March 11, 2019

A simple spam filter for the current Sextortion scams making the rounds

For a week or so, an email scam has been making the rounds claiming that a hacker has compromised your computer and caught you doing nasty things with yourself while watching porn videos online. He or she threatens to expose you (no pun intended) unless you pay a ransom of between $1000 and $2000 US in Bitcoins.

While this may cause some people to panic and pay up, most will see it for what it really is: a pathetic sextortion scam. Nobody hacked your computer or planted a video-watching virus on it. This is FUD (Fear, Uncertainty and Doubt). But, because these scams are arriving in huge numbers, to multiple mailboxes, it is worth our time to create an email spam filter that detects and even auto-deletes these messages.

This article is mainly presented for MailWasher Pro users, but can also apply to any other email client that allows users to create spam filters from email headers. Think web server email systems...

If you don't use MailWasher Pro, but want to create this spam filter for another email client, or on your website's email server, read these articles I wrote in 2017:


  1. Use RegEx to filter spam from your mail server - part 1

  2. Use RegEx to filter spam from your mail server - part 2


Assuming your email client is MailWasher Pro, or otherwise allows for custom Regular Expressions filters, let's create a Sextortion Scam filter.

Continue reading "A simple spam filter for the current Sextortion scams making the rounds" »

March 9, 2019

Tips for sorting your MailWasher Pro spam filters

If, like me, you use Firetrust's MailWasher Pro to screen your incoming email for spam, scams and malware, you may have discovered that it allows users to create custom spam filters. This article will give you some tips to get the most out of your custom spam filters.

The program, currently at version 7.12.1, ships with 4 default spam filters that one can customize, add to, enable, or disable. The most important of them is the first one: "Restored Email" - which comes into play after an email has been deleted to the MailWasher Recycle Bin and you later decide that you want it delivered to the Inbox. The filter description says: "Will ensure any email you restore from Recycle Bin will come through marked as good and not marked for delete." You should keep this filter enabled.

The Restored Email filter stops all further filter processing, allowing that restored email to appear and stay in the Inbox and not be automatically deleted by another filter. This is because MailWasher filters are processed from the top on down.

The second default filter is named: "Language Filter" and it is used to block non-English language character sets. The description says: "Currently set for many non Latin languages. You can edit this filter to your own preference." The single rule has a drop down arrow on the right side that opens a menu of languages to block, each prefaced with a checkbox. Select all those you want deleted and press Save.

The third default filter is labeled: "Not to me." The description is: "Looks for messages that are not addressed to you on either the To or CC lines. You need to edit this to include all your own email addresses in use." There are three sample email addresses that need to be changed or deleted. Add as many of your email addresses as you want this filter to inspect. I would use this filter with caution because a lot of professional email lists may not show individual email accounts in the To field. If you enable it, don't set it to auto-delete or you may end up restoring legitimate emails from the Recycle Bin.

The last and newest default filter is called: "Hide & Delete." You have to edit the rules to include sender email addresses, subjects, domains, and/or TLDs that you want hidden and/or auto-deleted upon arrival. These actions are chosen by clicking on the "Actions" tab on top of the filter.

Those are the default filters that come with MailWasher Pro. The rest of this article delves into custom, user created filters.

Continue reading "Tips for sorting your MailWasher Pro spam filters" »

September 16, 2018

Block spam sources from your website's email server

If you run a website hosted on an Apache web server, and are using the domain for email, and are using cPanel as your control panel, you most likely have a section labeled "email" which contains a link labeled: "Account Filtering." In this article I will share some filters I made to block email spammers.

A domain name is an alpha-numeric name that has been chosen and registered — by an individual or legal entity — with an accredited domain registrar to represent a web property. "Example.com" is a sample of a domain name. A domain name can be parked until it is needed for use as a website, or can simply be a pointer/shortcut to an active website that has a different name.

Many people choose to send and receive email through a domain and website they own, or administer, or for which they act as the Webmaster. If your domain name represents a business, sending email from that domain looks more professional than using a free email system (gmail, hotmail, live.com, etc).

However, as usually happens to active email accounts, some or all of your domain email addresses will eventually be captured by email harvesting bots and added to spam lists. If you have multiple email accounts for your domain, they may all receive the same, or related spam messages at the same time. If you are a busy person trying to read business messages, these spam emails can become a serious nuisance. Some well written spam filters can put a big dent in the amount of spam emails getting through to your inbox. Here's how I do it.

Continue reading "Block spam sources from your website's email server" »

May 8, 2017

Another Pump and Dump scam bites the dust (QSMG)

Just when you thought that all the gullible people had wised up, another pump and dump email scam emerged on April 11, 2017. This one was pumping up a Pink stock with the trading symbol QSMG. The company owning that symbol is Quest Management, Inc., which was based in Latvia at the time of this writing.

Quest Management lists its company profile as the following:


Quest Management, Inc. engages in the development of marketing channels to distribute fitness equipment products to wholesalers online. The company was founded on October 12, 2014 and is headquartered in Malta, Latvia.

Keep this in mind as you read the details of the failed pump and dump scam that just finished its disastrous run during the first week in May, 2017.

Seven days before the pump campaign began, on April 3, 2017, QSMG stock was worth $1.05 per share. One week later, they issued a press release about their intent to purchase a little known biotech company and their stock soared up to $2.33 on April 13. Remember, QSMG deals in fitness equipment, not medicine. Somebody, or a group of people, conspired to blow that announcement way out of proportion via fake news in a huge email spam blast that began on the morning of April 11, 2017. The details will fascinate you as you delve into the twisted minds of pump and dump scammers and their fake news writing techniques.

Continue reading "Another Pump and Dump scam bites the dust (QSMG)" »

February 2, 2015

Spear Phishing spam is targeting Bluehost customers

Prologue
This article is about what is known in the spam fighting trade as a "spear phishing" scam. That means that the message has been custom researched and written to target a particular person by name, whom the spammers deem to be important to their evil goals. While my experience deals with Bluehost, if you own a website hosted by another major web hosting company, you may receive a similar email scam message.

The email in question was lingering in the Spam folder of my Gmail account. This is just E Pluribus Unum of the email accounts I use. When I first read the Subject and From lines I thought it might possibly be a legitimate message that got sent to the Spam folder by accident. I was wrong and Gmail was right!

I actually first saw the scam email on my Android smartphone. Although it seemed mildly plausible, some things about the body text aroused my suspicion and raised my bullshit detectors to full height. I will post the contents in my extended content and explain each item that should arouse your suspicion if you receive a similar email message.

The Hook:
From: Bluehost <[email protected]>
Subject: Status Alert: Code: 2502

Body text:


Dear Valued Bluehost Customer (My actual first and last names here!).<!--bhuzxuwtbw-->

Your account contains more than 9191 directories and may pose a potential performance risk to the server.
Please reduce the number of directories for your account to prevent possible account deactivation.

In order to prevent your account from being locked out we <special> recommend that you create special</special> tmp directory.

Or use the link below:

https://my.bluehost.com/tmp.php?doit=dfc7defac6624a80f02b02e22b14e8fd

Thank you,
Bluehost
Toll Free: (888) 401-4678
Outside US: 1 (801) 765-9400

If you viewed an email message like that on your phone you would see the blue underlined link text that appears to point to an account on Bluehost.com. Actual computer users viewing this message in their browser or email client can simply hover their mouse pointer over links in email messages and the actual URL will be displayed in a Status Bar on the bottom of the browser.
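The hover check described above can be automated for an incoming HTML message: compare the host named in the visible link text with the host the href actually points to. This is an added example, not code from the original post; the message snippet inside it is constructed, with a made-up target host and a placeholder token in place of any real value.

```python
"""Check anchors the way a reader would by hovering: does the host named in
the visible link text match the host the href really points to?
Added example, not code from the original post; the message snippet below
is constructed, with a fake target host and a placeholder token."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample body: the first link shows a Bluehost URL as its text
# but its href goes elsewhere; the other two are consistent.
SAMPLE_HTML = """
<p>Or use the link below:</p>
<p><a href="http://phish.example.net/tmp.php?doit=PLACEHOLDER">
https://my.bluehost.com/tmp.php?doit=PLACEHOLDER</a></p>
<p><a href="https://www.bluehost.com/">www.bluehost.com</a></p>
<p><a href="https://www.bluehost.com/support">contact support</a></p>
"""

# Visible text that names a host or URL (only such text can mislead by host).
HOSTLIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I | re.S)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_host(hostname: str) -> str:
    """Last two labels of a host name. Assumption: good enough for this
    demo; a real filter should use the public suffix list (co.uk etc.)."""
    labels = hostname.lower().split(":")[0].strip(".").split(".")
    return ".".join(labels[-2:])


def find_mismatched_links(html: str) -> list:
    """Return anchors whose text names one registrable domain while the
    href points at another."""
    collector = AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        match = HOSTLIKE.match(text)
        if not match:
            continue  # plain words such as "contact support" do not claim a host
        shown = registrable_host(match.group(1))
        actual = registrable_host(urlparse(href).netloc)
        if shown != actual:
            findings.append({"shown": shown, "actual": actual, "href": href})
    return findings


if __name__ == "__main__":
    for f in find_mismatched_links(SAMPLE_HTML):
        print(f"text claims {f['shown']} but link goes to {f['actual']}: {f['href']}")
```

Only anchors whose text looks like a host or URL are compared, because a text such as "contact support" makes no claim a hover could contradict; the registrable-host comparison is deliberately crude and would need the public suffix list for domains under co.uk and similar suffixes.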

Continue reading "Spear Phishing spam is targeting Bluehost customers" »

September 14, 2014

Use a Regular Expressions filter to block email spam for .EU domains

This is a brief article describing a technique I use to block the current spate of email spam containing links to domains ending in the .EU (Europe) extension. It also demonstrates how to block certain other domains commonly used by Russian and Ukrainian spammers and cybercriminals.

I'd like to point out that spam operations that are based in Russia and The Ukraine have for a long time been setting up websites ending in the domain extension .RU (Russia). I still detect and delete a lot of .RU domain link email spam messages. But, the trend seems to be shifting now to spammers registering domains ending in .EU (Europe). Perhaps the rules for registering those domain names are less stringent than those required to obtain a .RU domain (proof of Russian citizenship or residence).

Whatever the reason for the change in domain extensions, the outcome is the same. If you click on a link in an email spam message for weight loss panaceas, the .EU web page you land on will look exactly the same as one ending in a .RU domain name. That's because almost all of the weight loss scams and fake pharmacy sites are built using the same templates. Even the script names are the same on most of these spamvertised websites.

If your email system/provider/client allows you to create Regular Expressions spam filters, use the ones I've created to block virtually all spam containing links to .EU (and Russian) domains.

Continue reading "Use a Regular Expressions filter to block email spam for .EU domains" »

September 7, 2014

Pump & dump scam fails, so Spammers revert to weight loss spam

One week after the second pump and dump stock scam failed to take off in the same month, spammers have reverted to one of their long time standbys: weight loss and fake pharmacy spam.

Here's some background information to bring you all up to speed. During August, 2014, spammers who play the "Penny Stocks" conspired and purchased huge amounts of two little known companies, which I wrote about here and here, at extremely low prices per share. They then rented a "Botnet" that enslaves hundreds of thousands, to millions of infected personal and business computers to blast out huge volumes of spam email messages promoting those stocks. If you are reading this, you are probably a recipient of penny stock email scams.

In essence, these people use fake news and outright lies to pump up excitement in the stocks they have purchased on the cheap. Using flamboyant terminology, stock spammers try to generate a sense of ground-floor urgency in their messages, promising huge returns on investment to the spam recipients. What most folks may not realize is that these messages are part of a "pump and dump" scam, where the only winners are the puppet masters pulling your strings. They set target prices and sell out once those targets are reached. This happens when enough people are fooled into throwing their money away by purchasing as much of the worthless stock as they can afford.

Once the scammers sell off their shares, at a profit thanks to the "scammees," the value per share drops through the floor, and fast. There is usually a flurry of activity as victims try to sell out to late comers before they lose everything. In a few days, it is over and the stock tanks.

When the pump and dump scams end, spammers turn to other usually profitable scams, like the current blast of weight loss herbs and illicit prescription drugs sold through Russian fake pharmacies.

Continue reading "Pump & dump scam fails, so Spammers revert to weight loss spam" »

August 21, 2014

My email spam filters catch 100% of weight loss scams

Right now, in the middle of August, 2014, weight loss scams are the prevalent type of email spam flooding our inboxes. This trend has been going on for several weeks now. If you are tired of manually deleting this crap, check out my custom email spam filters for MailWasher Pro.

What is MailWasher Pro?

MailWasher Pro is a software anti-spam solution that runs on Windows computers and on smartphones. It works with email "clients" that use the POP3 and IMAP email systems. The program acts as a gatekeeper, or doorman, intercepting your incoming email messages before you download them into your actual chosen email reader. It evaluates the content of incoming messages, using multiple methods of detection, to determine if an email is (probably or absolutely) good or spam. If it is evaluated as good, it is listed as such in the MailWasher Inbox, in a green bar. If it is determined to probably or absolutely be spam, it is marked as spam, in a light red colored bar.

MailWasher uses a friends list, a blacklist, consults SpamCop and other major spam reporting organizations, and even maintains its own FirstAlert spam detection system. It contains a Bayesian detection (learning) filter that you can help train to determine what you consider to be good or bad email.

I have been a registered user of MailWasher for a really long time; almost since version 1. One of the other methods it uses to determine if a message is a goodie or a baddie is through user composed spam filters. The program contains all the necessary analysis routines to parse the entire source code of each incoming message and check it for words and phrases, whether in plain text or regular expressions, to mark them as spam, or allow them through if there is no match. You still have the final say.

Continue reading "My email spam filters catch 100% of weight loss scams" »

August 1, 2014

Email addresses being harvested by blank email

I just discovered an email scam that harvests the email addresses of active accounts, simply by opening an apparently blank message. The message contains no visible content or links, yet steals your email address and adds it to a database used by spammers.

How does the blank email steal your email address?

Each of these messages I have intercepted contains a simple subject, like: "Whatup," or "What's up?" The From contains somebody's first name, like Dwight, Joan, etc. You won't recognize the domain it spoofs. The body text is blank to the eye, although there are a few lines of HTML code that don't render anything when displayed in your email client.

There is an image tag embedded inside these messages, but no image is displayed. That is because the alleged image is actually a php file named unsubscribe.php. The email address of each intended recipient is hard coded into the "query string" appended to /unsubscribe.php. If you simply preview these messages in an HTML capable email reader that allows images to be downloaded, your email address is sent to that file and is instantly added to a spam database.

The domains currently being used end in the .us extension and begin with "more." The servers are in a colocation datacenter. Thus far, one of their accounts has been suspended and says so if you investigate the URL.

The purpose of this spam run is to accumulate a fresh list of active email accounts to be used in upcoming spam runs. Judging by the size of the list - plainly readable on the server - a lot of people are being tricked into adding their email accounts to the list.
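The harvesting trick described above (an invisible image whose source is a server-side script carrying the recipient's own address in its query string) can be recognised before any image is fetched. The following is an added example, not code from the original post; the host name, the address and the message body are constructed placeholders shaped like what the post describes, not the actual domains involved.

```python
"""Detect the address-harvesting trick: an HTML message with no visible text
whose <img> src is a script (unsubscribe.php) carrying the recipient's
address in its query string, so merely rendering the message reports the
address as live. Added example, not code from the original post; the host
name and address below are constructed placeholders."""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

RECIPIENT = "victim@example.com"  # constructed

# Constructed sample: empty-looking body, one 1x1 image calling a PHP script.
SAMPLE_BODY = """<html><body>
<div style="font-size:0"> </div>
<img src="http://more-constructed.us/unsubscribe.php?e=victim%40example.com" width="1" height="1">
<img src="http://more-constructed.us/spacer.gif" alt="">
</body></html>"""

SCRIPT_SUFFIXES = (".php", ".asp", ".aspx", ".cgi", ".pl")


class BodyScan(HTMLParser):
    """Collect image sources and the text a reader would actually see."""

    def __init__(self):
        super().__init__()
        self.sources = []
        self.visible = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)

    def handle_data(self, data):
        self.visible.append(data)

    def visible_text(self) -> str:
        return "".join(self.visible).strip()


def harvesting_images(html: str, recipient: str) -> list:
    """Return image URLs that would leak the recipient's address on load,
    or that call a server-side script with any query string at all."""
    scan = BodyScan()
    scan.feed(html)
    recipient = recipient.lower()
    hits = []
    for src in scan.sources:
        url = urlparse(src)
        # parse_qs decodes %40 back to @, so an encoded address is still caught
        values = [v.lower() for vals in parse_qs(url.query).values() for v in vals]
        leaks_address = recipient in values or recipient in url.query.lower()
        calls_script = url.path.lower().endswith(SCRIPT_SUFFIXES)
        if leaks_address or (calls_script and url.query):
            hits.append({"src": src, "host": url.netloc,
                         "leaks_address": leaks_address, "calls_script": calls_script})
    return hits


def is_blank_beacon_mail(html: str, recipient: str) -> bool:
    """True when the body shows nothing to the reader yet loads a remote
    image that reports the recipient's address: the pattern in the post."""
    scan = BodyScan()
    scan.feed(html)
    if scan.visible_text():
        return False
    return any(h["leaks_address"] for h in harvesting_images(html, recipient))


if __name__ == "__main__":
    print(is_blank_beacon_mail(SAMPLE_BODY, RECIPIENT))
    for hit in harvesting_images(SAMPLE_BODY, RECIPIENT):
        print(hit)
```

The check runs on the raw source, so it works in a gatekeeper that sees the message before the mail reader renders it; a client configured not to load remote images gives the same protection after the fact.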

Continue reading "Email addresses being harvested by blank email" »

June 23, 2014

Big pump and dump stock scam flooding email inboxes again

Unless you're one of the people who hasn't opened their email inbox lately, or you subscribe to a spam filtering service, you are probably well aware that there is an ongoing penny stock pump and dump scam flooding email inboxes.

This particular spam run is pumping a little known stagnant stock trading as RNBI. This scam has been happening for most of the last week and continues as of this writing. It has already been covered by Dynamoo's blog and several other spam fighters. This stock was discredited shortly after its initial pump campaign, about a month ago. It is, in effect, a shell company. The big players already own all the stock and are trying to pump it up then sell out at a profit, leaving Internet investors (the marks) as big losers.

The pump and dump spam emails often forge the name of well known stock trading companies and communities, like "Investors Hub." Today, they were using the "From" name: Money Runners. Tomorrow it will be some other forgery. Also, I have found that the messages including clickable links were all to non-existent domains. A scam all the way through!

At first, the spam emails mentioned the stock by its trading symbol. This only lasted about a half day. The next wave shifted the stock symbol to the "alt" attribute of an embedded image, in the html version of the body text. That persists today in some of the messages I captured. Basically, these scams are image spam, but containing gigantic paragraphs of nonsense sentences having nothing to do with stocks. Most of this junk text is buried behind a green or other colored background, below the actual spam image, which contains grandiose wording and the pumped stock symbol.

Today, I saw a brand new tactic used by the spammers to try to evade detection (it didn't work on me guys). Some of the spam emails are now using attached virtual business card files to carry the scam message. To avoid seeing the come-on, don't click on the link to open the attachment card. Avoid getting involved with pump and dump scams, unless you are prepared to part with most or all of the money you invest in them.

As always, I have been on this scam since I first saw it, updating my spam filters for MailWasher Pro users. I will continue to update my filters to fight this scam until it runs its course and disappears like they always do (when the perps cash out). If you don't use MailWasher Pro to filter out spam, and you use a desktop "POP3" or "IMAP" email client (program other than a browser), and you only have rudimentary spam filter rules provided by the email client, MailWasher Pro will be of use to you. There are both desktop and mobile versions available.

If you don't or can't use MailWasher Pro, perhaps because you only do email via http using your web browser, you may still gain useful insight by examining my spam filters. Using my spam filter conditions as an example, you may be able to cobble together some spam filters on your own, applicable to your email provider's user options.

December 26, 2013

Email scams circulating during Christmas season 2013

It has been a month since my last blog article. During that time I have been pursuing other interests that demand much of my time. We all need to do what we must to earn a living and pay our bills. That said, here is a roundup of the security threats and scams coming to you via your email inboxes during the Christmas shopping season of 2013, in order of the danger posed to recipients.

The most dangerous email threats are those with links leading to malware attacks, or Trojan downloads, or with file attachments containing malicious payloads. Examples of such threats that I have captured this month are as follows.

  1. Costco Wholesale scam, claiming a failed delivery, spoofing "Costco Shipping Manager" as the sender, but with a totally non-Costco email domain. The message body states that the delivery of a Costco order (e.g.: COS-0034851919) was canceled due to an incorrect address. The scammer asks you to complete a form and send it back to them. The link provided goes to a compromised website where a zip file conceals an executable file that is a malicious Trojan installer.
  2. BBB Fraud. This recurring fraud spoofs the Better Business Bureau, showing the sender as: Better Business Bureau with account names like: [email protected]. The subject is akin to: FW: Complaint Case 158402349343. As in most of these scams, the body text starts off with: "The Better Business Bureau has received the above-referenced complaint from one of your customers regarding their dealings with you." The ones I saw this month contained hostile zip file attachments (e.g.: Case 463252349343.zip) containing Trojan installers.
  3. Dun & BradStreet Fraud. This scam is directly related to the BBB fraud mentioned above and is sent by the same spam gang. The sender is spoofed as: "Dun & BradStreet ([email protected])." The subject is something like: "FW : DNB Complaint - 0582564." Using similar language as the BBB scams, the body text contains this come-on: "Dun & Bradstreet has received the above-referenced complaint from one of your customers regarding their dealings with you." They also contain hostile file attachments, with names like: "Case_0582564.zip."
  4. My CV Scam. This scam attempts to fool employers or hiring agencies into opening a hostile file attachment, which the sender claims contains their resume in "CV" format. I doubt that anybody in the USA would be stupid enough to fall for the horrible language used in these scams, with text like this: "Hello, I sent you my detailed CV. I hope you will like me I am the winner of different beauty contests. My photos are added as images in the document, I need this job very much. Waiting for your soonest reply, Kisses, Chloe Mason"

Continue reading "Email scams circulating during Christmas season 2013" »

October 6, 2013

Wizcrafts' MailWasher Pro spam filters updated today

Today, October 6, 2013, I published a large update of my custom spam filters for MailWasher Pro, a desktop and mobile device spam-filtering program.

Normally, I may update a couple of my spam filters a week and create a new filter once a month. However, due to a sudden enormous increase in the amount of spam for pharmaceuticals, plus malicious messages, I have created 5 new spam filters and changed the names of two existing filters.

The new filters deal specifically with new botnet spam templates used to promote the fake "My Canadian Pharmacy," along with other fake pharmacies selling illicit prescription drugs and useless diet capsules. Also, I created a new filter to detect a variation of a malware link scam.

New Spam Filters

Continue reading "Wizcrafts' MailWasher Pro spam filters updated today" »

September 15, 2013

Spam and scam roundup for week ending Sept 15, 2013

For the past few weeks, email spam categories have remained fairly constant, with a steady flow of spam promoting weight loss pills, pump and dump scams and several malware threats, in attachments, or via links.

Changes over the past week or two include a shift in the domain names used to promote illicit weight loss drugs. Originally, this type of diet spam had domain names that included the words green coffee in the prefix and .PL (Poland) as the TLD extension. After a while, the domain extensions were changed to other country codes, such as .NL (Netherlands), .EU, and finally, .RU (Russia). The scams are all part of an underground pharmacy program run out of Russia, with unscrupulous affiliates who rent the use of botnets to spam out their affiliate encoded links to unsuspecting recipients around the World. It is no surprise to me that all of the domains now being used in email spam links for weight loss solutions are in fact .RU; Russian domain names.

While the spam templates and wording may change from week to week, the landing pages do not change. All are the exact same affiliate landing page for green coffee bean extract, a potentially harmful substance that causes a lot of people a lot of misery (not to mention that they are out the money to Russian mobsters).

How to spot a typical Russian domain link in a spam message

Here is a sample of the spoofed sender, subject, and links currently being used to promote illicit green coffee beans:

From: "OzMagazine Daily"
Subject: You Can Do It! Start Today!

Try it today! h**p://6c3f.REMOVED.ru/?5EEA2761DC

I deactivated the http part and removed the actual domain name (which changes daily), but left the sub-domain in place. This is the new structure the spammers are employing. They present a link in plain text or html code, with a sub-domain, a domain, then a .RU extension, a forward slash, then their affiliate code as a "query string." This earns them commissions whenever they trick a recipient into purchasing this worthless product.
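The link structure just described (sub-domain, domain, .RU extension, a slash, then a bare affiliate code as the query string) is specific enough to express as one regular expression, and the same expression covers the .EU links from the September 14, 2014 article on this page. The block below is an added example, not code from the original posts; the sample message is constructed, with placeholder domain names, and only the sub-domain label and affiliate code are copied from the sample link above.

```python
"""Match the spamvertised link shape: a throwaway sub-domain, a registered
domain, a .RU or .EU TLD, a slash and then a bare affiliate code as the
whole query string. Added example, not code from the original posts; the
message below is constructed and its domain names are placeholders."""
import re

SPAMVERTISED_LINK = re.compile(
    r"""
    \bhttps?://
    (?P<sub>[a-z0-9-]+)\.                # throwaway sub-domain label
    (?P<domain>[a-z0-9-]+)\.             # the registered domain
    (?P<tld>ru|eu)                       # TLDs the posts discuss
    /\?(?P<affiliate>[a-z0-9]{6,})       # bare affiliate code, no key=value
    (?![\w=&])                           # reject ?id=..., ?a=1&b=2 style queries
    """,
    re.IGNORECASE | re.VERBOSE,
)

# Constructed sample: one plain-text .ru link, one HTML .eu link, and two
# ordinary links that must not match.
SAMPLE_MESSAGE = """From: "OzMagazine Daily"
Subject: You Can Do It! Start Today!

Try it today! http://6c3f.constructed-example.ru/?5EEA2761DC

<a href="http://9a1b.constructed-example.eu/?7C0D1E2F3A">click</a>
Read more at https://www.europa.eu/index_en.htm
or https://shop.example.ru/catalog?id=12345
"""


def find_spamvertised_links(text: str) -> list:
    """Return every link matching the affiliate-link shape, broken into parts."""
    return [m.groupdict() | {"url": m.group(0)} for m in SPAMVERTISED_LINK.finditer(text)]


def is_spamvertised(text: str) -> bool:
    """Filter verdict: one such link is enough to mark the message."""
    return SPAMVERTISED_LINK.search(text) is not None


if __name__ == "__main__":
    for link in find_spamvertised_links(SAMPLE_MESSAGE):
        print(link["tld"].upper(), link["sub"], link["domain"], link["affiliate"])
```

The negative lookahead after the affiliate code is what keeps ordinary `?id=12345` style queries and multi-parameter query strings out of the match, so legitimate .eu and .ru sites with normal URLs are not caught by the TLD alone.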

It is worth noting that .RU domain extensions are only assigned to Russian registrants, who have physical addresses and identities in Russia. I can't buy and register a Russian domain, unless I get someone who lives in Russia to put it in his or her name. The cybercrime and fake pharmacy underground is alive and well in Russia!

Continue reading "Spam and scam roundup for week ending Sept 15, 2013" »

August 18, 2013

Weight loss spam returns to overtake new pump and dump scams

Last week, I wrote two articles (1 - 2) that revealed that the amount of spam for green coffee bean extract had been surpassed by a big pump and dump campaign, which was pushing two different stocks. Now, the pattern has reversed and weight loss spam exceeds pump and dump.

Regarding the weight loss scams, they no longer mention green coffee bean extract in the spam message bodies. You find this out if you click on the links, which have also morphed from Polish domains (.pl) to Russian domains (.ru). The rest is the same stuff, using Russian underground affiliate template web pages, hosted on Russian web domains. Most of the diet scams I saw this week are spoofing Dr. Oz as the sender, using a couple of different spellings. The message bodies even claim to be official Dr. Oz newsletters, which they are NOT! All of the details are bogus, as is the diet formula they promote.

Note: I researched Green Coffee Bean Extract and found reports on real forums (like WebMD) where most of the people using it got sick from it, until they stopped taking those capsules. The only weight loss was from vomiting, etc.

Pump and Dump

The new pump and dump scam emerging over the last few days is a scam promoting a stock with the symbol MONK. The two previous campaigns seem to be mostly abandoned, after they failed to make the expected profits for the scammers running this dog and pony show. If you are smart, when you see emails promoting MONK, with or without underscores and/or spaces between the capitalized letters, don't be fooled into thinking they are legit. They are scams, run by professional con men, all of whom have conspired to purchase large volumes of shares in the penny stocks they pump up.

As always, the goal of a pump and dump campaign is to pump up interest in a stock, using botnet sent spam messages, driving up the volume of transactions and the value per share. When the value reaches an agreed-upon price, the scammers all sell off their shares, turning a profit for themselves, at the expense of everybody else whom they suckered in.

Today's take-away

1: Green coffee beans won't help you lose weight, but will sicken you and lighten your wallet.
2: Getting involved with a pump and dump stock scam will lighten your bank account when it fails. Further, these are Ponzi Scams, under US law.

August 11, 2013

It's time for a reality check regarding IMTC pump and dump stock campaign

Last week I wrote about a new "pump and dump" spam campaign being used to artificially inflate the value of a penny stock, with the trading symbol IMTC (actually renamed to IMTCQB). Spam for this penny stock has exploded over the last week, overtaking all other categories.

The pump and dump email messages are sent by anonymous persons, using spoofed sender information and compromised computers, making grandiose claims about the potential profits for investors. Despite not revealing their actual names, the scammers often use the first person in the subjects or body text, with phrases like "If this company doesn`t Bounce I will RETIRE!"

The purpose of these anonymous email spam messages is to pump up the value of a low value stock by means of trickery, until it peaks. The people behind these stock spam campaigns purchase large volumes of a targeted stock when the price is very, very low. At an agreed upon time they compose an email spam campaign and rent a botnet to distribute fake news and innuendo about the potential trading value of that stock.

Eventually, after enough people have been fooled into investing in this risky endeavor, the value per share goes up, often substantially, in a short time. Then, when the value appears to have peaked, or reaches an agreed upon value, the scammers sell off (dump) all of their holdings at a profit, leaving the later investors holding the empty bag. Thus, it is no surprise that on the Otcmarkets.com page for IMTC, a black skull and crossbones is displayed, with the Caveat Emptor hover text beginning with: buyer beware.

The latest incarnation of these spam messages goes to great length to try to fool potential investors with long paragraphs written in broken English (by scammers whose native language is not English). They are now even including a paragraph of disclaimer language, again using poor English grammar. This should act as a red flag for any North American English reading potential investors (who are the primary targets of this campaign)!

The following is a direct quote, bad grammar included, from one of this weekend's email scams promoting the IMTC stock.

Continue reading "It's time for a reality check regarding IMTC pump and dump stock campaign" »

August 9, 2013

Spam for green coffee extract is down, Pump & Dump & Money Mule scams are up

In my previous article about the types of spam I was intercepting, most of it was promoting a dubious and often dangerous diet herb called green coffee bean extract. The next most seen category of spam was for "pump and dump" stock scams.

However, there seems to be a change in spam topics happening this week. Now, the fat burning scams are greatly reduced, while the pump and dump scams have quadrupled. In fact, the Eastern European stock scammers are now trying to manipulate two penny stocks at the same time. Using fake news and bogus forward looking statements, they are drumming up interest in the two targeted stocks (in which they have invested) in the hopes of conning new investors into buying shares valued in the penny range, driving up the value, just so that they (the scammers) can dump their holdings when the price peaks. The people who are fooled by these spam messages will lose all of their investments as the stock crashes.

This destruction of a stock's value has already occurred, when the same people pumped and dumped a stock with the symbol HAIR. They are now in the process of destroying the value of two other companies: BLDW and IMTC. If you receive an email promoting any of these stock symbols, delete it without a second thought. The stocks will not rise to the projected values listed in the spam messages. You will not get rich (the opposite will happen). The "big news" they often mention is an invention of professional con men.

Note: all of the pump and dump scams this year have placed underscores between various letters in the four letter symbols. This is done to attempt to fool spam filters. But, they don't get past my regular expressions spam filters that I write and publish for MailWasher Pro users. If you aren't already using MailWasher Pro, I invite you to check it out.
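To show how a separator-tolerant filter of the kind described in that note can be built, here is an added Python example; it is not one of the author's published MailWasher Pro filters (those are not reproduced on this page). The symbol list comes from the posts on this page; the separator characters beyond the underscore, and the sample subject lines, are constructed assumptions.

```python
import re

# Ticker symbols this page names as pump-and-dump targets.
SYMBOLS = ["IMTC", "IMTCQB", "BLDW", "HAIR", "NOST", "BYSD"]

# Characters a spammer might wedge between the letters of a symbol.
# The page reports underscores; space, dot, hyphen and asterisk are
# assumptions added so the filter tolerates similar tricks.
SEPARATOR = r"[\s_.\-*]{0,2}"


def symbol_pattern(symbol):
    """Regex for one symbol with up to two separator chars between letters.

    Letter-based lookarounds are used instead of \\b because an underscore
    counts as a word character and would defeat \\b in "_I_M_T_C_".
    """
    body = SEPARATOR.join(re.escape(ch) for ch in symbol.upper())
    return r"(?<![A-Za-z])" + body + r"(?![A-Za-z])"


STOCK_SPAM_RE = re.compile("|".join(symbol_pattern(s) for s in SYMBOLS))


def find_obfuscated_symbols(text):
    """Return the de-obfuscated symbols found in text, in order of appearance.

    Matching is case-sensitive on purpose: stock spam writes symbols in
    capitals, and a case-insensitive "hair" would flag ordinary mail.
    """
    return [re.sub(r"[^A-Z]", "", m.group(0)) for m in STOCK_SPAM_RE.finditer(text)]


# Constructed sample subjects (not real spam captured by the author).
SAMPLE_SUBJECTS = [
    "If this company doesn`t Bounce I will RETIRE! Load up on I_M_T_C",
    "B L D W is set to explode on big news",
    "Hair salon coupons for this weekend",
    "Re: meeting notes",
]

if __name__ == "__main__":
    for subject in SAMPLE_SUBJECTS:
        print(f"{find_obfuscated_symbols(subject) or '-'}: {subject}")
```

The returned list is already stripped of the separators, so the same function can feed a counter of which symbol a campaign is pushing that week.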

Continue reading "Spam for green coffee extract is down, Pump & Dump & Money Mule scams are up" »

July 28, 2013

Email spam roundup for week ending on 7/28/2013

I haven't posted my email spam findings for a couple of weeks, mainly because the details haven't changed much since my last post.

In a nutshell, approximately 70% of my spam is weight loss "newsletters" that lead to Polish domain (.pl) web sites selling green coffee bean extract (a potentially harmful herb). These fake newsletters spoof well known TV personalities, like Dr. Oz, to persuade potential "marks" that the links are trustworthy.

The next most frequent type of spam continues to be an ongoing pump and dump penny stock scam, run out of Eastern Europe. The scammers continue to cause a devaluation of a particular penny stock, dropping its value from about 25 cents all the way down to a fraction of a cent. Normally, these scammers move on to another stock, which it appeared they were going to do. But, something happened and they have turned their attention back to the stock they pumped to death a month ago. A lot of investors lost a lot of money when the dump occurred and many more may become victims of the ongoing scam, unless they are made aware that the odds are stacked against them by professional con men.

There are still a few Nigerian 419 scams making the rounds, trying to find gullible people who are willing to part with their money in the hopes of making millions left by somebody's allegedly dead relative overseas.

Finally, there were a few dangerous scams that contained links leading to malware exploit kit attacks. The destination web sites contain JavaScript routines that probe computers for unpatched versions of Java, or Adobe Reader or Flash, or particular exploitable Windows operating system files. If any of the targeted software is found on a computer, a malicious payload is downloaded and run. The next paragraph explains how this happens and what you can do to mitigate your risk.

Continue reading "Email spam roundup for week ending on 7/28/2013" »

July 14, 2013

Email spam and scam roundup for the week ending July 14, 2013

This past week has seen a major increase in the amount of email spam for weight loss herbals, all of which are promoting a possibly dangerous and expensive green coffee bean extract.

I investigated this so-called miracle diet herb and ended up on WebMD. There, real users posted their findings, which are diametrically opposed to the rosy picture painted by the affiliate web pages promoting this junk. A lot of people taking green coffee bean extract got sick from it. Almost no one lost weight, except from having cramps, diarrhea, or vomiting, which stopped when they stopped taking the capsules. These are not a miracle weight loss solution. They are mostly a ripoff. Anybody buying this stuff as a result of a spam email will be enriching the spammers who are paid affiliates in the underground pharmaceuticals trade. If you must try this green coffee shit, you can buy it super cheap from your local Walmart (less than half the price of the spamvertised bottles). Then return it when it makes you sick.

The next busiest category of spam is sent from the former Soviet Union, where miscreants are running an ongoing penny stock pump and dump scam. They have succeeded in running the last stock they pumped, HAIR, into the ground. They are just now launching a different scam campaign pumping, then dumping another penny stock, trading as NOST, which will be run into the ground as well. A lot of suckers are taken in by these pump and dump scams and most lose all of the money they invested. Please don't fall for a pump and dump scam! The odds are stacked against you.

Continue reading "Email spam and scam roundup for the week ending July 14, 2013" »

June 30, 2013

Email spam, scam and threat round-up for week ending on June 30, 2013

The overall volume of spam over this past week is greatly reduced, to say the least. Not only have the types of spam subjects become fewer, but the number of malware threats has dropped as well.

The few malware threats that arrived in my MailWasher Pro Inbox were in the form of attached zip files pretending to contain Better Business Bureau complaints (Subject: FW: Complaint Case 2UBG8353D9XLI0Z) or an ADP Payroll invoice (Subject: ADP Payroll INVOICE for week ending 06/21/2013).

Malicious files in email attachments are best managed by an up-to-date anti-virus program that can monitor incoming email messages, as well as files you open before running, such as zip and pdf files. I personally use and recommend Trend Micro Internet security products. They use "in the cloud" malware definitions for the newest threats, so they don't bog your computer down with what would otherwise be a huge virus database on your hard drive (and loaded in RAM memory).

Also, if you operate your computer with less than Administrator privileges, and keep your bullshit detectors on high, you will be about 90% less likely to get infected by most malware, especially the silent install type. The B.S. detectors are for when an installer pops up a UAC prompt asking for the Administrator password to continue.

Continue reading "Email spam, scam and threat round-up for week ending on June 30, 2013" »

June 9, 2013

E-mail spam and scam roundup for June 3 - 9, 2013.

Since the recent forced shutdown and seizure of Liberty Reserve, a major payment portal used by cybercriminals (and also, unfortunately, many innocent people), spammers and scammers have been experiencing trouble getting paid their ill-gotten money. Nonetheless, certain types of spam continue to flood our inboxes, as shown in this article.

My stats are derived from MailWasher Pro, which is a desktop POP3 and IMAP spam filter that goes between your email server and your email client. The classifications of spam come from spam filters I write and publish for use by other MailWasher Pro users.

SPAM

This week the majority of spam was for counterfeit or useless drugs, most with domain names that begin with "greecoffeeultra." These domains are often registered on the day you begin seeing spam claiming you only have 24 or 48 hours to act, or some similar garbage subject. I did some research into a few of these domains and learned that the ones arriving today were just registered a few hours earlier and are set to expire in just two weeks. The "Registrar" is listed as Domain Silver Inc., in the Seychelles. It is very unusual to allow such a short registration period and it is no surprise that spammers are attracted to this company.

The From addresses are composed in two parts. The first shows a name, like iWellHealth, GreatHealth, or something similar. The second part is the email address, which is totally bogus. They are composed of about 10 or 12 characters of random upper and lower case letters, followed by three digits, then some imaginary or real domain name. I have updated my MailWasher filter for "Known Spam [From]" to detect and auto-delete these messages so you don't have to deal with them.
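Here is an added Python example, not the author's "Known Spam [From]" filter (which this page does not reproduce), of how the sender pattern just described can be checked on a parsed From header: a local part of 10 to 12 letters followed by exactly three digits. It adds a case-change count as a second signal, an assumption of mine, because a random run of mixed upper and lower case flips case far more often than a real name or word does. The sample headers are constructed.

```python
import re
from email.utils import parseaddr

# Local part shape described in the post: 10-12 letters, then three digits.
RANDOM_LOCAL_RE = re.compile(r"^[A-Za-z]{10,12}[0-9]{3}$")


def case_transitions(text):
    """Count upper/lower case flips between consecutive letters."""
    letters = [c for c in text if c.isalpha()]
    return sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())


def is_random_letter_sender(from_header, min_transitions=3):
    """True when the From address matches the random-letters-plus-digits shape.

    min_transitions is an assumed threshold: "Newsletter123" fits the
    letter/digit shape but flips case once, so it is left alone, while a
    random string such as "qKzRtPwLmNb473" flips case on nearly every letter.
    """
    _display_name, addr = parseaddr(from_header)
    local, at, _domain = addr.rpartition("@")
    if not at or not RANDOM_LOCAL_RE.match(local):
        return False
    return case_transitions(local) >= min_transitions


# Constructed From headers (display names follow the post's examples; the
# addresses and domains are made up).
SAMPLE_FROM_HEADERS = [
    "iWellHealth <qKzRtPwLmNb473@healthy-example.pl>",
    "GreatHealth <Newsletter123@example.org>",
    "Jane Smith <jane.smith@example.com>",
    "Support <XhTbQwErTyUi592@example.net>",
]

if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        verdict = "SPAM" if is_random_letter_sender(header) else "ok  "
        print(f"{verdict} {header}")
```

Parsing with parseaddr first matters: applying the regex to the whole header would let a display name such as "GreatHealth" pollute the match, and it also copes with quoted display names containing angle brackets.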

Most of these "greencoffee" domains end in the extension .pl - which stands for Poland. The websites are hosted in the Ukraine and did not return any results when I checked them. But, they are active websites and may be populated with illicit content at any time.

Other drug spam is for Russian domains (.ru), which are only supposed to be registered to Russian citizens. The websites at the end of the links were mostly hosted in ...The Ukraine. They have a big spam hosting problem there.

Continue reading "E-mail spam and scam roundup for June 3 - 9, 2013." »

May 26, 2013

Spam and email threat roundup for May 19 - 26, 2013

This past week has seen the return of Russian fake pharmacy spam, including the long-dead "Canadian Pharmacy" name. There was a short lull in this type of spam while other categories of junk email were being deployed; mostly pump and dump stock scams.

Russian pharmacy spam (and all other types) is sent from zombie computers that have become infected and involuntarily made part of spam "botnets." The bot-masters who own these botnets rent them out to spammers who are affiliates for various underworld networks that promote all manner of counterfeit goods (watches, handbags, shoes), illicit prescription drugs, Chinese weight-loss herbs, Russian, Ukrainian and Asian "dating" networks, money mule recruitment (e.g. work at home scams), Nigerian 419 scams, pump and dump stock scams, and malware in attachments or in the destination websites of hostile hyperlinks.

The Russian pharmacies are all template websites run by affiliate spammers, hosted on Russian domains, which end in the extension .ru. There are also some Ukrainian hosted fake pharmacies and dating scam websites hosted on domains ending in .com.ua. If you are able to read the actual destination of a link before you click on it, by hovering, or in plain text, if it ends in .ru, it is hosted on a Russian server, or on an account registered to a Russian citizen. I hope that my readers will not want to subsidize Russian cybercriminals who sell counterfeit drugs or other illicit goods on Russian websites.

Also making a comeback this weekend is an emerging (returning, I believe) pump and dump stock scam revolving around a sub-penny stock with the symbol: BYSD. This stock appears to have been pump and dumped at least once before and is being pumped again, today. Beware of spam messages making outrageous claims about the Bayside Corp stock. It is going nowhere anytime soon, and the only news they have released is to announce a new CEO. Some group has bought up a huge block of their junk stock at .006, or so, and is trying to sucker unsavvy investors into buying thousands of shares at a penny, plus, driving up the price, until the scammers dump all their shares and leave the rest of the investors holding an empty bag.

Continue reading "Spam and email threat roundup for May 19 - 26, 2013" »

April 18, 2013

Boston bombing email scams morph into Waco explosion scams

In the early hours of April 17, 2013, I published an article detailing an email scam using the Boston bombings as the lure to attack computers with malware. Today, that scam has switched to referring to the fertilizer plant explosion in Waco West, Texas, in the evening of April 17. The links and landing pages are the same as yesterday's.

In today's email attacks, the Subjects have been changed to refer to the Waco explosion in this fashion:

Waco Explosion HD

CAUGHT ON CAMERA: Fertilizer Plant Explosion Near Waco, Texas

Raw: Texas Explosion Injures Dozens

Runner captures. Marathon Explosion

The message bodies still only contain a numeric hyperlink, in plain text. The format of these links is as follows (deactivated for your safety):

h**p://95.87.6.156/news.html

All of today's links have 4 part numeric IP addresses, followed by "/news.html" as of this writing. But, that file name has been changed to "/texas.html" in some recent messages.

Continue reading "Boston bombing email scams morph into Waco explosion scams" »

April 17, 2013

Malware scammers exploiting Boston bomb tragedy by email

Tonight, I discovered a new malware attack tactic in the MailWasher Pro Recycle Bin. It was automatically deleted because it matched the conditions I created in a filter I call Exploit Link. In this case, the filter was matched by a numeric IP in the URL, instead of a domain name. Numeric URLs, especially those ending with a .htm or .html file are hostile 99.999999999% of the time. This one sure was.

The email arrived very late, at about 1 AM, Eastern time. Its sender was nobody I know, but it contained this enticing subject:

Explosion at the Boston Marathon

The total content in the message body was only a link, in this (deactivated) form:

h**p://178.137.100.12/news.html     (Don't go there!)

UPDATE: April 17, 2013, at 2:55 PM EDT:

I have now discovered some new numeric links containing the file name "/boston.html" - leading to exploit pages.

This is what is known as a numeric URL or hyperlink. It does not point to any known or registered domain name, just to an IP address. Spammers have set up a malicious web page on some compromised computer or hand held smart device that has been assigned a static IP address (usually by their broadband Internet service provider). In this case, the IP 178.137.100.12 is assigned to a "Kyivstar" GSM mobile broadband customer in Kiev, Ukraine. That IP address is already listed on my Russian Blocklist, under the CIDR 178.137.0.0/16.

UPDATE:
All of the links I have found in these email scams are leading to computers or devices located in Russia, Bulgaria, Latvia, or The Ukraine. This is an attack hosted by criminals based in the Former Soviet Union.
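An added Python example (not the author's Exploit Link filter, which this page does not reproduce) of the checks those paragraphs describe: pull links out of a message body, flag any whose host is a bare IP address rather than a domain name, note the .htm/.html page names seen in these posts, and test the address against a blocklist. The 178.137.0.0/16 range and the two IP addresses are the ones quoted in these posts; the sample message body and the domain-based link are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# The one CIDR this post quotes from the author's Russian Blocklist.
# A real deployment would load the full list; this is the only entry here.
BLOCKLIST = [ipaddress.ip_network("178.137.0.0/16")]

# Page names used by the Boston/Waco campaign, as reported in these posts.
KNOWN_LURE_PAGES = ("news.html", "boston.html", "texas.html")

# Matches live links and the defanged forms (h**p, hxxp) used in reports.
URL_RE = re.compile(r'''\bh(?:tt|xx|\*\*)ps?://[^\s<>"']+''', re.IGNORECASE)


def classify_link(url):
    """Return (verdict, reasons) for a single URL.

    verdict is "exploit-link" when the host is a numeric IP literal,
    otherwise "domain"; reasons lists every signal that fired.
    """
    # Turn a defanged scheme back into a real one so urlsplit parses it.
    live = re.sub(r"^h(?:xx|\*\*)p", "http", url, flags=re.IGNORECASE)
    parts = urlsplit(live)
    host = parts.hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "domain", []  # hostname is a name, not an IP literal
    reasons = ["numeric IP host"]
    page = parts.path.rsplit("/", 1)[-1].lower()
    if page.endswith((".htm", ".html")):
        reasons.append("static .htm/.html page")
    if page in KNOWN_LURE_PAGES:
        reasons.append(f"known lure page {page}")
    for net in BLOCKLIST:
        if ip in net:
            reasons.append(f"{ip} is inside blocklisted {net}")
    return "exploit-link", reasons


def scan_body(body):
    """Classify every link found in a plain-text message body."""
    return [(url, *classify_link(url)) for url in URL_RE.findall(body)]


# Constructed sample body combining the two IP links quoted in these posts
# with one ordinary domain link for contrast.
SAMPLE_BODY = """Explosion at the Boston Marathon
h**p://178.137.100.12/news.html
http://95.87.6.156/texas.html
http://www.example.org/news/boston.html
"""

if __name__ == "__main__":
    for url, verdict, reasons in scan_body(SAMPLE_BODY):
        print(f"{verdict:13} {url}  {'; '.join(reasons)}")
```

Accepting the defanged h**p and hxxp forms lets the same function be run over samples pasted from write-ups like this one without re-arming the links first; the domain link is deliberately left at "domain" rather than "clean", because a registered name is no guarantee of safety.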

What awaits you at this numeric URL, ending in the file named: news.html?

Continue reading "Malware scammers exploiting Boston bomb tragedy by email" »

March 20, 2013

DHL delivery report email scam delivers malware 'packages'

As I predicted on March 17, this week is off to a running start for email-borne malware scams. Today, we are seeing an ongoing spam blast with the subject: DHL delivery report - which contains malware attachments.

Here are some identifying words and phrases you should be looking out for, when (not if) you receive this email message.

Subject: DHL delivery report (or similar)
From: "(A spoofed personal name) - DHL regional manager" <[email protected]>

Body Text: (dozens of lines of HTML precede readable text)


DHL notification
Our company's courier couldn't make the delivery of parcel.
REASON: Postal code contains an error.
LOCATION OF YOUR PARCEL: New York
DELIVERY STATUS: sort order
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL: ETBAKPRSU3
FEATURES: No
Label is enclosed to the letter.
Print a label and show it at your post office.

An additional information: If the parcel isn't received within 15 working days our company will have the right to claim compensation from you for it's keeping in the amount of $8.26 for each day of keeping of it.
You can find the information about the procedure and conditions of parcels keeping in the nearest office.
Thank you for using our services.
DHL Global

The attachment is not a printable label, as claimed, but is the Bredolab botnet downloader/installer.

Continue reading "DHL delivery report email scam delivers malware 'packages'" »

March 19, 2013

Malware infected (Cyprus Crisis) emails arriving, as predicted on Sunday

Two days ago, on Sunday afternoon, 3/17/2013, I wrote about two email scams that I intercepted, which contained malicious code in their attachments. At that time I predicted that we would see a flurry of malware laden messages this week. It is happening right now.

Today alone, I have analyzed 7 more email scams, all of which either contained malware attachments, or had links to online exploit kits. The last two, at the time of this article, are worthy of me writing about them, to warn my readers against clicking on the links they contain.

I am referring to a new scam that forges the BBC as the sender, claiming that a friend asked for it to be sent to (you). It has language describing an ongoing crisis in Cyprus and contains links pretending to go to the BBC article about this matter. Instead, they take you to the Blackhole Exploit kit.

Here are some of the pertinent details to watch out for...

Continue reading "Malware infected (Cyprus Crisis) emails arriving, as predicted on Sunday" »

March 17, 2013

Watch out for malware email campaigns this week

After one quiet week, where most spam was for pump and dump penny stocks and fake Russian pharmacies, two malware attachment emails appeared in my inbox on Sunday afternoon. Both are spoofing an ACH or wire transfer transaction being completed.

Subject: Transaction is completed
From: Heidi Summers

Text:
WIRE transaction is completed. $6224 has been successfully transferred. If the transaction was made by mistake please contact our customer service. Payment receipt is attached.*** This is an automatically generated email, please do not reply ***

From: Bank of America

Text:
ACH transaction is completed. $5009 has been successfully transferred. If the transaction was made by mistake please contact our customer service.Receipt on payment is attached.*** This is an automatically generated email, please do not reply ***

Both contain a zip file attachment, weighing in at about 92.5 KB. A Trojan, with the filename "Payment slip ID-GF-37840.exe" is inside the zip package.

These spam messages are targeted at businesses and were sent on Sunday, for delivery Monday morning, at the start of the business week. This is an earlier than usual beginning of what typically turns into a Monday through Friday malware-laden email blast.

This being tax time in the US and Canada, expect a rush of fake tax payment failed messages. These too are loaded with Trojans, or have links to the Blackhole Exploit Kit.

If you receive such an email, delete it. The coding for the zip file in the two samples above is "inline," indicating that some email clients may actually open the attachment for you, to display its contents. Please don't become another victim. Most of these exploits install Trojans that empty your bank accounts.

March 8, 2013

This has been a dangerous week for email recipients

The work week of March 4 through 8 has been very dangerous for email recipients, with all manner of malware links and attachments thrown at us. Subjects and senders vary widely, as do the names of the payload files. If you are not super careful, you might be tricked into clicking on a hostile link, or opening a Trojan Horse attachment.

Here are some of the subjects I intercepted over the last 5 days.

  • Your AT&T wireless bill is ready to view
  • IRS notification of your tax appeal status.
  • Order N38956
  • Email confirmation for Wire Transfers service
  • Please respond - overdue payment
  • Re: Fwd: Order confirmation
  • ACH Dept. Notification : ACH Process End of Day Report
  • You have been sent a file (Filename: Software-60.pdf)
  • Transaction is completed
  • Your Receipt and Itinerary
  • Efax Corporate

Every one of these messages either contained a Trojan attachment, or led to the Blackhole or similar exploit attack kit. Judging by the subjects, all or most are targeted at office personnel. Busy, or unaware recipients who click on the hostile links would have their default web browser probed with JavaScript until it found a vulnerable plug-in, or browser type or version.

Java, by Oracle, is the first plug-in targeted by these exploit kits. This is due to the fact that millions of computers have Java installed, unbeknownst to the owners. If one doesn't even know that they have Java installed, how is one to keep it updated with patches? Java is so exploitable right now, that Oracle has issued three critical patches in 30 days. Add to that the fact that fully patched Java Virtual Machines fell four times in two days, to hackers at this week's Pwn2Own contest in Vancouver, and you have a real minefield for common computer users.

Continue reading "This has been a dangerous week for email recipients" »

February 20, 2013

A MailWasher Pro filter for spam using your name, from Yahoo

Often, spam recipients ask me and other spam fighters how spammers get their email addresses, despite their being super cautious about with whom they exchange email. They may only exchange messages with a few well trusted contacts or relatives, whose computers are unlikely to be infected, because they use the best security programs, operate as less privileged users and don't have Java installed. They, and/or their trusted email contacts use Yahoo email services and have done so for years without getting spammed.

One gloomy day, out of the ether, an email appears from a Yahoo.com account, with this person's first name in the subject and in the message body! The message is all about a new system their sender is using to reduce his money problems and contains a link to a website that reveals the details. The recipient clicks the link only to discover that it is a work at home scam disguised as a news article.

What this recipient didn't know is that Yahoo's email accounts are constantly under attack by hackers and spammers who try to break into member accounts by either guessing, stealing, or cracking their passwords. In my example, the recipient uses email very carefully, but is still spammed, allegedly from a Yahoo member, with his or her own name in the subject and body text. These details were extracted when the recipient's own or a friend's Yahoo account was pilfered during one of these hacking attacks.

I created a special MailWasher Pro spam filter that detects these types of Yahoo spam and flags them for deletion, or closer examination. I will outline that filter below. For the purpose of demonstration, I have changed the personal name used in these spam runs to "joe".

Continue reading "A MailWasher Pro filter for spam using your name, from Yahoo" »

Spam for pump and dump stocks, Russian dating and malware increases again

February 20, 2013

After a period of very low amounts of email spam, the tides have turned and spam is on the rise, once again. The topics being spammed now include pump and dump penny stocks, Russian dating scams, the occasional misspelled Viagra/Cialis pills, and the usual Blackhole malware exploit kits.

Since I use the "Windows Live Mail" desktop email client to compose, send and read my email, and its spam filtering rules are quite limited in scope, I long ago turned to a commercial anti-spam filtering program called MailWasher Pro, as a first line of defense against email spam, scams and malware links and attachments. The program works well enough in its basic format, with the tools built into it. But, I learned that by creating my own spam filters, I was able to identify, flag and delete the vast majority of junk email that is sent to me every day.

One thing I have learned about spammers is that they change or purposely misspell their subjects and body text quite often, to try to evade anti-spam filters that are created by spam fighters and spam filtering companies, to detect various types of spam. Sometimes they reverse or displace letters in known brand name drugs, knowing that most recipients will still interpret the real meaning.

When we read text, our human brains can make sense of garbled words and usually read totally misspelled words accurately. Try it yourself: What does this word really mean: Vigara? How about this one: Cailis? If you live in an English speaking country and read English you'll know what the real words are supposed to be. Your brain processes this information as you gain input from media sources and your interactions with other people.

If you use email for business or other important purposes, reducing the amount of spam for counterfeit drugs and goods, Russian brides, useless penny stocks and especially anything leading to a malware attack should be of utmost importance to you. A combination of MailWasher Pro and my spam filters are a great one-two punch that will make a big dent in the amount of junk email you have to deal with.

Continue reading "Spam for pump and dump stocks, Russian dating and malware increases again" »

December 25, 2012

Anatomy of an email scam spoofing FedEx and Post Office

Christmas Eve, 2012

I want to alert my readers to a spam run I saw over the last couple of days and also explain what the purpose of the scam really is. This is a new variation of a long-running scam spoofing both your Post Office and a major brand courier service, leading directly to a malware attack.

This particular variant may well become the template for ongoing spam campaigns, if the success rate is high enough. Right now, 'tis the season to receive gifts and the bait in this email scam may well trap a lot of eager folks who just may be waiting for a promised delivery of a present or online purchase.

It starts with a message claiming to be from either "Worldwide Express Mail," or "Shipping Service," or "Postal Service," with an incomprehensible "tracking" or ID number as the subject. Most have this body text, or something almost the same as this:

Your parcel has arrived at the post office at December 20.Our courier
was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show
this receipt.

DOWNLOAD POSTAL RECEIPT

Best Regards, The FedEx Team.

Here is where wisdom and suspicion are your best friends. The message text contains horrible grammar, and both a reference to a "POSTAL RECEIPT" and to "FedEx." I hope that most of you are aware that FedEx is a courier service and is NOT associated with the "Postal Service," nor do they issue "Postal Receipts." Your Country's official Postal Service does that. Yet, almost every email courier scam I have seen over the last year confuses at least two, if not three services: the US Postal Service (USPS), FedEx (a private company) and UPS (United Parcel Service).

If you receive one of these failed delivery scams and you see any sign of confusion about who was supposedly delivering the package, usually accompanied by bad grammar and sentence structure, delete it immediately.

So, if this is a scam, what is the payload and what is its purpose?

Continue reading "Anatomy of an email scam spoofing FedEx and Post Office" »

December 12, 2012

Emails spoofing Adobe order numbers have links to Blackhole Exploit Kit

Today there is a new email scam run making the rounds, spoofing an Adobe order number and download link. The links are malicious, leading to the Blackhole Exploit Kit.

Details:

The email messages in question claim to come from [email protected]. But, so far, the sender's name is usually a capitalized first and sometimes also last name. This is not standard business practice and should be a dead giveaway that something is amiss. Nobody working at a major software company will spell their name in all caps!

The subjects thus-far have been: Order N(5 numbers)

The message body text begins with: "Good (day|morning),You can download your Adobe CS4 License here" - with a link around the word "here." If you read email on your computer you can hover your pointer over links to display the actual destination URL in a status bar that appears on the bottom of the email client. These poisoned links end with: /redirecting.htm - which is a commonly used page name for the Blackhole Exploit Kit. The landing page has the title: "Please wait" and the H1 heading: "Please wait a moment ... You will be forwarded... "

From that point onward, your browser is attacked with obfuscated JavaScript functions, probing for an exploitable version of Oracle Java or Adobe Flash, at the very least, and sometimes other vulnerable software. If you browse with Firefox, with the NoScript Add-on installed and active, set to its default security to disallow Java and JavaScript, unless you specifically allow it, you will not be exploited automatically. But, some attack kits also contain a manual link option that appears when people arrive with JavaScript disabled. If you are offered a manual link (on the page titled "Please wait" ... you will be forwarded) to install a "missing plug-in" (usually Java or Flash), refuse and close the page, then close the browser. Then update your security program and scan for threats that might have slipped in during the attack.

Unfortunately, many mobile phone users don't usually have this hover function that would alert them to poisoned links. You would have to be using a mobile browser or email reader that contains a hover to display function, or else pray that your device is not targeted by the exploit kit at the other end of the click.

Continue reading "Emails spoofing Adobe order numbers have links to Blackhole Exploit Kit" »

October 22, 2012

Mixed up malware spammer, confusing UPS with FedEx

October 23, 2012

Spam email containing malware in attachments is nothing new to most of us Netizens who have been online long enough to have our email accounts harvested by spammers. Most of the time we have to take a close look at the content of any email message to see if it might be a scam, even if it comes from a sender whose name or company we recognize. Not so with the spam message I received around midnight Oct 22, 2012.

Most of us have received email scams spoofing UPS, or FedEx, other courier services and some can be pretty convincing. But I have to rate this message with a BIG FAIL! You have to read this mangled English text that I found inside a scam spoofing both UPS AND FedEx.


From: "ups" <[email protected]>
Subject: Your Package FE N75985662

Body text:
fedex.com|Ship|Track|Manage|Office/Print Services (missing hyperlinks, just text!)

We apologize, but it seem so, that we not can deliver your package. One of our trucks is burned tonight. In attachment you can find a form for insurance. Please fill it out and send it us urgent, because we must told amount of damage to the Insurance company.

If you looked at the From field in your email client, it would clearly claim to be from "ups" and "[email protected]." Note the Subject, which contains an alleged shipping code beginning with "FE" - belonging to FedEx, not UPS! This shows confusion on the part of the spammer who composed the template for the spam run.

The message, when opened, is missing some of the images it tried to steal from the FedEx servers. But, the best giveaway that this is a scam is the horrible English grammar in the hook text. It is so poorly worded that a 10-year-old should see it as a scam. Check out these badly worded phrases:

  1. but it seem so...
  2. One of our trucks is burned...
  3. In attachment...
  4. send it us urgent...
  5. we must told amount of damage...

The attachment in this case was a Zip file named "Fedex_ID99278-3P.zip" - containing a malware backdoor installer and Trojan loader, called "W32.Cridex" by Symantec.

For your own safety, when you receive email messages, note the Sender's name, email address and domain, subject and body text. If the message claims to come from a company, the names should be consistent in all of these areas. No matter what language it was composed in, the grammar should be correct and businesslike. No actual company with a known brand name will ever send out an email with such horrible use of language/grammar as the above example.

Always keep an anti-malware or anti-virus program active on all of your computers and smart phones/tablets that connect to the Internet. But, you are the first line of defense against scams. Use the common sense God granted to you when reading email messages! Many spammers and scammers are located in distant countries and English is not their first language. Some may even use dictionaries to translate templates composed by other spammers, who are usually located in Eastern Europe. Poor grammar and spelling are a dead giveaway that the message is a scam of some kind.


October 17, 2012

Watch out for more malware link email scams this week

October 17, 2012

Malware purveyors are busy this week, distributing email scams containing either links to, or attachments containing malware. Thus far, since Monday this week, I have seen several company brands being spoofed to try to fool recipients into clicking on links leading to the Blackhole or Phoenix exploit kits.

These exploit kits are professionally written to take advantage of vulnerabilities in commonly deployed software that interacts with web browsers or email clients. The primary target is Java technology, which is now owned and maintained by Oracle.

Typically, the first round of scams arrives on Monday mornings and spoofs business brands such as Intuit, UPS or USPS, or poses as scans from an HP ScanJet, fake invoices, or bogus schedules for company meetings. All of the above arrived in my inbox on Monday and Tuesday. On Wednesday, the brands being spoofed are UPS, LinkedIn and Facebook. They follow particular scam patterns that give them away to people who are aware and use caution before clicking on links.

The Tell-Tale Patterns

Continue reading "Watch out for more malware link email scams this week" »


October 11, 2012

Malware links and attachments flooding email inboxes in October

October 11, 2012

We are now one third of the way into October and there is no letup in the volume of malware-infested email scams flooding our inboxes. When I refer to malware delivered via email, most of it is in the form of links to compromised websites that are hosting the Blackhole Exploit Kit and other similar badware.

Because of blogs like this one, many computer users are wary of clicking on links in unexpected emails. This is especially so if they have taken my advice and read the destination URL in the status bar of their email client while hovering over links without clicking them. Hovering typically causes the bottom status bar to (appear and) display the actual URL from the hidden HTML code. This will contradict the fake anchor text, or the spoofed company's domain name, in most spam emails that are written to trick unwary users into clicking without thinking it through.

For example, if an email claims to be from CNN Breaking News, yet, when you hover over the links the status bar shows something like the following, it is a spoofed link, probably leading to an exploit attack kit:

h**p://strange-domain.de/FME2kA9/index.html.

"Index.html" is a favorite file name for the Blackhole purveyors. A few use the variation index32.html, while another poisoned link template uses the destination file name: "forwarding.htm."

In order to attack the more cautious email readers who don't blindly click on links, some scams pack their malicious codes into attachments that the reader is encouraged to open. One usually sees these malware laden attachments in the emails that pretend to contain a (sometimes forwarded) scan from an HP ScanJet; like this example from earlier tonight: (Subject) Re: Fwd: Scan from a HP ScanJet #14191476. That email contained an attachment named: "HP_Document.zip" that when opened would exploit some vulnerable, unpatched software you might have installed (like an outdated version of Adobe Reader, Acrobat, or Flash), launching an exploit attack on the user's computer.

A third method of exploitation is by embedding hostile scripting and invisible iframes into .htm attachments. Recipients are then urged by the spammers to open those files in Internet Explorer. Doing so launches all of the Blackhole or Phoenix exploit codes that are normally served from remote, compromised websites, or hostile malware servers.

Continue reading "Malware links and attachments flooding email inboxes in October" »


September 19, 2012

Email spam on September 19 was all about malware links & attachments

Sept 19, 2012

So far today I have received 14 spam email messages, which is way down from the typical two dozen or more. However, of those 14 messages, 10 contained either attachments with, or links to the BlackHole Exploit Kit. The payload for those successfully exploited was the Zeus (Game Over) banking Trojan.

Here is the breakdown of those scams, listed by the brand being spoofed:

  • ADP Client Services: 4 scams
  • Better Business Bureau: 2 scams
  • Facebook Notifications Pending: 1 scam
  • American Express Forgotten ID: 1 scam
  • Your Flight Order: 2 scams
  • The remaining 4 were 1 work at home scam and 3 for Russian fake pharmacies.

Continue reading "Email spam on September 19 was all about malware links & attachments" »


August 22, 2012

blog comment spammers search my blog in vain for the number -1

This is a short blog post to point out a trick being used by blog spammers to test to see if their comments have been published or not. It has been appearing in my blog's activity log for at least a half year, or longer.

Most comment and trackback spam is in the form of links to fake online drugstores (selling counterfeit prescription medicine and lifestyle drugs without a prescription), or bogus weight-loss remedies, or counterfeit watches, or work at home - money mule scams. My solution to that type of junk was simple: I turned off Comments and Trackbacks on my blog!

Despite these features being turned off, online spammers routinely search my blog for the same two numbers in sequence. These numbers and characters are: 1 and -1'. The code I see in my raw access logs is actually the following:

GET /cgi-bin/mt/mt-search.cgi?includeblogs=-1%27&search=1&
GET /cgi-bin/mt/mt-search.cgi?includeblogs=1&search=-1%27&

These two searches always appear after a GET for one of my blog article pages, or categories or dates. These searches never lead to a results page. Still, they keep searching, in vain. Blog spammers are a dumb lot of morons, usually based in Latvia, Russia, the Ukraine, or some other former Soviet Union country. English is not their main language and in fact, they may not read it at all. But, most can recognize the number 1, or -1'.

If you run a blog and allow comments and trackbacks, moderate them before allowing them to appear. Google is cracking down hard on blogs and forums that contain lots of spam comments and trackbacks. If you have a lot on your blogs, delete them and set all future comments to be moderated. Install an anti-spam module also, to reduce your workload. Or, if like me you don't want user feedback, just disable Comments and Trackbacks!
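As an added illustration (not code from the blog), here is a small Python scanner that pulls the mt-search.cgi probes described above out of raw access-log lines and counts them per client address, so that repeat offenders can be put on a deny list. The log lines below are constructed samples in the Common Log Format using documentation IP ranges and invented timestamps; the script name, the parameter names and the 1 / -1' pair are the ones quoted in the post.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Common Log Format, as written by Apache and most other web servers:
#   host ident user [time] "METHOD target HTTP/x.y" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

PROBE_SCRIPT = "/mt-search.cgi"
PROBE_MARKER = "-1'"   # arrives URL-encoded as -1%27; parse_qs decodes it for us


def is_probe(target: str) -> bool:
    """True for an mt-search.cgi request whose includeblogs/search parameters
    carry the 1 and -1' pair described in the post, in either order."""
    parts = urlsplit(target)
    if not parts.path.endswith(PROBE_SCRIPT):
        return False
    params = parse_qs(parts.query)
    values = {v for key in ("includeblogs", "search") for v in params.get(key, [])}
    return PROBE_MARKER in values and "1" in values


def find_probes(lines):
    """Yield (client address, timestamp, request target) for each probe line."""
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_probe(m["target"]):
            yield m["host"], m["time"], m["target"]


def probe_hosts(lines) -> Counter:
    """Probe count per client address. Repeat offenders are candidates for a
    deny rule in the web server configuration or a firewall block list."""
    return Counter(host for host, _, _ in find_probes(lines))


# Constructed sample lines (documentation IP ranges, invented timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Aug/2012:03:14:07 -0400] "GET /blog/2012/08/some-article.html HTTP/1.1" 200 15342',
    '203.0.113.7 - - [22/Aug/2012:03:14:08 -0400] "GET /cgi-bin/mt/mt-search.cgi?includeblogs=-1%27&search=1& HTTP/1.1" 200 512',
    '203.0.113.7 - - [22/Aug/2012:03:14:09 -0400] "GET /cgi-bin/mt/mt-search.cgi?includeblogs=1&search=-1%27& HTTP/1.1" 200 512',
    '198.51.100.4 - - [22/Aug/2012:03:20:11 -0400] "GET /cgi-bin/mt/mt-search.cgi?includeblogs=1&search=mailwasher HTTP/1.1" 200 8123',
]

if __name__ == "__main__":
    for host, when, target in find_probes(SAMPLE_LOG):
        print(f"{host} {when} {target}")
    print(dict(probe_hosts(SAMPLE_LOG)))
```

To use it on a live server, read the lines from the access log instead of SAMPLE_LOG; the legitimate search on the last sample line is not flagged because it lacks the -1' marker.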


August 9, 2012

Most spam has links to Russian fake pharmacies

August 9, 2012

I decided to compile some statistics tonight to see where most spam links are leading at this point in time. It is no surprise that of 126 spam messages deleted over the last 7 days, 89 had links to Russian domains (.RU websites). This equals 70.6% of all spam I received.

So, what is being spamvertised by those 89 spam messages? Fake pharmacies! Every single email spam message in my deleted items (MailWasher Pro Recycle Bin) that contains a link to a Russian domain is promoting counterfeit prescription drugs, sold without a prescription. Some claim to be "From" Canadian Pharmacy. Others claim to be "From" Viagra or Cialis. That's funny; I didn't know that little blue pills could use computers, type and send email messages!

In case anybody reading this isn't already clued in, these pharmacies being spammed are totally bogus. The domains (website names) are all registered in Russia, by Russian citizens or persons living and doing business in Russia who can show a valid Russian ID. (That is a legal requirement to obtain a .RU domain name.) Russian criminals run affiliate programs for fake pharmacies that are open to spammers from various countries.

If you receive an email that touts Viagra, Cialis, male enhancement or weight loss drugs, containing a link to a .ru domain, it is a scam. The drugs are counterfeit and made in Asia. The factories producing them are not monitored for quality control and correct dosages. These drugs can harm or kill you, or do nothing at all.

Of the remaining 37 spam emails, 18 had links leading to the BlackHole malware exploit kit. 14 were promoting work at home and money mule scams, 1 was a fake casino and 4 were for fake diplomas. The BlackHole kit exploits vulnerable, unpatched plug-ins for your browser, such as Java, Flash, Adobe Reader and some recently patched Microsoft components. The fake diplomas may not help you get hired, but will certainly get you fired, once it is discovered that you submitted a forged document.

As for the fake casino; a fool and his money soon will part!

Finally, the money mule and work at home scams are as nasty as the BlackHole, in that they steal from you. Work at home scams get you to pay up front for worthless information that brings you nothing but a charge on your credit or debit card. The money mule scams recruit hapless people into money laundering and stolen goods schemes that can land them in jail.

My statistics were obtained from MailWasher Pro, which is a spam filtering email program that sits between your email servers and your desktop email client (a fancy word for a stand-alone email program). I write custom spam filters that can be imported directly into MailWasher Pro. The combination of my filters and the ones built into the program usually auto-delete 95% of incoming spam, or more. I have to look through the program's Recycle Bin to see what has been deleted and see the links, come-ons and source codes used in the various scams employed by professional and novice spammers.

If you aren't using MailWasher Pro, or some other spam filter, just hover your pointer over links, or look at what they say, before clicking on them. If a link goes to a .RU domain and the Subject, or From, or Body text promotes any kind of drugs, enhancers, or weight loss, the message is junk-mail and should be deleted without further ado. If a link claims to go to an invoice or transaction report from some named company or government agency, hovering over it should reveal the actual destination in a status bar at the bottom of the browser or email client.

BlackHole exploit links always go to a domain totally unassociated with the one being spoofed in the message body. Some exploit links go to numeric domains, rather than ones having names. No matter which, don't click if the plain text domain link doesn't match the actual destination revealed when you hover! Any brand name can be spoofed by email scammers looking to deploy more spam-bots and banking Trojans.


July 30, 2012

How to block most spam with a few of my MailWasher Pro filters

July 30, 2012

Almost everybody who sends and receives email has to deal with spam, scams and security threats that are delivered by spammers and their botnetted computers, every day. Manually sorting through email subjects to detect and delete spam is time consuming and not always effective at first glance. It is more efficient to let my spam filters do the work for you.

Many people choose to use their web browsers to "do" email, which leaves them at the mercy of their email provider to filter out spam. Countless others prefer to use a real, desktop email client to compose, send and receive email, using the POP3 or IMAP email protocols. If you are in the second group and are using a real email client, like Windows Live Mail, adding MailWasher Pro and my custom MailWasher spam filters can reduce the amount of spam, scams and malware threats getting through to a few percentage points.

I currently have published almost 150 spam filters for MailWasher Pro users to download freely and apply to their copy of the program. These spam filters cover both the old version 6.x (last version is 6.5.4) and the new XML versions starting with v 2010. Only the new version is under development now. MailWasher Pro is currently at version 2012 - 1.20.1.

Although I have created and published about 150 filters, in reality, only a few are needed nowadays to block most of the current crop of junk email. I shall list these filters below, along with the types of spam that they are able to detect and delete. Note, that in the new version of MailWasher Pro, automatic deletion occurs when a certain spam rating number has been reached, or, if you decide to set one or more filters to automatically delete messages matched by those filters. Some of my filters are set to what I call "Judge Dredd, Murder - Death - Kill" settings; meaning they auto-delete anything matching their conditions. The MailWasher spam filters can include both plain text and regular expressions matches and are very powerful.

Continue reading "How to block most spam with a few of my MailWasher Pro filters" »


July 18, 2012

More BlackHole Exploit Kit attacks spoofing LinkedIn, UPS, USPS

July 18, 2012

After a week where spam for pharmaceuticals, fake diplomas and replica watches dominated inboxes and junk folders, malware scams have resumed with a vengeance. These are spam email messages that either contain malware in an attached zip file, or a link to a malware server.

The recent email malware scams I saw, over the last 7 days, are spoofing the following brands or senders with these subjects:

UPS: "UPS Tracking Number H8087145257" - "UPS Tracking Number H1284336147"
UPS and USPS together: "Your Tracking Number H6497226598"
Sprint: "Your Sprint bill is now available online"
LinkedIn: "Join My Network on LinkedIn"
US Air: "Fwd: Your Flight US 896-119520"
Bank Account Operator: "Fwd: Wire Transfer Confirmation (FED_2732L45075)"
LiveJournal.com (UPS spoof): "Your Tracking Number H6302300603"
Post Express: "Delivery status is required urgent confirmation"
LinkedIn (UPS and USPS): "United Postal Service Tracking Nr. H9486128170"
Customer Support ups: "UPS Tracking Number H7383353854"
Habbo Hotel: "UPS: Your Package H4869590295"

As you can see, scams spoofing UPS and the USPS are the most common at this time. All of the above scams either contain malware exploit codes in an attachment (e.g. "MYUPS_N230250.zip"), or at the end of a redirected link to a BlackHole Exploit Kit server. Both methods use JavaScript codes to probe your web browser or email client for vulnerabilities, or exploitable plug-ins/extensions, or basic components. The ones being targeted the most this week are: Windows Help Center URL Validation Vulnerability, which was patched on July 13, 2010, as well as numerous vulnerabilities in the Java Virtual Machine, all of which have been patched by Oracle Java updates, plus the Microsoft XML Core Services Vulnerability just patched on July 10, 2012. Finally, some versions of the BlackHole Exploit Kit also probe for a vulnerable and exploitable version of Adobe's Reader, Acrobat and Flash software. Previous versions also sought to exploit Adobe Shockwave and Air.
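The consistency check recommended in the UPS/FedEx post above (sender name, sender address domain, subject and body should all name the same company) and the list of spoofed subjects here lend themselves to a simple automated test. This is an added Python example, not anything from the blog or from MailWasher Pro: the brand keyword table, the legitimate brand domains (ups.com, fedex.com, usps.com, linkedin.com) and the sample From addresses are my assumptions, and the sample messages are constructed around the subjects quoted above.

```python
import re
from email.utils import parseaddr

# Brand keywords (case-insensitive, word-bounded) and each brand's real domain.
# Assumed table for this example; extend it with the brands you see spoofed.
BRAND_KEYWORDS = {
    "UPS": [r"\bups\b", r"\bunited parcel\b"],
    "FedEx": [r"\bfedex\b"],
    "USPS": [r"\busps\b", r"\bunited states postal\b"],
    "LinkedIn": [r"\blinkedin\b"],
}
BRAND_DOMAINS = {"UPS": "ups.com", "FedEx": "fedex.com",
                 "USPS": "usps.com", "LinkedIn": "linkedin.com"}


def brands_in(text: str) -> set:
    """Set of brand names mentioned anywhere in the text."""
    low = text.lower()
    return {b for b, pats in BRAND_KEYWORDS.items()
            if any(re.search(p, low) for p in pats)}


def sender_is_brand(domain: str, brand: str) -> bool:
    legit = BRAND_DOMAINS[brand]
    return domain == legit or domain.endswith("." + legit)


def check_message(from_header: str, subject: str, body: str = "") -> dict:
    """Compare the brands named by the sender (display name and address domain)
    with those named in the subject/body, and flag the inconsistencies the post
    describes: more than one brand, or a brand claim from an unrelated domain."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    sender = brands_in(name) | brands_in(domain)
    content = brands_in(subject) | brands_in(body)
    claimed = sender | content
    findings = []
    if len(claimed) > 1:
        findings.append("mixed brands: " + ", ".join(sorted(claimed)))
    for brand in sorted(claimed):
        if not sender_is_brand(domain, brand):
            findings.append(f"claims {brand} but sent from {domain or '(no address)'}")
    return {"sender": sender, "content": content, "findings": findings}


# Constructed samples: the subjects are quoted in the posts, the From addresses are invented.
SAMPLES = [
    ('"ups" <service@example.net>', "Your Package FE N75985662",
     "fedex.com|Ship|Track|Manage|Office/Print Services"),
    ('"Habbo Hotel" <noreply@habbo.example>', "UPS: Your Package H4869590295", ""),
    ('"LinkedIn" <invitations@linkedin.com>', "Join My Network on LinkedIn", ""),
    ('"UPS" <noreply@ups.com>', "UPS Tracking Number H8087145257", ""),
]


def suspicious_subjects(samples=SAMPLES) -> list:
    """Subjects of the sample messages that produce at least one finding."""
    return [subj for frm, subj, body in samples
            if check_message(frm, subj, body)["findings"]]


if __name__ == "__main__":
    for frm, subj, body in SAMPLES:
        print(subj, "->", check_message(frm, subj, body)["findings"] or "consistent")
```

Note the limit of this check: a template that is internally consistent and forges a From address on the brand's own domain passes it, which is why inspecting the Received headers, as the Foursquare post below does, is the stronger test.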

Let's analyze one of the LinkedIn malware scams I received just today.

Continue reading "More BlackHole Exploit Kit attacks spoofing LinkedIn, UPS, USPS" »


July 10, 2012

Image links now being used in USPS email malware scam

July 10, 2012

UPS, USPS and other courier name email scams are nothing new. We've seen UPS, DHL and FedEx spoofed for several years in various malware campaigns. The payloads are usually delivered via malware laden attachments, disguised as invoices, shipping labels, or pickup instructions, which the victim is supposed to open and print out. This week there is a new twist to the courier scams: clickable images containing a message and instructions to click to "print a shipping label."

The scams I have intercepted over the last two weeks or so spoof two services in the same message: UPS (United Parcel Service) and USPS (United States Postal Service). Either the spammers who write the text for these scams aren't aware that these are two different entities, or are counting on recipients overlooking this fact and falling for the bait due to recognizing the names.

In either case, the purpose of these messages, like those before them, is to infect unwary email recipients with Trojans, like the ZeuS bank account stealing malware, a botnet installer, a backdoor remote controller, and sometimes, fake security programs that demand money to fix non-existent problems (the pop-up desktop alerts are fake and themselves are the problem!), or fake FBI or other Police notices which hold the computer hostage until a ransom is paid for alleged bad behavior.

The courier scams are sent in bulk to everybody (via botnetted PCs), but are really targeting businesses and people who frequently send or receive goods via UPS or USPS, like eBay buyers and sellers. The criminals responsible (in Russia) are hoping that a busy secretary or shipper will open the attachment, or click on the link without thinking it through, or reading all of the text carefully (for giveaway typos or mixed up brand names).

Next, let's take a look at the image being used in the latest incarnation of the UPS/USPS email scams.

Continue reading "Image links now being used in USPS email malware scam" »


June 10, 2012

New email scam spoofing Foursquare leads to Russian fake pharmacy

6/10/2012

I just received a spam email in my Junk folder, which claimed to come from Foursquare ([email protected]). The Subject is: "Ailsa Hill is now your friend." The body text said: "Hey there - Just a heads up that Ailsa Hill has approved your friend request on foursquare." If you get one of these, no matter what the name is, be suspicious. Here's why...

I opened the "Properties" of this email so I could read the actual headers and found the following details.

The From: foursquare <[email protected]> line is fake, spoofed. Here's why:

The final "Received from" line is not from foursquare.com, nor from Amazon, their web host. Rather, the sending server was: serveur.maven2-20.com ([46.105.104.199]). Running a Whois on that domain reveals that it is hosted in France, on OVH Systems, a web hosting provider. There is no website configured at that IP, or domain, just a few files.

Also, the following line was inserted by the mail server that delivered the message to my account: X-AUTH-Result: FAIL

So, the email definitely did not come from Foursquare. It is spam or a scam. Who did send this message and why?
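The header inspection just described can be automated. The following is an added Python example, not the blog's own code: it parses a raw header block with the standard library, takes the bottom-most Received line as the originating hop (the first relay to accept the message records who handed it in), checks whether that host falls under the From domain, and reads the X-AUTH-Result header quoted above, falling back to the standard Authentication-Results header (RFC 8601). The two header blocks are constructed samples; the Return-Path, mailbox names, relay names, ids and timestamps are invented, while serveur.maven2-20.com and its address are the values quoted in the post.

```python
import re
from email import message_from_string
from email.utils import parseaddr

FROM_HOST = re.compile(r"\bfrom\s+([^\s(\[]+)", re.I)   # "from <host> (...)"
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")      # "[a.b.c.d]"


def under(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def analyze(raw_headers: str) -> dict:
    """Inspect a raw header block. Received headers are prepended by each relay,
    so the bottom-most one names the server that actually submitted the message;
    that host is compared with the domain of the From address."""
    msg = message_from_string(raw_headers)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    received = msg.get_all("Received") or []
    origin = received[-1] if received else ""
    host_m, ip_m = FROM_HOST.search(origin), IPV4.search(origin)
    origin_host = host_m.group(1).lower() if host_m else ""
    origin_ip = ip_m.group(1) if ip_m else ""
    # The post's mail server added X-AUTH-Result; Authentication-Results is the
    # standard header for SPF/DKIM/DMARC outcomes. Only an explicit FAIL is flagged.
    auth = (msg.get("X-AUTH-Result") or msg.get("Authentication-Results") or "").strip()
    matches = bool(from_domain and origin_host and under(origin_host, from_domain))
    findings = []
    if not matches:
        findings.append(f"originating server {origin_host or '?'} [{origin_ip or '?'}] "
                        f"is not under {from_domain or '?'}")
    if re.search(r"\bfail\b", auth, re.I):
        findings.append(f"authentication result: {auth}")
    return {"from_domain": from_domain, "origin_host": origin_host, "origin_ip": origin_ip,
            "origin_matches_from": matches, "auth_result": auth, "findings": findings}


# Constructed sample headers (see the lead-in for which values are invented).
SPOOFED = "\n".join([
    "Return-Path: <bounce@maven2-20.com>",
    "Received: from mail.example-isp.net (mail.example-isp.net [192.0.2.10])",
    "\tby mx.example.com with ESMTP id 4XyZ; Sun, 10 Jun 2012 21:03:11 -0400",
    "Received: from serveur.maven2-20.com (serveur.maven2-20.com [46.105.104.199])",
    "\tby mail.example-isp.net with SMTP; Sun, 10 Jun 2012 21:03:05 -0400",
    "X-AUTH-Result: FAIL",
    "From: foursquare <noreply@foursquare.com>",
    "Subject: Ailsa Hill is now your friend",
    "",
])
LEGITIMATE = "\n".join([
    "Received: from smtp.example.org (smtp.example.org [198.51.100.25])",
    "\tby mx.example.com with ESMTPS id 7AbC; Mon, 11 Jun 2012 08:00:00 -0400",
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.org",
    "From: Example Corp <news@example.org>",
    "Subject: Your monthly statement",
    "",
])

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, analyze(raw)["findings"] or "no findings")
```

In an email client, paste the block shown under "Properties" or "View source" into raw_headers; the bottom-most Received line is only trustworthy as far as the relays above it are your own provider's, since a sender can forge Received lines beneath the ones your servers add.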

Let's look at the links hidden in the message source to find out where they lead.

Continue reading "New email scam spoofing Foursquare leads to Russian fake pharmacy" »


May 16, 2012

Spoofed 'Bill Me Later' email has links to 20 Blackhole exploit websites

May 16, 2012

This article is about cybercriminals taking email exploit attacks to a new level. Tonight, I processed an email scam (to SpamCop) that claimed to come from a service known as 'Bill Me Later' - detailing an online payment I was supposed to have made over the phone. Except, my name is not Dr. Mary Olsen, MD!

The message, which was carbon copied (CC) to dozens of other recipients (whose email addresses were viewable in plain text), started off with the following totally fake text:

"Thank you for making a payment over the phone! We've received your Bill Me Later® payment of $60.12 and have applied it to your account."

The scam goes on to list various account numbers and (fake) payment details. It was also loaded with images and clickable links (20) to view many details, including:

Manage your account, Make a payment, View statements, Account Summary, Home, Make a Payment, About Bill Me Later, Offer, Directory, View Statements, Merchant Sign Up, Store, View Account, Summary, FAQs, Register Account
and 4 image links.

What is astoundingly different about this scam is not just the unusually high number of links leading to an exploit kit, but the fact that they all led to different domains. Normally, I see one or two domains used in hostile link scams. Twenty different compromised domain links is a new record for me.

Each one of these 20 links (see compromised website list) leads to a different website, to a sub-directory (folder) containing 8 mixed case alphanumeric characters, then, /index.html. Here is one sample URL (deactivated for your safety): h**p://webprof.ro/Tv2YU8u6/index.html

Continue reading "Spoofed 'Bill Me Later' email has links to 20 Blackhole exploit websites" »


May 13, 2012

My spam analysis for May 6 - 13, 2012

After taking a month off from publishing my spam statistics, I am resuming it today. I have been watching spam trends during my quiet month and found that the volume of spam is increasing. This, after a year of declining spam volumes.

I have added up all my incoming email and counted those classified as spam, and found that in the last week, my percentage of spam has been almost 40%. During the same period last year, it measured just 30%. This is a 10% increase.

I measure the amounts and types of spam with MailWasher Pro (2012), which compiles very good statistics for its users. If you don't already know about this program, it is a spam filter and email classifier, which sits between your email servers and your email client. It receives either POP3 or IMAP email from your mail servers and applies any filter or blacklist rules you define. I write and publish spam filters for MailWasher Pro and most of them are so reliable that I set them to automatically delete known spam. In case the filters are in error, I am able to restore the wrongly deleted messages from the MailWasher Recycle Bin.

While the volume and percentage of spam has increased over the last 7 days, an interesting development occurred: there was no spam with either malware links or attachments! In the previous weeks there were many such hostile messages, spoofing all manner of known websites and banks. Make no mistake, the malware scams will resume soon. Stay alert, especially if you have Java, Flash, or Adobe Reader installed on your computers or smart phones/tablets.

I always advise my readers to hover over links before clicking on them. Doing this causes the actual URL (web address) to be displayed on the bottom of your browser (Web-mail) or email client (desktop email program). This gives the savvy user a chance to see if the link claiming to lead to Intuit actually goes to a website that has nothing to do with intuit.com, or facebook.com, paypal.com, linkedin.com, etc, etc.

On the other hand, clicking (without hovering first to check it out) on a poisoned link takes you to a compromised website, which uses JavaScript and iframes to redirect you to a Russian malware server, where your computer is attacked for any vulnerable software. If you have any exploitable, unpatched software installed, your computer may be taken over by criminals and drafted into a spam and attack botnet, and have malware installed which steals money from your financial accounts, or extorts money from you to fix non-existent problems.

Let's move on to the spam analysis for the week...

Continue reading "My spam analysis for May 6 - 13, 2012" »


April 23, 2012

New social engineering tricks used in email malware scams

It appears that no matter how many cyber criminals get busted, or botnet command and control servers are taken offline, there is always another scam waiting to take their place. So it is in the case of email scams leading to malware attack kits.

The words and phrases in the subjects and message bodies used by scammers over the last few years have been morphing. We still see some of the old topics being used; recycled is a better word. But, new subjects and message bodies are being developed by clever copy writers who are employed by malware distributors. I want to share some of the recent social engineering topics and hook lines that I have seen in spam/scam emails that are detected by MailWasher Pro and subsequently reported to SpamCop.

The most recent scam is one I don't recall ever seeing before. It seems to target business owners who might hire accounting firms to take care of their books and taxes. It is a very clever scam, leading to a huge exploit kit, containing over 18,000 bytes of JavaScript codes. Included are over 2 dozen script tags, most of which probe your browser and computer for exploitable plug-ins, like Java, Flash, Adobe Reader and Internet Explorer's ActiveX. If the victim's browser has any of the vulnerable versions of these plug-ins installed, silent exploits take place, resulting in the PC becoming a zombie in a spam and attack botnet. They are also treated to a free installation of a bank account stealing Trojan and maybe even a free scan from a fake anti-virus scanner that demands money to remove the fake detections and the barrage of warnings it fires at you.

Here then are the subjects and message contents of some email scams I analyzed today.

Continue reading "New social engineering tricks used in email malware scams" »


April 12, 2012

Security threats and program patches for 1st quarter of 2012

We are just a third of a month into the second quarter of 2012 and we have already had a lot of security vulnerabilities, threats attacking them, and program patches released by major software companies. These patches include Windows Updates, Mac (Apple) Updates, Adobe Flash, Air and Reader, Oracle's Java Virtual Machine, Internet Explorer, Firefox, Safari and Chrome browsers, Real Player and iTunes.

All of the software updated by these companies, over the past three months has suffered from highly critical security vulnerabilities, many of which are now being actively exploited by cyber crime gangs who publish exploit attack kits. Java exploits are almost always the first types of exploits targeted by crimeware kits, like the Russian Blackhole kit.

Some of you may be wondering how these exploits are delivered to your computer in the first place. The most common method of luring potential victims to scripted exploit kits is via cleverly crafted, hostile email spam messages. These hostile spam messages differ from standard commercial spam in that they aren't trying to sell you counterfeit pills, watches, or pirated software. Rather, they use well constructed come-ons to con or panic recipients into either opening attached files containing Trojans or JavaScript codes redirecting your browser to a malware server, or clicking on obscured links to compromised websites.

After one clicks upon such a link, the scripts on the compromised landing page usually redirect you to other compromised websites and scripts, until you ultimately arrive at a distant server owned by cyber criminals, often in Eastern Europe. These servers use domains registered in places like Russia and the Ukraine to launch exploit kit attacks on your web browser and its add-ons and plug-ins, with Java plug-ins leading the pack. Adobe Reader (PDF files) and Flash are major secondary targets, followed by iTunes and Quicktime, Microsoft Word and just about any popular software that can be used to gain access to the operating system.

This is why reputable software companies release security updates on a more or less regular basis. Microsoft releases Windows Updates almost every month, on the second Tuesday of the month. Adobe has agreed to also release any critical patches on the same Tuesday. This has become known as Patch Tuesday. Make a note of this and if you have a Windows computer running XP with Service Pack 3, or Vista, or Windows 7, or Windows Server 2003 or newer, set your Automatic Windows Updates to check for updates at least every Tuesday, at the equivalent of 2 PM Eastern time for your time zone. Accept all updates rated Important or Critical. Reboot after all updates are installed and log back into an administrator level account to ensure that any further processing takes place, before logging into a less privileged account.

Note: There have now been four Patch Tuesdays so far in 2012, with the most recent being April 10, 2012. If you have not run Windows Updates this week, do so now. Two very serious vulnerabilities were patched this week. One is for Internet Explorer and the other for Microsoft Word. Exploits are now in the wild for both vulnerabilities.

Continue reading "Security threats and program patches for 1st quarter of 2012" »


April 6, 2012

Fake Facebook Friend Requests with huge links lead to malware exploit kit

There is an ongoing spam campaign that I have been following since August 24, 2011, pretending to be Facebook Friend Requests. However, all of the links contained in these scams lead to compromised websites, where your browser is attacked by criminal exploit kits, like the "Blackhole" or the "Nuclear" exploit kits.

If you are a member of Facebook and receive Friend Requests from senders with odd sounding names, you need to do something proactive before clicking on any links in those emails. You need to hover your mouse pointer over all buttons, images and text links, without pressing any mouse buttons (do not click!). Then, with your pointer over these links, look down at the "Status Bar" on the browser, or message window, or preview pane in the email client you are using, and look carefully at the URL being displayed.

The links and buttons in the Facebook Friend Request scams look like any other Facebook request, with a few exceptions. The photo of the alleged requester is missing, showing an outline of a shadowy head. When you hover over the picture, or name, or the Confirm Request buttons, or the Unsubscribe link, all of the links will be obviously fake, leading to anything other than facebook.com. Furthermore, for the last couple of months, the links are unbelievably huge, occupying multiple lines of code. Herein lies the weakness in the scam.

Most of the scams spoofing Facebook Friend Requests also lack the line under the person's name showing their statistics, e.g. "37 friends · 29 photos · 13 Wall posts". A real Friend Request contains these stats.


Making sense of what appears senseless
I am going to impart some WIZdom to you to bring you up to speed on the nature of the hostile links in the current (April 2012) fake email Facebook Friend Requests.


March 12, 2012

Wiz's email spam & threat analysis for the week ending March 11, 2012

This past week I saw a significant drop in the amount of spam I received and a shift in the top category. For the first time in probably a year or more, Nigerian 419 scams topped the list for most spams received. Gone completely was any spam for fake casinos!

Second place went to replica Chinese watches that rip off legitimate name brands, like Breitling. This was closely followed by spam for fake pharmacies and bogus diplomas. Drugs bought from fake pharmacies, if they ever arrive, will do you no good and may actually harm you. Buying fake diplomas won't necessarily get you hired, but they will get you fired, once your deception is discovered during routine background checks.

Runners up in spam were Russian domains pushing counterfeit goods and drugs, work at home scams, weight loss pills, male enhancement, Cialis and Viagra and three malware link scams.

The malware threats from last week were all fake Intuit invoices, with links to read invoices online. Those links all led to exploit attacks against browsers and their add-ons and plug-ins. If you clicked on a link in an email claiming to come from Intuit, scan your computer for malware Trojans and Bots. You can use a free 30 day trial copy of Trend Micro™ Titanium™ Internet Security, if you have nothing else that is current for virus detection.

The following represents my email totals and spam percentages by category. All results were obtained from MailWasher Pro, which I use to filter out spam before I download any incoming email to Windows Live Mail.


March 4, 2012

Wiz's email spam & threat analysis for the week ending March 4, 2012

This past week saw some changes in position in the main categories of spam and in the threats contained in some of them. There were far fewer malware messages than usual. Diplomas, drugs and casinos filled the top categories, with the percentages listed further down this article.

First off, I will detail the malware threats I captured this week. There was 1 scam spoofing Intuit with a fake QuickBooks update. This contained a hostile link to a malware exploit kit. I saw one each of a fake Facebook Friend Request and a fake map-to-a-meeting scam, with a link leading to the same Blackhole Exploit kit as the Facebook scam. One email scam claimed my credit card was blocked and invited me to open the report in the .htm attachment. Another claimed I had a DHL package that couldn't be delivered because the address was wrong. Like the fake credit card message, it contained a malicious JavaScript redirect and iframe load in the attached .htm file.

The danger lies in opening those .htm attachments, which some of the messages tell you is an Internet Explorer file. When you open those files the JavaScript code inside them is executed immediately and you are attacked silently. If your computer has an unpatched, vulnerable version of Java, or Adobe Reader or Flash installed, your PC will become botted and a copy of the Zeus banking Trojan will be installed.

Last, there were 2 scams spoofing BBB complaints against me. Sadly, for anybody fooled into clicking on the links, to read the "COMPLAINT REPORT" - they got JavaScript redirected twice, ending up at, you guessed it: the Russian Blackhole Exploit Kit.

Here then are the details about this past week's spam percentages, listed by category.


February 27, 2012

Wiz's spam analysis for the week ending Feb 26, 2012

For the fourth week in a row my percentage of spam has remained around the 25% mark. This percentage is almost identical to the same period last year. Further, my total amount of email received was up about 12% from last week, as was the amount of spam.

This week, the highest percentage of spam, like last week, was for fake pharmacies. Closely following was spam for fake casinos, then male enhancement scams, with replica watches in 4th place. The category of malware fraud was much lower and covered four types of scams: the BBB, NACHA, ACH and JavaScript redirects to exploit kits in attached .htm files in phony Certified Account membership termination warnings.

I was kept busy updating my spam filters for MailWasher Pro, which is the program I use to intercept spam before I download it to my Windows Live Mail email client.

The following is my analysis of spam for the week of February 20 - 26, 2012.


February 20, 2012

Wiz's spam analysis for the week ending Feb 19, 2012

For the third week in a row my percentage of spam has remained around the 25% mark. This is 9% less than the same period last year. The categories ranking highest have shifted again, as new spammers try their hand at the sucker trade.

This week, the highest percentage of spam went to fake pharmacies, most notably, the resurrected so-called Canadian Pharmacy. This affiliate program died in 2010, but new Russian based pharma-scam affiliate programs have sprouted up to take its place.

The second most spammed category was fake casinos, then malware attachment or link fraud, closely followed by replica watches. The malware fraud covered four types of scams: the BBB, NACHA (ACH fraud), the FDIC and malware JavaScript redirects to exploit kits in attached .htm files from spoofed Xerox Work Center scans.

The goal of these fraud email messages is to draft victim computers into a spam botnet, as well as to install bank account stealing Trojans. Other forms of document theft are being carried out by one Trojan type in the wild. Office documents are being stolen and uploaded to cloud servers, then gleaned for useful information or company secrets.

The following is my analysis of spam for the week of February 13 - 19, 2012.


February 12, 2012

Wiz's spam analysis for the week ending Feb 12, 2012

For the second week in a row my percentage of email spam is at about one quarter of all incoming mail. My total volume of email increased by 70 messages, from last week, with those deleted as spam increasing by 25.

For the second week in a row spam for replica watches (ripoffs of name brands) led the pack, with over 23%. All of the websites promoting these fake watches were hosted on Russian domains and are part of a Russian spam affiliate program.

The second most prevalent category of spam this week was promoting male enhancement pills. Casino (fake) spam took third place. It was just a few weeks ago that casino spam was the top category.

Missing entirely this week was spam for Russian brides and work at home scams. Those categories were heavily represented just a few weeks ago.

Also, spam leading to the Zeus banking Trojan through scams spoofing the BBB, or ACH, or FDIC, or Intuit are way down this week. Many of the people running these scams are now under arrest, or have warrants for their arrest, or are under investigation by local authorities in their own countries (all Eastern Europeans, Ukrainians and Russians).

The following is my analysis of spam for the week of February 6 - 12, 2012.


February 5, 2012

Wiz's spam analysis for the week ending Feb 5, 2012

After several weeks of overall decline, my percentage of email spam has again decreased, this time by 4%, for the week ending February 5, 2012, to about 25% of my incoming email. My actual amount of email received, good and bad, was lower than the previous week, by about 54 messages. 85 messages were classified as spam, which is 43 less than the previous week.

The types of spam have drastically shifted over the past few weeks. Last week and several weeks before, Casino spam led the pack by a long shot (pun). These are scams asking you to download a suspicious executable to play their crappy games and lose your money and bank card details. Apparently, these scams are being shut down and what remains is small potatoes compared to two weeks ago.

The new leader in junk email is (...drum roll...) Fake/Replica Watches. These knockoffs are sold on Russian domains and websites hosted on compromised computers. The spam affiliates are about to learn that their primary spam portal for counterfeit goods is closing. Doh!

Interestingly, spam containing links to malware was way down, with just three email messages using URL shortener services to deliver payloads disguised as free tickets, vouchers and iPhones.

The following is my analysis of spam for the week of January 30, through February 5, 2012.


January 29, 2012

My spam analysis January 22 - 29, 2012

For the third week in a row, the percentage of spam to all of my accounts has dropped. This time it decreased by 9% from last week, which is a significant decline and might signal a trend (one can only hope).

My total email received this week is up by 81 from last week. But, the volume of spam only increased by 28 messages. I noticed a big increase (pardon the pun) in Male Enhancement pill scams and a slight increase in the amount of the phony "ClubVIP" Casino spam.

Happily, there was a significant drop in the number of spam messages containing links to malware. These scams typically pretend to be failed or pending ACH transaction notices from NACHA, or a bank. There have been some very significant arrests and naming of suspects who are behind many of the top botnets, including the KoobFace gang. Many of the persons named or arrested, or on the run, are Russian, Romanian and Ukrainian citizens who are responsible for installing banking Trojans onto victims' computers. My guess is that the remaining active bot masters are lying low right now, until the heat dies down.

The following is my analysis of spam for the week of January 22, through 29, 2012.


January 22, 2012

My spam analysis and threat assessment for 1/16-1/22, 2012

After surging around January 1, my level of spam has shown signs of decreasing. It has dropped 2% from last week, making spam 38% of my total incoming email, from January 16 through 22, 2012.

In addition to the percentage drop, there was also a large drop in the actual number of messages classified as spam. In fact, I saw about 50% fewer spam email messages this week as compared to the previous week.

The email threats this week were mostly BBB Fraud, with links to fake complaint reports, which redirected to malware servers. There were also several miscellaneous scams with fake query strings appended to .htm files. These links lead to compromised websites and redirected to the Russian Blackhole Exploit Kit. People with JavaScript enabled and out-dated versions of the Java Virtual Machine installed would be exploited silently. Their PCs would become members of a botnet and begin spewing out spam and DDoS attacks. Some of these exploits also install bank account stealing Trojans.

The following is my analysis of spam for the week of January 16, through 22, 2012.


January 16, 2012

My spam analysis and spam filter updates, for Jan 9 - 16, 2012

I just compiled my personal spam statistics for the 2nd week of January, 2012 and found that spam accounted for about 40% of my incoming email. This is down 4% from the same period last year, but 1% higher than the previous week.

The leading category by a long shot was for the fake ClubVIP Casino. There is no website with such a name, just a bunch of various recently registered domain names that all point to fake casino pages. As was the case last week, these casino pages display an image that is wrapped in a hyperlink, which leads to the downloading of a suspicious executable. Once you install that file, you will part with a lot more money than if you shot craps at a real casino.

The second highest spam category was for fake (replica) watches, followed by counterfeit Cialis and Viagra. All other categories had smaller percentages, as outlined in my extended comments.

These spam statistics are derived from MailWasher Pro, which is a POP3 email screening program that runs on a Windows desktop. It intercepts all incoming email and analyzes it, based upon several factors, the most prominent of which are my own custom spam filters.

Total incoming email from January 9 through 16 (4 PM EDT): 516
Good mail: 308
Classified as spam: 208
Percentage rated spam: 40.3%


January 8, 2012

Spam percentage continues to increase in 1st week of 2012

For the second week in a row, my email spam percentage has exceeded the amounts recorded during the last quarter of 2011. At 39% it is 7% higher than the same period last year. I will review the various percentages of spam by category, as obtained from my anti-spam program, MailWasher Pro.

For the last couple of weeks there has been a huge amount of spam for the ClubVIP Casino. The links in the email messages spamvertising this currently Romanian based casino use various domain names, all of which redirect to a server running on the Russian Nginx software. When a victim is enticed to click on a link to this casino, rather than arriving at an actual online casino (currently hosted at 89.136.223.126), all they see is an image that is a clickable link to a suspicious file download, currently named SetupClubVIP.exe. This file hooks into the Windows Kernel file, Kernel32.dll, where it can do whatever evil it was designed to do. I tried to have it analyzed at VirusTotal, but the Romanian server is blocking their efforts to download that file.

I would advise anybody who asks my opinion to stay away from this type of scam. Do not download suspicious files to your computer to play any online games. Above all else, make sure you have the very latest and up-to-date anti-malware program installed, to protect your PC, just in case you slip up.

Now, on to the percentages of spam by category, for the week ending January 8, 2012.


January 2, 2012

My end of 2011 spam analysis

Here it is, New Years day, 2012 and I have just analyzed my email statistics for the past 9 days. After being down for months, spam levels have returned to last year's level of 49%, from Dec 23, through Jan 1. Spammers have indeed ended 2011 with a bang!

After some reading from my security sources blogs, I have learned that most of this spam blast over the last week+ was spewed out by one of the few remaining big botnets: the Cutwail Botnet. This botnet, like most of the others already taken down this year, is based in Russia. The Russian Bot Master may have just been fingered by Brian Krebs, in his "Pharma Wars" article posted on Jan 1, 2012.

The top categories of products and services being spammed the most over the last 9 days were for casinos, male enhancement gimmicks and various illicit pharmaceuticals sold from fake Internet pharmacies.

Lesser categories of spam included replica watches, fake diplomas, Russian dating and bride scams, Nigerian 419 scams and a few malware links to Russian exploit kits. I even got some unreadable spam in the Russian language and character set iso-1251.

As for totals, from December 23, 2011, through January 1, 2012, of the 339 messages I received, 169 were classified as spam, equaling 49% of all email for that period. This is exactly the same percentage of spam from the same time period last year.


December 18, 2011

Spam and email threat analysis for the week ending Dec 18, 2011

This past week, I saw another consecutive 2% increase in my percentage of spam, vs legitimate email, bringing my spam percentage up to 26%. This week last year, my spam percentage was 47%. This year I am seeing just over half as much spam as in 2010.

As for email-borne malware threats, I received 11 messages leading to malware servers and none that carried malware in attached files. Of these malware threats, 7 spoofed NACHA and ACH pending bank transaction notices, 1 spoofed the BBB, and 3 had fake query strings appended to files ending with a .htm extension. All of the above led to Russian crimeware exploit kits which use Java exploits to install either the Zeus or SpyEye banking Trojans, plus make those PCs members of spam botnets.

The balance of the incoming spam email was divided among the usual spam categories of pharmaceuticals, casinos, fake diplomas, replica watches, weight loss, and ridiculous Russian Bride dating scams, most of which had male names for the senders, but Russian female names in the message body (like "Olga from Russia, Moscow"). The grammar is absolutely horrible in those scams.

Top Spam Categories for the week ending on December 18, 2011:

These statistics were obtained from MailWasher Pro, an anti spam program that goes between email servers and your desktop email client.


December 14, 2011

MailWasher spam filter for links to .htm files with huge query strings

For the past week, I have been seeing and reporting (to SpamCop), scam email messages claiming to come from various financial agencies, or banks, with unusual links; all leading to malware servers. This is a continuation of the ACH, FDIC, etc., malware fraud that has been making the rounds for the past few months.

What's different about the links in these new scams is that they are HUGE! They all start out like any normal hyperlink, with a domain name and a particular file. But, appended to the end of the file name is a humongous "query string" (query strings begin with a question mark), containing multiple long groups of letters and numbers, separated by = signs. I have just analyzed one that has 214 alpha-numeric characters in the query string!

But, like octopus ink, things aren't always as they appear to be!

Being a Webmaster and web page writer, it didn't take me long to figure out that the file type that had the query string appended to it was not a valid active content file. Sure, it could possibly have been rigged to be such a file, like a php type, but these are not. They are Plain Jane simple html files, ending in the extension .htm. The .htm file type does not accept any query strings. If you append such a string of characters to it, the server will ignore them completely. All you see is the htm, or html file contents.

All of the rigged links I have traced are placed on compromised websites hosted on Apache web servers. The standard configuration of Apache web servers does NOT parse .htm, or .html files for active content. They are treated as "static" or flat files. No matter what the characters are that follow the file name and extension, the Apache servers where these links are pointing will ignore the phony query strings.

But, the .htm file type link in the scam emails is not where this story ends. The contents of each and every one I have analyzed contains a few simple lines of straightforward HTML code and an "iframe" (inline frame) - which imports a page hosted on a Russian website named csredret.ru (or variation thereof), containing a JavaScript array that leads to targeted attacks based on the brand of browser you are using and the installed plug-ins, especially unpatched versions of Java.

After seeing another such scam email link tonight, I decided to write a spam filter to detect this type of link. I named the filter: "Fake Query String In Link." The filter is for the anti-spam program MailWasher Pro.
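The filter rule itself is not reproduced above, so here is an added example (my code, not the post's MailWasher filter) that implements the same detection idea in Python: pull every URL out of a message body and flag those whose path ends in .htm or .html and which carry a long, multi-part query string. The thresholds (40 characters, at least two "=" signs) and the sample message are assumptions chosen for illustration; the post's own specimen had 214 characters. One caveat worth keeping in mind: Apache does ignore the query string when it serves a static .htm file, but the page's own JavaScript can still read that string from the browser's address bar, so a filter should key on the shape of the link rather than assume the string is inert.

```python
import re
from urllib.parse import urlsplit

# Added example: flags hyperlinks to static .htm/.html files that carry a long,
# multi-part query string, the link shape the post describes. The thresholds are
# assumptions chosen for illustration (the post's sample had 214 characters).
STATIC_EXTS = (".htm", ".html")
MIN_QUERY_LEN = 40      # assumed minimum length of the appended query string
MIN_EQUALS = 2          # assumed minimum number of "=" separated groups

# Any http(s) URL up to the next whitespace, quote or HTML delimiter.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Single-regex form of the same rule, for spam tools that accept one
# PCRE-style pattern (assumed to be the dialect your mail client uses).
FILTER_RE = re.compile(r"https?://[^\s\"'<>]+?\.html?\?[^\s\"'<>]{40,}", re.IGNORECASE)


def find_fake_query_links(text):
    """Return URLs in `text` whose path ends in .htm/.html and whose query
    string is long and made of several '=' separated groups."""
    hits = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;)")          # drop punctuation that trails a URL in prose
        parts = urlsplit(url)
        if not parts.path.lower().endswith(STATIC_EXTS):
            continue                      # .php and other dynamic pages legitimately take queries
        if len(parts.query) < MIN_QUERY_LEN:
            continue
        if parts.query.count("=") < MIN_EQUALS:
            continue
        hits.append(url)
    return hits


def filter_regex_hits(text):
    """The same check expressed as the single FILTER_RE pattern."""
    return FILTER_RE.findall(text)


# Constructed sample message, modelled on the ACH/FDIC lures the post describes.
SAMPLE_EMAIL = """Dear customer, your ACH transfer has been cancelled.
View the report: http://compromised-site.example/news/report.htm?h8s7d6f5g4h3j2k1l0=aZ9yX8wV7uT6sR5qP4oN3mL2kJ1iH0gF&id=09876543211234567890abcdefghij
Our real site: https://www.example.com/index.html?lang=en
Plain page: http://example.org/about.htm
"""

if __name__ == "__main__":
    for hit in find_fake_query_links(SAMPLE_EMAIL):
        print("suspicious link:", hit)
```

Only the first link in the constructed message is reported: the genuine-looking index.html link has a seven-character query and the plain about.htm link has none. The function form and the single pattern agree on this input, so either can be pasted into a tool that takes a regular expression.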


December 11, 2011

Spam and email threat analysis for the week ending Dec 11, 2011

This past week, I had a 2% increase in my percentage of spam, vs legitimate email, bringing my spam percentage to 24%. This, coupled with the big decrease of last week, brings spam levels to the lowest this year. Much of this decline in spam has to do with the takedowns of several major spam botnets. It also has to do with spammers finding it more lucrative to use social networks to conduct their illicit business.

Overall, it was a quiet week, threat-wise. I only received 10 messages leading to malware servers and none that carried malware in attached files. Of these malware threats, 2 spoofed Bank Of America, 2 spoofed the BBB, 2 were fake contract links, 1 fake changelog, and 3 ACH or FDIC scams.

Although I didn't personally see any, I read that other security researchers and honeypots have captured spam email containing links to fake update notices for Adobe Acrobat and Reader and Adobe X Suite Advanced and fake "License keys" for Adobe InDesign. All of these led to the installation of Trojan Horse programs that steal banking credentials and force the infected machine to become part of a spam and attack botnet.

Please go directly to www.adobe.com (type it into your browser's address bar) to obtain any updates or licenses for Adobe products. Do not click on links in email messages. 99.99999% are fraudulent and lead to malware exploit kits.

Top Spam Categories for the week ending on December 11, 2011:

These statistics were obtained from MailWasher Pro, an anti spam program that goes between email servers and your desktop email client.

Interestingly, Turkish hosted online casinos were the top category of spam. I created some new rules for my MailWasher Pro spam filters to detect and delete the new Casino Spam. There were 15 casino spam messages.


December 7, 2011

Access log "Referer" spam still happening through 2011

Takeaway:

I write about a lot of different types of spam, but one of the oldest, next to email and USENET, is spamming the "REFERER" field on a website's raw access logs. I have been seeing this form of spam for over a decade now.


What is a raw access log?

Websites are usually set up or configured to generate a text or graphical log of all visits to those sites (a.k.a: "hits"). These logs contain information that is useful to Webmasters of the websites. Graphical access logs use pie or column charts to show where the hits are coming from, who sent them to you, what details they were searching for and other useful facts about each request. A "raw access log" presents these details in plain text format, in space-separated groups.


Why would anybody want to spam a website's raw access logs?

Over a decade ago, spammers learned that some website owners, or free hosting companies, or individuals hosting their own web servers at home (usually against T.O.S) were actually publishing their raw access logs so that the owners could read them in a web browser, from anywhere they might be. Most of these published access logs are not password protected, meaning anybody anywhere can view them, if they know the location of those website log files. Since so many people do not understand website security at all, they leave configurations in a default state. This means that if their raw access logs are published, the folder location will be predictable, based upon the operating system of the web server. That web server is usually the Apache Web Server.

Thus, when spammers began seeing website raw access logs that were in default folder locations, on various web servers, they could read them in their browsers, as could anybody else in the World who reads that language. So, some enterprising S.O.B. came up with the brilliant idea of posting a request for some files on some websites, and they decided to include fake "referrer" details.


What is the referrer field in an Access log?

The referrer field is a section of an access log that tells the owner/maintainer of the website where each visitor came from, just before they came to your website. In other words, who referred them to you. This information is extremely valuable for learning who links to your web pages, or is writing about you, or has found your site by means of a search engine result.


What do spammers do to referrer fields to turn them into spam?

Instead of revealing the actual page the visitor (human or machine) was on when they decided to come to yours, spammers use special web software programs to put whatever content they wish into the referer field. That content usually takes the form of spammy links containing the names of illicit goods (illicit prescription drugs, counterfeit goods) or services (shady or illegal businesses).


Did I just misspell "referrer" as "referer"?

Nope. When the original Apache Web Server documentation was written, back in 1945, the scientists working on it accidentally misspelled the word Referrer as Referer. This misspelling has stayed with us to this very day!


Now, on to the rest of the details about Referer spam.
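To make the "space-separated groups" of a raw access log concrete, here is an added example (my code, not from the post): a small parser for Apache's combined log format that pulls out the referer field, tallies referers by host and flags the ones that look like the spam described above. The log lines, host names (RFC 5737 documentation addresses and .example hosts) and the keyword list are constructed for the example; the keywords are simply the spam categories this blog keeps reporting.

```python
import re
from urllib.parse import urlsplit

# Added example: a parser for Apache's "combined" log format (the raw access
# log described above) that reports on the referer field. Log lines, host
# names and the keyword list below are constructed for the example.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Assumed keyword list, taken from the spam categories this blog tracks.
SPAM_WORDS = ("viagra", "cialis", "replica", "casino", "pills", "diploma")

# Constructed sample lines; the last one is deliberately malformed.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Dec/2011:10:15:32 -0500] "GET /index.html HTTP/1.1" 200 5123 "http://www.example.com/links.html" "Mozilla/5.0"',
    '198.51.100.23 - - [07/Dec/2011:10:16:01 -0500] "GET /robots.txt HTTP/1.1" 200 68 "http://cheap-pills-store.example/buy-viagra-online" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '198.51.100.23 - - [07/Dec/2011:10:16:02 -0500] "GET / HTTP/1.1" 200 2210 "http://replica-watches.example/rolex" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '192.0.2.77 - - [07/Dec/2011:10:20:45 -0500] "GET /blog/ HTTP/1.1" 200 8890 "-" "Mozilla/5.0"',
    'this line is not in combined format',
]


def parse_combined(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def is_spam_referer(referer):
    """True when the (client-supplied, untrusted) referer contains a spam keyword."""
    if referer in ("", "-"):
        return False                       # "-" means the client sent no referer
    lowered = referer.lower()
    return any(word in lowered for word in SPAM_WORDS)


def referer_report(lines):
    """Tally referers by host. Returns {host: {"hits": n, "spam": bool, "examples": [...]}}."""
    report = {}
    for line in lines:
        rec = parse_combined(line)
        if rec is None or rec["referer"] in ("", "-"):
            continue                       # unparseable line, or no referer at all
        host = urlsplit(rec["referer"]).hostname or rec["referer"]
        entry = report.setdefault(host, {"hits": 0, "spam": False, "examples": []})
        entry["hits"] += 1
        if is_spam_referer(rec["referer"]):
            entry["spam"] = True
            if rec["referer"] not in entry["examples"]:
                entry["examples"].append(rec["referer"])
    return report


def spam_referer_hosts(lines):
    """Sorted list of referer hosts that were flagged at least once."""
    return sorted(h for h, e in referer_report(lines).items() if e["spam"])


if __name__ == "__main__":
    for host, entry in referer_report(SAMPLE_LOG).items():
        flag = "SPAM" if entry["spam"] else "ok"
        print(f"{host:30} {entry['hits']:3} {flag}")
```

The referer is whatever the client chose to send, which is the whole basis of this kind of spam, so the parser treats it as data to report on and never as something to trust; the same reasoning is why a raw log like this should not be published where anyone can read it.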


December 4, 2011

Spam and email threat analysis for the week ending Dec 4, 2011

This week I saw a drop in my overall volume of email, but the percentage of spam actually declined by 2%, to 22%.

First place went to spam for the ridiculous Russian Bride scams. Second place went to spam for fake-replica name brand watches. Third place remained firmly in the grasp of male enhancement scams. Every other typical spam category paled compared to these three.

The other categories of spam last week were covered by casinos, Cialis, fake diplomas, weight loss drugs, NACHA failed deposit fraud and money mule job scams. If you have been reading my blog you know that the NACHA emails are all fraudulent and are meant to infect your computers with a bank account stealing Trojan and to draft it into a spam botnet.

Most of the online exploit attacks that succeed, like the NACHA and ACH fraud, do so by means of exploit kits that seek to compromise vulnerable versions of the Java Virtual Machine. Java is the #1 attack vector targeting users' web browsers. If you are using a non-current version of Java, or even have older versions in your Program Files directory, you are at great risk of being exploited. The exploits I refer to will place financial and auction account credential stealing Trojans on your computer, along with making it a zombie member of a spam botnet.

You can check to see if Java is installed on your Windows computers by going to Control Panel and looking for an icon named Java. If it is there, double click to open the control box, then click on the Update tab, then click the button to check for updates. Accept any updates to Java. Set the updater to automatically check every day, at a time when your PC is on. Next, use the Add/Remove Programs icon to look for older versions of Java and uninstall all but the newest version and build. Close and restart your browser to flush out any lingering out-dated version of Java.

If you don't need Java, or don't know if you need it, uninstall it completely and close the number one attack vector used by the BlackHole Exploit Kit.


November 27, 2011

Spam and email threat analysis for the week ending Nov 27, 2011

For the fourth week in a row my spam volume and percentage has dropped, this time by 6% from the previous week, down to 24%. Malware bearing emails were completely gone this week.

The top category of spam last week was Russian Bride dating scams. It's hard to believe that anybody in an English speaking country would fall prey to the ridiculous and poorly worded messages sent by Russian criminals posing as prospective dating partners for Americans or Canadians. The entire purpose of these scams is to develop a relationship, then exploit it for monetary gain. It is an easy way for cyber criminals to obtain your credit card details and sell them on Russian "carder" forums.

Aside from the Russian Bride scams, the other significant categories of spam were for pirated software, hosted on Ukrainian domains, fake pharmaceuticals and male enhancement pills, fake diplomas, counterfeit watches and illicit weight loss drugs.

The following are the categories of spam, by percentage, from November 21 through 27, 2011, as obtained from my anti-spam program: MailWasher Pro.


November 20, 2011

Spam and email threat analysis for the week ending Nov 20, 2011

For the third week in a row my spam volume and percentage has dropped, this time by 3% from the previous week. Also, the number of malware bearing emails was way down from previous weeks, with just 9 messages with malware attachments arriving this week.

The top categories of spam last week were for Male Enhancement, weight loss tablets and pirated software (on Ukrainian .com.ua domains). The remainder were filled by spam for replica watches, Russian bride dating scams, some fake diploma spam and Money Mule job recruitment scams. Malware bearing email threats were fake alerts about canceled ACH transfers and payments, failed direct deposits, etc. They contained Trojans that silently steal your logon credentials to your online banks, then empty them of your savings.

The following are the categories of spam, by percentage, from November 14 through 20, 2011, as obtained from my anti-spam program: MailWasher Pro.

Continue reading "Spam and email threat analysis for the week ending Nov 20, 2011" »

November 13, 2011

Spam and email threat analysis for the week ending Nov 13, 2011

For the second week in a row my spam volume and percentage have dropped, this time by 5% from the previous week. Also, the number of malware-bearing emails was down from previous weeks. There was a new entry into the malware scams: Postal delivery failures.

Most of last week's spam was for pharmaceuticals (including Viagra and Cialis), from fake pharmacies, male enhancement pills, Russian brides, pirated software (on Ukrainian .com.ua domains) and replica watches. There was a measurable amount of serious security threats present in three major categories: Wire Transfer and Tax Submission fraud, Courier and Postal Service scams and Money Mule job recruitment scams. These security threats came in attached files containing Trojans, or via links to malware-serving websites.

I personally notified one website owner that new folders on his website, containing JavaScript includes to malware servers in Russia, were being used in spam links. Due to my taking the time to contact him, he was able to remove those threats. More people need to get involved in notifying webmasters who are unaware that their websites have been compromised by criminals.

Without any further ado, here are the categories of spam, by percentage, from November 6 through 13, 2011, as obtained from my anti-spam program: MailWasher Pro.

Continue reading "Spam and email threat analysis for the week ending Nov 13, 2011" »

November 7, 2011

Spam and email threat analysis for the week ending Nov 6, 2011

This week, I saw a significant 22% drop in the amount of email spam from the week before. The overall amount of spam was also down from the previous week, as was the number of threats carried in email messages.

While most of last week's spam was for the usual pharmaceuticals, male enhancement, Russian brides, pirated software, fake diplomas and Nigerian 419 scams, there was a fair amount of security threats present in two major categories: ACH fraud and Money Mule job scams.

The ACH scams are old hat now and contain links to Trojan exploit servers in Russia, using a recurring theme about a cancelled money transfer from your bank to another unnamed bank. The devil is definitely in the details for those scammed into clicking on the link in those messages. Fortunately, there weren't as many as there were a week or two ago. Read my blog article about how to block the fake ACH notices.

I just wrote an article two nights ago (Nov 5, 2011), about the Money Mule job scams making the rounds. The email spam blast that is continuing to come in all have the same body text as the one I quoted in that article. Please read the article if you need to verify that a job offer you got in your inbox is a Russian Money Mule or Reshipping scam. I don't want any of my readers falling victim to a money laundering or stolen goods trafficking scam.

Without any further ado, here are the categories of spam, by percentage, from October 30 through November 5, 2011, as obtained from my anti-spam program: MailWasher Pro.

Continue reading "Spam and email threat analysis for the week ending Nov 6, 2011" »

November 5, 2011

Work at home Money Mule job scams abound with holidays approaching

For the last week or so, I have seen a steady increase in the number of illicit work at home job scams arriving by email. So far, just this morning, I have seen 5 different subjects, with slightly different "reference" numbers, all spoofed as coming from one of my own email addresses. This coincides with the approaching Black Friday and Christmas shopping season in the US and Canada.

I have no doubt that my readers are also seeing more mysterious online job offers arriving by unsolicited email (spam). With so many of us struggling to make ends meet, in a middle that keeps getting farther apart, some of you may be tempted to reply to such an offer. Please don't do it! It is a scam and will get you in big trouble. Let me explain...

Work at home job scams have been around for well over a dozen years. In recent years the people running these scams have found that it is more profitable to recruit hapless individuals, in desperate search of a job, into a money laundering, or stolen goods reshipping scheme, than to cheat them out of a few dollars over a fake envelope stuffing, or medical billing position.

What is a money mule?

A Money Mule is a person who knowingly or unknowingly receives stolen or illegally obtained funds, allows them to be deposited into their own bank account, then transfers that money from their bank to another one located in another country. This act is known as Money Laundering. The illicit money comes to them by means of banking key loggers, like Zeus or SpyEye, or from illegal activities like arms or drug sales, or extortion. Sometimes the money is being laundered on behalf of known terrorist organizations.

What is a reshipper scam?

A reshipper scam is where a person is recruited for a job where they receive physical goods delivered by the post office or a parcel delivery service, which they repackage, or re-label, then reship them to a specified, foreign destination. The reshipper may or may not be aware that these goods were obtained with stolen credit or debit cards.

In both of these "job" descriptions, in most civilized, law-abiding countries, serious laws are being broken by all participants in these schemes. Money Mules are easily tracked down when victims notify the Police about money illegally transferred out of their bank accounts. The banks have a money trail for all money transfers. Most Money Mules are told to set up a direct deposit account, to receive and transfer stolen funds. As I mentioned earlier, this is known as "Money Laundering" - which is a Federal Felony in the USA and Canada, punishable by lots of time in a Federal Penitentiary and huge fines.

Reshipping job participants are involved in moving stolen merchandise (from auction sites, office supply, computer and electronics stores, catalog stores, etc) to offshore recipients. All reshipping mules are guilty of felonies for trafficking in stolen goods.

Continue reading "Work at home Money Mule job scams abound with holidays approaching" »

October 31, 2011

A short anatomy of a work at home scam

It is a virtual certainty that if you have an email account and use it, your address will end up on one or more spam databases. No matter how well you protect your own equipment, you cannot say the same for all of your email recipients, or even newsletter senders. Spammers have ways and means of stealing email contact databases and spamming every address on those lists.

'Nuf said about how you got on spam lists. __it happens.

One of the long running email scams involves work at home schemes and the related field of money mule and drop reshipping recruitment. The email letters promoting these usually illegal activities start with what seems to be a friendly letter from someone who watched a program on a certain news channel and is now making big money by using that system. Since they care about you so much, they want you to benefit like they have. All you have to do is click on the link, read the information at the landing page and sign on.

The email come-ons mention how much money so-and-so made in just their first day or two, etc. The landing pages look like TV station pages with reports about an exciting work at home career opportunity. They even have videos purporting to be done by news reporters, about these so-called jobs. But, everything on these web pages is fake. It is a scam.

Before you click any such link, in an email about a work at home job, consider the following facts that I have pulled from my most recent work at home scam.

Continue reading "A short anatomy of a work at home scam" »

QuickBooks Security Tool email scam leads to malware

This morning I received a new scam email claiming to come from [email protected], containing the following come-on text:


You will not be able to access your Intuit QuickBooks account without Intuit Security Tool (IST™) after 31th of October, 2011.
You can download Intuit Security Tool here...


The camouflaged link had a .nl domain, so I plugged it into Wannabrowser and followed multiple redirects, ending up in Russia.

The first location, a compromised or exploited server in The Netherlands (within 87.233.0.0/18), contained three links to JavaScript files on three different compromised domains. All three files were named js.js and contained another redirection to a subdomain of a domain named "serveirc.com" - hosted on no-ip.com, which bills itself as: "Dynamic DNS, Static DNS for Your Dynamic IP." The redirect from no-ip.com went to a server in Moscow, Russia, where I have traced much badware in recent weeks. The destination page is either cloaked to me, or devoid of content (possibly as a result of SpamCop reports, such as the one I filed).

The Russian company hosting these exploits is named "Serverfarm" and owns the domain: MSM.RU. The IP hosting the QuickBooks scam exploit (95.163.89.193) is part of the CIDR: 95.163.0.0/16 - which is already on my Russian Blocklist, for hosting previous exploits.

FYI: the payload page is named: /main.php?page=b0374286c079f294

This scam is no different from its predecessors, the Scan From A Xerox Workstation and Scan From An HP Printer, both of which led to malware exploit kits that infected victim computers with the Zeus Trojan and a botnet installer. Delete such emails on sight.

Note: if you are a QuickBooks (actually intuit.com) customer and receive a questionable email claiming to be from them, hover your mouse over the links without clicking on them, to make sure they all point to intuit.com. This scam had a link on the word "here" which was the only one leading to the exploit site. Look closely at the links in action words. The actual destination will be revealed in your status bar. If the action link does not go directly to intuit.com, it is a scam, meant to harm your computer and steal money from your business.

October 30, 2011

Spam and email threat analysis for the week ending Oct 30, 2011

In case you didn't know it, spam levels have increased dramatically this week. For the first time in about a year, my own spam level has reached 60%. This is up 12% from last week. While the actual amount of spam has increased, the subjects and scams have not changed much. Only the percentages by category have changed this week.

For those who haven't read my spam reports before, I employ an email screening program named MailWasher Pro to act as a filter for known, or suspected spam, scams and virus threats. I obtain statistics at the end of each week, for each category of spam, based upon filters I write and publish (for other MailWasher Pro users).

The number of threats arriving in spam email was greatly reduced from the previous month. There were just a handful of ACH and Wire Transfer Rejected scams. They all contained links leading to Russian, Romanian, or Ukrainian malware servers. All spam for pirated software is still hosted on Ukrainian domains, ending in .COM.UA. Most of the rest of the spam this week was hosted on Russian .RU domains. This is especially true for the numerous Russian Bride online dating scams.

Let's look at my spam statistics for the week ending Oct 30, 2011, as obtained from my anti-spam program: MailWasher Pro.

Continue reading "Spam and email threat analysis for the week ending Oct 30, 2011" »

October 23, 2011

Spam and email threat analysis for the week ending Oct 23, 2011

Spam is definitely increasing, compared to one month ago. For the last month it hovered around the 40% level. Now, it is approaching 50% of my incoming email. This may not jibe with your figures, but my amount of good mail is fairly consistent, so my spam percentages are measurable.

Last summer saw spam levels drop way down, but I am not surprised at this constant increase. New spammers are being recruited and my guess is that the spam class of 2011 has graduated. These fools pay to get into the spam game, hoping to find enough suckers to make a big profit. Spammers are paid for leads, sales, credit card number theft and computer infections.

The biggest categories have not changed much over the last few years. I saw a lot of junk mail for Fake pharmaceuticals, male enhancement pills, weight loss capsules, pirated software, fake diplomas and some Nigerian 419 and lottery scams. What is interesting is the resurgence of Russian Bride dating scams.

The worst threats delivered via email were ACH fraud scams, containing links leading to infection of computers. The predominant infection from following the links in these scams is the Zbot, a.k.a. Zeus Trojan, plus a Botnet installer. The Zeus hides and watches for you to log in to your financial institution, then steals your credentials and money. It is also used to commit identity theft. I have a custom spam filter that blocks ACH scams.

Almost all of the spam I received last week had links to Russian or Ukrainian domains. They don't even try to cloak the links. Lax enforcement in Russia and The Ukraine makes it relatively easy for counterfeiters, fake pharmacies and software pirates to conduct illegal or shady businesses, without much fear of arrest. There are some high level arrests, now and then, but they are just the tip of the iceberg. There are more Russian spammers and Bot-Masters than their police can investigate. For every top spammer busted, five more seem to take his place.

Let's look at my spam statistics for the week ending Oct 23, 2011, as obtained from my anti-spam program: MailWasher Pro.

Continue reading "Spam and email threat analysis for the week ending Oct 23, 2011" »

October 17, 2011

Pirated software spammers using Goo.gl domains to redirect to Eastern European domains

Software piracy has been a problem for over 2 decades, for the companies who invest time and money into the development and updating of the computer programs they offer for sale. After all, commercial businesses distribute computer software (a.k.a. programs), in the hopes of at least covering their costs, or maybe even making a profit, from the sales of licenses to use their intellectual property.

Standing in the way of profits are low life gangs of modern day pirates who obtain copies of popular commercial software, which they duplicate illegally and sell without permission from the legitimate copyright holders. In order to use these programs buyers must have a license code. In some cases, the software piracy gangs bribe insiders to steal actual bulk license keys from large businesses who pay huge fees to get bulk licensing for their multitudes of employees. They then re-issue these unlawfully obtained license codes to people who purchase pirated software from them.

It doesn't take too long for the companies being ripped off to learn which product keys are being distributed with pirated copies of their programs. As these keys are discovered, they are blacklisted. After that happens, the next time a buyer of that software checks for updates (manually or automatically), the program will become unlicensed and cease functioning properly, if at all. It is at that moment that many buyers realize that they have been ripped off.

But, not all pirated programs ship with stolen keys. Some have been recompiled to include embedded bulk license keys, which eventually fail, plus a little something extra to pad the profits of the gangs who sell pirated software at very low prices. That something extra is an embedded Trojan Horse remote control backdoor (botnet, etc).

I have been following the sources of pirated software for several years now and have learned that most of it is being distributed by Russian and Ukrainian criminals. During the last summer most of the domains used in email spam promoting pirated software ended in .RU. Those are Russian domains, registered in Russia.

Sadly, most of the actual websites are hosted in Czechoslovakia, on hijacked broadband PCs, or on web servers owned or leased by people involved with the crooks. All of the pirated software websites are running on the Russian Nginx web server.

Toward the end of August the Russian software piracy gangs began registering their domains with a new second level name that belongs to the Ukraine: .COM.UA. In order to register such a domain, one must possess a business license issued to a Ukrainian company. Since that time, most spam for pirated software contains a link ending in .com.ua.

Now, in mid October, 2011, the pirates have begun to use a new domain run by Google. It is a URL shortener system, named "goo.gl." They are now using a mixture of links pointing to shortened links on Goo.gl and to .com.ua domains. The Goo.gl links all contain instant redirection to an intermediate domain, which instantly redirects to a Ukrainian domain, where the pirated software is sold.

Continue reading "Pirated software spammers using Goo.gl domains to redirect to Eastern European domains" »

October 13, 2011

How to block spam email fake ACH Canceled Payment messages

I was reading my website's raw access logs today and saw that one visitor arrived on my blog when he or she searched Google for this phrase: ach+payment+canceled+spam+how+to+stop. This article will offer suggestions to block such messages from your inbox.

First of all, you need to understand that you are not alone in being a scam and spam recipient. Almost everybody who sends, receives, forwards or replies to any email message will probably end up on some spam database eventually. Master Spammers compile email address databases using various means. Then, these addresses are sorted by country and sold to other, second level spammers. These spammers then rent the use of botnets to blast out ginormous amounts of spam email, to promote various products and services, for which the spammers are affiliates (paid by the sale, or per infection, or referral).

The ACH payment canceled scam which my visitor was asking about is not your typical type of spam message. It comes under the category I call "mal-mail," meaning it contains either a malware laden attachment, or a link to malware exploit attacks or downloads. This is a very dangerous class of email to allow into your computer's email client.

Here are some methods you can try to use to block the ACH scam emails from your inbox.

Continue reading "How to block spam email fake ACH Canceled Payment messages " »

October 10, 2011

Spammed IRS Tax notices lead to Zbot malware infection

There is a currently ongoing spam campaign which sends an official looking document, with images from the US Internal Revenue Service. The subject and body refer to a tax return problem. The recipient is told to read the report at IRS.gov, but the link provided goes offshore, to a look-alike scam web page, serving malware.

I traced down one of these scams that came in today (Oct 10, 2011) and here are my findings.

The link in the email, falsely claiming to go to a report page at irs.gov, actually led to a website named http://systrmp.com (using a standard HTML anchor whose visible text shows the user one destination while its href points to another). If the intended victim were to hover their mouse or pointer over that link before clicking on it, they would see the true destination in the Status Bar of their email reader (browser or standalone desktop email client).
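The mismatch described above (and in the QuickBooks note further up, where only the word "here" pointed at the exploit site) can be checked mechanically. This is an added example, not code from the original post: it walks the anchors in an HTML body and flags any whose visible text names one site while the href leads to another, or, given the domain the mail claims to come from, any link that leaves it. The HTML samples are constructed and use the reserved hostname scam-host.example in place of the real scam domains.

```python
# Added example, not the blog's own code: spot anchors whose visible text names
# one site (irs.gov, intuit.com) while the href goes elsewhere, the trick behind
# the IRS and QuickBooks messages above. The HTML samples are constructed and use
# a reserved .example hostname in place of the real scam domains.
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Something that looks like a host name inside the visible link text.
DOMAIN_IN_TEXT = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in a message body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    """Crude normalisation to the last two labels: www.irs.gov -> irs.gov."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def suspicious_links(html, expected_domain=None):
    """Return (href, text, reason) for each anchor that deserves a second look:
    the text names a domain other than the href's, or, when expected_domain is
    given (the sender the mail claims to be), the href does not lead there."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        host = urlparse(href).hostname or ""
        target = registered_domain(host) if host else "(no host)"
        named = DOMAIN_IN_TEXT.search(text)
        if named and registered_domain(named.group(0)) != target:
            findings.append((href, text, "text names %s, link goes to %s"
                             % (registered_domain(named.group(0)), target)))
        elif expected_domain and target != expected_domain.lower():
            findings.append((href, text, "expected %s, link goes to %s"
                             % (expected_domain, target)))
    return findings

# Constructed samples modelled on the two scams quoted in these posts.
IRS_SAMPLE = ('<p>What you need to do</p>'
              '<a href="http://scam-host.example/review">Visit review page on irs.gov</a>')
QUICKBOOKS_SAMPLE = ('You can download Intuit Security Tool '
                     '<a href="http://scam-host.example/ist">here</a>...')
```

The QuickBooks case only shows up when you pass the domain the mail claims to be from (`expected_domain="intuit.com"`), because the word "here" names no site on its own.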

The message body is written to cause panic in the recipients, causing some to blindly click on the link, without checking out the destination first. Here are the words used to panic recipients into action:


Notice ID: CEXOSTSZUJ8747
Notice: CP01H
Tax year: 2011
Notice date: Mon, 10 Oct 2011 09:11:50 +0100
Page 1 of 1

Important information about your tax return
We are unable to process your tax return

We received your tax return. However, we are unable to process the return as filed.

Our records indicate that the person identified as the primary taxpayer or spouse on the tax return was deceased prior to the tax year shown on the tax form. Our records are based on information received from the Social Security Administration.
Based on this information, the tax account for this individual has been locked.

What you need to do

Visit review page on irs.gov (<-- Hostile link goes here)
Keep this notice for your records.
Department of Treasury
Internal Revenue Service


Continue reading "Spammed IRS Tax notices lead to Zbot malware infection" »

October 9, 2011

Spam analysis by category, for week of Oct 2 - 9, 2011

Despite the takedown of several of the top spam botnets this year, spam levels have held steady at 40%. Most spam this week was still promoting Russian and Ukrainian domains, pushing counterfeit drugs, pirated software, replica ripoff watches, malware exploits and dating scams.

There is a trend that began developing a few weeks ago: the registration of spam domains ending in .com.ua, which is a new type of Ukrainian domain. The domains being spamvertised with links ending in ".com.ua" are pushing pirated software, fake watches, Russian and Ukrainian dating scams, fake Cialis, Viagra and other prescription drugs that are illegal to import into the US and Canada.

There was a big decline in the amount of spam emails that actually carried a malware payload in an attachment. They were replaced with several threats that use links to exploit their victims, rather than attached files. The end result is the same for those tricked into clicking those links: bots and various Trojan downloaders.

I compile my spam statistics from my spam screening program MailWasher Pro, which I use to filter out spam, malware attachments and dangerous links, before downloading any messages to Windows Live Mail, which is my desktop email client. The categories represent custom spam filters which I write and publish.

The following are a list of categories of spam received this week, ranked by percentage, highest first.

Continue reading "Spam analysis by category, for week of Oct 2 - 9, 2011" »

October 2, 2011

Spam analysis by category, for week of Sept 26 - Oct 2, 2011

Another week has gone by and spam levels have remained fairly static, at the same level (just under 40%) as the previous week. Most spam this week was promoting Russian and Ukrainian domains, pushing counterfeit drugs, pirated software, replica ripoff watches and dating scams.

Thankfully, there was a big decline in the number of scam emails containing malware in attachments, or at the end of hyperlinks. I did see a lot more spam messages for pirated software, all hosted on Ukrainian domains, ending with .com.ua. Also on those domains were male enhancement scams, weight loss, and someone named Elina who is looking for a man, but has an email address beginning with Maria.

Not to be left out, there were several Nigerian 419 scams and lots of junk mail for fake Cialis and Viagra. What few ACH Transaction Canceled scams I saw ended about mid-week. I have blogged about these threats numerous times since late August 2011. Search this blog for details about the ACH and FDIC scams leading to malware exploits and botnets.

The following are a list of categories of spam received this week, ranked by percentage, highest first.

Continue reading "Spam analysis by category, for week of Sept 26 - Oct 2, 2011" »

September 26, 2011

ACH email scams now using links to malware exploit sites

Over the last couple of weeks there has been a huge spam run with fake ACH canceled transaction notices, all of which came with malware inside attached files. Recipients were urged to open these files to read the failed transaction report. Effective 9/26/11, the same message text is being re-used, with the exception of how the victim is supposed to read the "Transaction Report."

Now, instead of sending malware directly as attached files, the criminals behind this scam are providing links to read the "Transaction Report" at the "Nacha.org" website. At least, that is what the links show to the casual observer. If one hovers over these links they learn that the destination is not nacha.org, but a totally different website name. All of the domain names used in the spam run I saw today (9/26/2011) were registered today, with a company calling itself: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE. Most of the domains are not resolving at this time, but at least one is. That malware serving site is at na-chas-data-info DOT com (do not go there with a standard browser!).

Upon landing on this still active website, hosted on Yahoo.com, the victim sees a fake page titled "NACHA - ACH Transfer Rejected". Unknown to the victim, a hidden iframe is hijacking the browser away from that fake notice to a server that attacks the browser with the BlackHole Exploit Kit. That server is at: "huntcheerful.com" - hosted at p8p.geo.vip.sp2.yahoo.com.

UPDATE:
As I was typing this the malware account at huntcheerful.com began serving a 503 Service Unavailable notice. I guess that somebody at Yahoo finally read my SpamCop reports against this domain.

It appears that the six domains I reported earlier today have all been taken offline. However, the people behind this scam will keep registering new cheap domain names and will continue to abuse legitimate web hosts to serve malware to as many people that they can trick into clicking on those links.

To protect yourself, your family, and/or employees, inform them that the US NACHA organization does not ever contact the public about any failed "ACH" transactions. Neither does anything going by the name ACH ever contact people whose transactions didn't go through. Only your bank will contact you if your check, deposit, or money transfer fails.

Any email about a failed ACH transaction, not coming from your known bank, is a fake and a scam and should be deleted on sight. If someone at your business receives such a notice and isn't sure if it is legitimate, call your bank and ask if a recent transaction has failed, or been canceled by the other party. In 99% of the calls they will tell you no such thing has occurred.

You can add a layer of protection to your email users by creating rules that block all emails claiming to be sent from nacha.net, nacha.org and nacha.us. If you are able to create wildcard rules, block all email from any address at nacha.anything. The email screening program MailWasher Pro, which I use, utilizes regular expressions to blacklist email senders, based on what is listed in the "From" field. The rule I use to block anything from any sender @ nacha.anything is: +@nacha.+
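For readers whose mail server or client takes ordinary regular expressions rather than MailWasher rules, here is the same sender blacklist as an added example (not the blog's own filter). It assumes that the MailWasher rule "+@nacha.+" means "any sender at nacha followed by any top-level domain", shows why the literal dot in that rule would also match unrelated hosts if read as a plain regex, and goes one step beyond the rule by flagging senders whose display name claims the brand while the address does not. All From: values are constructed.

```python
# Added example, not the blog's own filter: the MailWasher blacklist rule
# "+@nacha.+" quoted above, re-expressed as a Python regex applied to the
# address in a From: header, plus a lookalike check that goes a step further
# than the rule. All From: values in the tests are constructed.
import re
from email.utils import parseaddr

# Assumption: MailWasher's "+@nacha.+" means "anything, then @nacha., then
# anything". Read literally as a regex the dot is a wildcard, so the loose
# form also matches e.g. news@nachalink.example; the strict form requires a
# real dot followed by one or more TLD labels (nacha.org, nacha.us, nacha.co.uk).
LOOSE_RULE = re.compile(r"@nacha.+", re.IGNORECASE)
STRICT_RULE = re.compile(r"@nacha\.[a-z]{2,}(\.[a-z]{2,})*$", re.IGNORECASE)

def sender_address(from_header):
    """'NACHA <a@b>' -> ('NACHA', 'a@b'); a bare address comes back with no name."""
    name, addr = parseaddr(from_header)
    return name, addr.lower()

def classify_sender(from_header, rule=STRICT_RULE, brand="nacha"):
    """
    'blacklisted' : the address matches the rule (nacha.org, nacha.net, nacha.us ...)
    'lookalike'   : the address escapes the rule but the display name or the
                    local part still claims the brand, e.g. "NACHA" <x@other.example>
    'ok'          : neither
    Matching is done on the parsed address, not the raw header, so a display
    name cannot smuggle or hide an @nacha string.
    """
    name, addr = sender_address(from_header)
    if rule.search(addr):
        return "blacklisted"
    local = addr.split("@")[0]
    if brand in name.lower().replace("-", "") or brand in local.replace("-", ""):
        return "lookalike"
    return "ok"
```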

In addition to using blacklisted senders, MailWasher also uses custom filters, which I happen to publish for others to use. A couple of my MailWasher filters already detect, flag and/or auto-delete these scams.

Continue reading "ACH email scams now using links to malware exploit sites" »

September 25, 2011

Spam percentage continues to decline in percentage & threat level

Since last Sunday night, Sept 18, my incoming percentage of spam email has dropped slightly, from 36% to 35%. This makes 4 weeks in a row of small, yet steady decreases in spam. Furthermore, the amount of malicious attachments has taken a drastic downturn from the previous few weeks.

With the welcome decline in the number of malware laden attachments, what is left is standard junk email for prescription drugs, illegal to import into the USA, sold without a prescription, from Russian and Ukrainian domains. Also there were many male enhancement (Max-Gentleman) and weight loss scams (pushing HCG pills), as well as the usual batch of fake Viagra and Cialis. Again, these are prescription drugs, and even though they're counterfeit, they are illegal to import into the USA from abroad. There were even a few spam emails selling fake diplomas and a bunch of Nigerian lottery and inheritance 419 scams.

I compile my spam statistics from my spam screening program MailWasher Pro, which I use to filter out spam, malware attachments and dangerous links, before downloading any messages to Windows Live Mail, which is my desktop email client.

Spam Statistics for September 19 through 25, 2011 (compiled at about Midnight)

Total email received: 440
Amount classified as spam: 155
Percentage of spam: 35%
Number matched by my custom filters: 140
Number caught by my Blacklist: 11
Number identified by DNS Blacklists: 4
Reported to SpamCop: 38

Individual categories of spam follow...

Continue reading "Spam percentage continues to decline in percentage & threat level" »

September 22, 2011

Domain suspended email notice contains malware attachment

Today I saw something new to me in the spam-containing-malware category. It was an email allegedly from one account on my own domain, sent to another existing account on my domain, notifying me that my domain had been suspended! FAIL!

Keep in mind as you read this, that I received this scam email from one of the email accounts on the supposedly suspended domain! I am posting about it on my blog, which is also hosted under the same domain name! A simple check for my home page shows that it is still up and running. Obviously, the email was a scam, attempting to panic me into opening the attached file. Not going to happen Boris!

Here, for both your amusement and to warn other domain/website owners about the scam, are the significant details from the normally hidden headers.

Received: from home-d805cd5a06 by smtp.wanadoo.fr; Thu, 22 Sep 2011 08:52:00 +0200
Date: Thu, 22 Sep 2011 08:52:00 +0200
Message-ID: <[email protected]>
Subject: Fw: IMPORTANT: wizcrafts.net has been suspended
From: REMOVED@wizcrafts.net
Reply-To: REMOVED@wizcrafts.net
To: REMOVED@wizcrafts.net
Content-Type: text/plain; charset=iso-8859-2



Here is what I saw when I examined the source code in the message body:

aEBb,
lGBf WLHZmMor Qu EpMu JDnky, kSr XuEPqWXQa?
a ue UBpyIYe opY QOdzUCjY.

jZKlDtiul,
tFJLfI wSMDlTD

------------F0C3F295E295E05
Content-Type: application/zip; name="Domain_Abuse_SBL141309_0920.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Domain_Abuse_SBL141309_0920.zip"



Let's examine these items, one at a time, and see what they reveal about this message. You can apply the same techniques should you be a domain owner and receive a similar email scam.
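The checks walked through here can be automated. The following Python script is an added example, not code from this blog or from MailWasher Pro. It parses a constructed replica of the message above: the headers and body text are the ones shown, while the MIME-Version header, the boundary line, the Message-ID and the base64 payload are placeholders I supplied so the parser sees one complete message. The `my_domain` argument and the `attachment_findings` and `looks_like_gibberish` helpers are my own names and heuristics. It flags the three tells seen here and in the ACH and FDIC posts on this page: mail addressed from and to your own domain that did not pass through your own server, an attachment that is an archive, carries a double extension such as .pdf.zip, or has no extension at all, and a body made of random mixed-case filler.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed replica of the message described in the post. MIME-Version, the
# boundary line, the Message-ID and the base64 payload are placeholders, not
# captured data.
RAW_MESSAGE = b"""Received: from home-d805cd5a06 by smtp.wanadoo.fr; Thu, 22 Sep 2011 08:52:00 +0200
Date: Thu, 22 Sep 2011 08:52:00 +0200
Message-ID: <placeholder-id@wizcrafts.net>
Subject: Fw: IMPORTANT: wizcrafts.net has been suspended
From: REMOVED@wizcrafts.net
Reply-To: REMOVED@wizcrafts.net
To: REMOVED@wizcrafts.net
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------F0C3F295E295E05"

------------F0C3F295E295E05
Content-Type: text/plain; charset=iso-8859-2

aEBb,
lGBf WLHZmMor Qu EpMu JDnky, kSr XuEPqWXQa?
a ue UBpyIYe opY QOdzUCjY.

jZKlDtiul,
tFJLfI wSMDlTD

------------F0C3F295E295E05
Content-Type: application/zip; name="Domain_Abuse_SBL141309_0920.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Domain_Abuse_SBL141309_0920.zip"

cGxhY2Vob2xkZXI=

------------F0C3F295E295E05--
"""

RISKY_EXTENSIONS = {"zip", "rar", "exe", "scr", "pif", "com"}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "xls", "txt", "jpg"}


def domain_of(header_value) -> str:
    """Lower-cased domain of the first address in a From/To/Reply-To header."""
    _, address = parseaddr(str(header_value or ""))
    return address.rpartition("@")[2].lower()


def attachment_findings(name: str) -> list:
    """Reasons an attachment name matches the patterns seen in these scams:
    an archive/executable, a double extension such as .pdf.zip, or no extension
    at all (the "FDIC information" attachment mentioned on this page)."""
    lower = name.lower()
    reasons = []
    if "." not in lower:
        reasons.append("no extension")
    parts = lower.rsplit(".", 2)
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in RISKY_EXTENSIONS:
        reasons.append(f"risky extension .{ext}")
    if len(parts) == 3 and parts[1] in DOCUMENT_EXTENSIONS:
        reasons.append(f"double extension .{parts[1]}.{ext}")
    return reasons


def looks_like_gibberish(text: str, threshold: float = 0.5) -> bool:
    """My own heuristic: random filler like 'WLHZmMor' mixes upper-case letters
    into the middle of words; flag bodies where most words do that."""
    words = re.findall(r"[A-Za-z]{2,}", text)
    if not words:
        return False
    mixed = sum(1 for w in words
                if any(c.isupper() for c in w[1:]) and any(c.islower() for c in w))
    return mixed / len(words) >= threshold


def analyze(raw: bytes, my_domain: str) -> list:
    """Return a list of findings for one raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    # The bottom-most Received header is the earliest hop; genuine internal
    # mail would name our own server there.
    received = msg.get_all("Received") or []
    earliest = str(received[-1]).lower() if received else ""
    if (domain_of(msg["From"]) == my_domain and domain_of(msg["To"]) == my_domain
            and my_domain not in earliest):
        findings.append(f"addressed from {my_domain} to {my_domain} but originated outside it")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        for reason in attachment_findings(name):
            findings.append(f"attachment {name!r}: {reason}")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and looks_like_gibberish(body.get_content()):
        findings.append("body text is random filler")
    return findings


if __name__ == "__main__":
    for finding in analyze(RAW_MESSAGE, "wizcrafts.net"):
        print(finding)
```

The gibberish test is deliberately crude; a body full of acronyms or camel-case product names can trip it, so treat it as one signal to combine with the origin and attachment checks rather than a verdict on its own.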


New twist in malware threats in email attachments - Sept 22, 2011

While checking incoming email today, I received some new variations of recent malware threats, in email attachments. Upon examining the source code I found that some are variations of the previous FDIC (Federal Deposit Insurance Corporation) warnings, directly related to the previous few weeks of scams for ACH (Automated Clearing House) canceled transactions notices.

The new scams have the Subject: FDIC message center

There is a new twist to the FDIC scams, which I saw for the first time, today, September 22, 2011. Instead of actual text, they are now using an embedded image to convey a message meant to scare recipients into opening the attached file. This image looks like it might be sent from the FDIC, complete with official logos. Rest assured it is a Photoshopped image, containing words directing victims to open the hostile attachment.

The wording on the first captured FDIC scams of 9/22/11 read as follows:


Dear Customer,
Your account ACH and WIRE Transaction have been temporarily suspended for security reasons due to the expiration of your security version. To download and install the newest installations read the document(pdf) attached below.

As soon as it is setup you transaction abilities will be fully restored.

Best regards, Online Security department, Federal Deposit Insurance Corporation.


The reason that the message is conveyed by an image is to get these scams past email spam filters, which work by identifying spam words. Since there are no actual text words, many of these scams will be delivered.

Presently, the malware attachment is named "FDIC information" - without any extension. This is an error on the part of the people who composed this template. Rest assured, there is a malware payload inside the attached file, which weighs in at 28,822 bytes. I am certain that the next batch of these scams will contain an extension, such as .pdf, .zip, or .pdf.zip, like the scams of the previous few weeks.


September 18, 2011

Spam volumes remain high, but are declining

For the second week in a row, I have seen a decline in the overall volume and percentage of spam email. While the percentage is still high, at 36%, it is down 3% from last week. Most spam for counterfeit drugs, fake diplomas, Nigerian 419 scams and replica watches is profit driven by the suckers who respond to spammers' come-ons. But, a large amount is still coming in containing malware in attachments.

The weekend of September 12 through 18 saw a temporary decline of a prolonged spam run for fake ACH failure notices, all containing the Zeus/Zbot Trojan, but it picked back up mid week. Added to the mix of hostile attachments were emails claiming to be invoices and changelogs. They also contain the Zbot banking Trojan and botnet installers.

I obtain my spam statistics from the anti-spam program MailWasher Pro, which I use to filter out spam, malware attachments and dangerous links, before downloading any messages to Windows Live Mail, which is my desktop email client.

Spam Statistics for September 11 through 18, 2011

Total email received: 426
Amount classified as spam: 155
Percentage of spam: 36%
Number matched by my custom filters: 129
Number caught by my Blacklist: 21
Number identified by DNS Blacklists: 4
Reported to SpamCop: 19

Individual categories of spam follow...


September 15, 2011

Return of fake ACH & invoice emails with malware in attachments

Earlier this week I noted that the spate of fake ACH transaction canceled spam emails had subsided. Well, no time off for crime fighters. They returned today, along with some fake invoices and "changelogs" in spam messages, sent from infected computers in spam botnets.

My email spam-screening program is MailWasher Pro, which uses a combination of several tactics to determine if an incoming message is good or bad, friend or foe. The program allows users to compose their own spam detection filters, based upon various criteria found in email messages; some hidden, some visible. I write and publish filters for MailWasher Pro users and some of the most effective filters right now are the ones that detect ACH scams and emails with Zip file attachments.

All of the ACH fraud messages, along with the fake invoices and changelogs, contain malware downloaders inside the attached files. Anybody running a Windows computer who misguidedly opens the attached zip file and its enclosed .pdf.exe file, will have a botnet Trojan downloader installed within seconds. This downloader then goes to work, behind the scenes, to download and install other malware, including the infamous Zbot, aka Zeus bank credential stealing Trojan.

The subjects and come-ons used in this latest spam run are listed below, in my extended comments.


September 12, 2011

Spam down slightly, as ACH and Facebook scams play out

After peaking two weeks ago, the volume and percentage of spam in my Inbox has declined again by 2%, to 39%. While most email spam is for counterfeit pharmaceuticals and watches, much of the spam over the past few weeks has contained malicious attachments, or links to exploit attack websites.

The weekend of September 9 through 11 finally saw the (temporary) end of a prolonged spam run for fake ACH failure notices, all containing the Zeus/Zbot Trojan, as well as the almost month long campaign of fake Facebook Friend Requests (with Arabic names in the subject). Those emails were scams and had links to a website that contained both on-page and hidden codes leading to serious malware infections, including the Zbot.

The purpose of the malware attachments and hostile link spam blasts was to infect unsuspecting computer users with key loggers that steal their online banking credentials (and all their money), and to install botnet remote control backdoor software on them.

See my recent posts (listed in the right sidebar) during August and early September, 2011, about the ACH and Facebook scams leading to botnet infections. They, and other articles like them, are also found in my "Spam" category listings.

I use the anti-spam program MailWasher Pro to filter out spam, malware attachments and dangerous links, before downloading any messages to Windows Live Mail, which is my desktop email client.

Spam Statistics for September 5 through 11, 2011

Total email received: 440
Amount classified as spam: 172
Percentage of spam: 39%
Number matched by my custom filters: 155
Number caught by my Blacklist: 14
Number identified by DNS Blacklists: 3
Reported to SpamCop: 10

Individual categories of spam follow...


September 4, 2011

Spam % remains high, with malware attachments & hostile links

For the second week in a row, my volume and percentage of spam has passed 40%. This week I saw 41%, which is down just 2% from the week before. Notably, much of the spam either contained malware in attachments, or had links leading directly to malware exploits.

There were two specific classes of malware threats this week, carried forward from last week: 1) the ACH canceled payment-transaction under review scams, containing the Zbot/Zeus banking Trojan, or 2) fake Facebook Friend Requests, leading to the BlackHole Exploit Kit, plus the Zbot and botnet installers. The preceding links are to articles I have already written, explaining these threats and how you can identify them and deal with them.

While the ACH scams seem to have subsided, the Arabic name Facebook Friend Request threats are still persisting, as of the time I published this.

In a nutshell, from August 29, through September 4, I logged the following spam statistics, using MailWasher Pro, by Firetrust.

Total email received: 431
Amount classified as spam: 181
Percentage of spam: 41%
Number matched by my custom filters: 168
Number caught by my Blacklist: 13
Number identified by DNS Blacklists: 0
Reported to SpamCop: 17

Individual categories of spam follow...


September 2, 2011

ACH email scams with malware in attachments continues

Earlier this week there was a drop off of the previous spam run of fake ACH Payment Canceled emails, all loaded with malware inside their attached files. They were replaced by a blast for FDIC scams. Now, the ACH scams have returned, with a vengeance.


The new subject in today's spam blast is: ACH Transfer Review. The forged sender is an account name like this: ach [email protected]. The body text is as follows:

Dear Client,
ACH transfer (ID:) is going to be reviewed because of the incorrectly input data
when sending the payment.

Important:
Please, fill in the application form attached attentively and send it to us.
After that your transfer will be processed.

If you have any questions or comments, contact us at [email protected].
Thank you for using www.nacha.org

(NAME REMOVED)
NACHA Risk Management Services

The attached "form" is currently named: "form-62091.zip" and it contains a Trojan Horse (currently Zbot, a.k.a. Zeus) that will infect your computer with malware that intercepts keystrokes when you log into a bank, or other financial organization being targeted by the perpetrators. It then sends your login credentials to the criminals who are renting the botnet, whose member computers are sending these scams to you and everybody else. Some variants of the ACH scams actually install a botnet (currently "Bredolab") controller, which then downloads the other bad stuff to your PC, and possibly to your networked PCs.

The email claims to come from the headquarters of ACH, but the headers show something different. Look at these three Received lines, obtained from three different spam emails today:


Received: from [115.118.159.231] (helo=cgorq.com)
Received: from [178.123.157.77] (helo=sqibyat.com)
Received: from [187.117.248.91] (helo=hcyayyax.com)

The IP 115.118.159.231 belongs to TATA Communications, in India. The IP 178.123.157.77 is assigned to The Republic of Belarus. Last, 187.117.248.91 belongs to someone with a hacked computer in Brazil. The real ACH payment system is managed by Nacha.org, a US based company, whose servers are here, in the USA. NACHA stands for National Automated Clearing House Association.

The real NACHA does not send email alerts to individual bank customers. It only deals with the banks and credit unions themselves. Unless you work for a bank, or credit union, you should never ever receive any email from nacha.org (or nacha.us, .net, or .com).


August 30, 2011

ACH Email Fraud Morphs Into FDIC Notification Scam

It was only a couple of days ago (8/26/2011) that I published a blog article warning people about the threats contained in fraudulent emails claiming that an ACH transfer had been canceled and that the recipient needed to read the report in the attached file.

Beginning at 3 AM, EST, I received four consecutive email scams in 15 minutes, with the subject: "FDIC notification," with the forged sender (the actual "sender" is an infected PC in a spam botnet): "[email protected]," and the following body text:


Dear customer,
Your account ACH and WIRE transaction have been temporarily suspended for
security reasons due to the expiration of your security version. To download and install the newest installations read the document(pdf) attached below.
As soon as it is setup, you transaction abilities will be fully restored.

Best Regards, Online Security departament, Federal Deposit Insurance Corporation.


The attached file is currently named "FDIC_document.zip" - although the filename may change soon.

Like the UPS and ACH scams that preceded it, this scam contains a variant of the Zeus or Zbot Trojan Horse. Its purpose is to install hidden malware that watches for you to visit targeted financial institutions, or your website's control panel, or PayPal, etc. Once you do it intercepts your login credentials and forwards them to the criminals running these scams. Your bank accounts, PayPal accounts and God knows what else may be emptied before you know what hit you!

If you use MailWasher Pro to screen your incoming email for spam and threats in attachments, my custom ZIP Attachment filter will alert you to these and similar threats. Never open the attachments in these scams! Delete the email on sight! Opening these messages will launch the installer for the Zbot. Your PC will not only have the Zeus keylogger installed, but will be made a part of the Botnet from which you received your recruitment message.


August 28, 2011

Spam increases 11% over previous week: Aug 22-28, 2011

After a month of lower email spam volumes, this past week I saw an 11% increase over the previous week, which itself had a 7% increase from the week before. That makes about 18% more spam than two full weeks ago. Most troubling was the fact that a lot of this unwanted email contained malware infected attachments.

The last spam run containing infected attachments was a fake ACH Payment Canceled campaign. It started immediately after a run of fake Uniform Ticket email scams, and both contained the Zeus, a.k.a. Zbot Trojan. This is a hidden keylogger that watches for victims to login to particular banks, Trust companies, PayPal, website control panels, or trading companies. It collects the login credentials and sends them in a data stream to the criminals renting the use of the botnet responsible for sending the spam run. They then steal your money, or hack your websites.

There was also a continuation of the previous week's fake Facebook Friend Requests, containing links leading to direct downloads of Trojans. I wrote about this scam earlier this week, in this article: Beware Fake Facebook Friend Requests, Leading to Malware. To date, all of the requests I have received have contained Arabic names in the subject, but, that may change next time the miscreants behind this scam send another spam blast.

Since I noticed last Sunday that the volume of spam was staying high, I returned to using MailWasher Pro 6.4 to block spam and collect statistics that are easy to view and use in my reports. The current new version, 2011, is fully capable of blocking as much of the spam as the older version, but lacks a statistics page as of this writing.

In case you were wondering, you can still purchase a licensed copy of MailWasher Pro 6.4, from the Firetrust website. Or, if you don't care about the Statistics readout, but want faster processing, try the new version (same link).

Here are the basic stats for the last week's spam:

Total email received: 501
Amount classified as spam: 219
Percentage of spam: 43%
Number matched by my custom filters: 208
Number caught by my Blacklist: 5
Number identified by DNS Blacklists: 4
Reported to SpamCop: 29

Individual categories of spam follow...


August 26, 2011

Return of ACH Payment Canceled - Email Malware Scams

For the last 2 days I have seen a slowly building spam campaign featuring a previously used trick Subject: "ACH Payment (7 numbers) Canceled." The message body is short and sweet, along the line of the following:


The ACH transaction,
recently initiated from your checking account (by you or any other person),
was canceled by the other financial institution.

Rejected transaction

Reason for rejection: See details in the attachment


The "report" is in a double extension file, with a name like: "report_082011-65.pdf.ZIP (ZIP archive, Adobe PDF)" - although future variants may arrive with just a .zip or just a .pdf extension.

The From line is usually: "account manager" ([email protected], or [email protected]). You will be getting these sent to every one of your email accounts, should you have multiple accounts, like I do. Domains with email are especially hard hit in today's spam campaigns.

The actual "sender" is a PC in a spam botnet, operating under commands from the Bot Master running this show. All reply-to and From information is forged.

The payload in the current crop of malware in attachments is the "Zeus" aka: "ZBot" keylogger Trojan. The installer may also make the victim's computer a member of the same botnet from which their scam message was sent. This perpetuates and increases the size of the botnet and steals money from victims as they log into banks and payment portals targeted by this Zeus variant.

My advice to recipients of one of these, or future variations of these scams, is to phone your bank, or financial institution, and ask them to check your account for problem transactions. Note, there have been some spam campaigns that include a fake contact phone number that actually leads to people hired by the criminals running particular campaigns. So, your safest bet is to look up the number for your bank, or flip over your debit or credit card and call the number listed on it.

Interestingly, these malware in attachments scams began on August 25, just after the previous run of UPS malware scams ended. No doubt, the same botnet is sending both, rotating subjects and body text and attachment names, via templates downloaded to the zombie computers in the botnet.

I delete all such malware laden spam messages, which are automatically flagged by one or more custom spam filters I write, by my email screening program: MailWasher Pro - (learn about MailWasher Pro here). My advice to you is to delete them on sight, without opening them. Phone your bank if you are worried.

If your bank sends you email messages and alerts about problems, the message will include your proper name. None of these scams include any personal names as salutations. That is red flag number one in all such malware and phishing scams.

Stay alert to scams in spams. Do not open any email attachments out of curiosity. Only open attachments you are expecting, from senders you are expecting them from, and then, only if you have modern, fully updated anti-virus/anti-malware protection running on your computers.


August 22, 2011

Beware Fake Facebook Friend Requests, Leading to Malware

Tonight I received what appeared to be a Facebook Friend Request, but it was addressed to an account not associated with Facebook. It was also suspiciously marked with gray icons in MailWasher Pro. This indicates that the anti-spam program wasn't sure if it was good or bad. That set off my alarm bells, because I have a custom filter that identifies all legitimate messages from Facebook as Good.

Luckily for me, I am a spam fighter and suspicion is my modus operandi. Had I been a casual computer user I may have curiously clicked on the link in this email and had my computer infected with a fake Flash Player update, plus an exploit attack kit, within seconds! Then I would have been Phished with a fake Facebook login page! Here is what I saw and what the source code revealed about the email message.

First, the headers:

Delivery-date: Sun, 21 Aug 2011 21:36:18 -0600
Received: from [123.236.135.113] (helo=ZDIHFSM)

my own server details removed

Received: from mta900.em.linkedin.com (mta900.em.linkedin.com [63.211.90.176])
by mail.rctengineering.com (8.13.8/8.13.8) with ESMTP id 2714Y3V654427
for ; Mon, 22 Aug 2011 09:05:39 +0530
Date: Mon, 22 Aug 2011 09:05:39 +0530

Subject: Zaahid Ababneh wants to be friends on Facebook.
From: Facebook <notification+gugsche@facebookmail.com>

Look at the two key lines in the headers above. The first is the Delivery-date: the date when this email was delivered to me, by my email server, which is in Utah:
Sun, 21 Aug 2011 21:36:18 -0600

Directly underneath the arrival date is the last Received From line, indicating that the email was delivered to me from the IP address 123.236.135.113. If this email really came from Facebook, the IP address would resolve to one with facebook.com in a "Whois" look-up, and in a reverse IP look-up. However, running a Whois check on this IP address revealed that rather than belong to Facebook, it is registered to Reliance Communications, in Mumbai, India!

Moving down to the next Received line, it says that the email was relayed through LinkedIn. Now, why would Facebook need to use LinkedIn servers? They absolutely would NOT. Also, note that the email was handed to the LinkedIn mail server by the rctengineering.com domain, not Facebook. That domain belongs to a Bell South customer!

Now, look at the date when the email was relayed through the alleged LinkedIn server: Mon, 22 Aug 2011 09:05:39 +0530. That date is almost 12 hours in the future from when my email server in the USA received the message. I ran a look-up of timezones and found that +5:30 belongs to India. That coincides with the IP address of the Received From line at the beginning (which is the final email hand-off). That proves that the message did indeed come from India and was not associated with any Facebook email servers in the USA, or anywhere else.
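The header reading done above, and on the three ACH Received lines in the September 2 post, can be scripted. This Python script is an added example, not code from this blog or from MailWasher Pro. It takes a constructed copy of the Facebook headers shown above (my own server's lines and the recipient in the "for" clause are left out, as the post removed them, and the long Received line is folded as it would be on the wire), splits each Received line into the handing-off host, its IP literal and its timestamp, and reports three things: whether the hop recorded by our own server, the only one the sender cannot forge, belongs to the domain the From line claims (`claimed_domain` is passed in by the caller); the UTC offset each hop was stamped with, which is what pins the +0530 hop to India; and how far each stamp sits from the Delivery-date once both are normalized to UTC, so wall-clock differences between zones are not mistaken for forged times (here the two stamps are 39 seconds apart after normalization). The `unfold`, `parse_hops` and `analyze_chain` names are mine.

```python
import re
from email.utils import parsedate_to_datetime

# Constructed header excerpt modelled on the fake Friend Request above. The
# author's own server lines and the "for <recipient>" clause are omitted.
FACEBOOK_HEADERS = """\
Delivery-date: Sun, 21 Aug 2011 21:36:18 -0600
Received: from [123.236.135.113] (helo=ZDIHFSM)
Received: from mta900.em.linkedin.com (mta900.em.linkedin.com [63.211.90.176])
    by mail.rctengineering.com (8.13.8/8.13.8) with ESMTP id 2714Y3V654427;
    Mon, 22 Aug 2011 09:05:39 +0530
Date: Mon, 22 Aug 2011 09:05:39 +0530
Subject: Zaahid Ababneh wants to be friends on Facebook.
From: Facebook <notification+gugsche@facebookmail.com>
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HELO_RE = re.compile(r"helo=([^)\s]+)", re.IGNORECASE)
FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)


def unfold(raw: str) -> list:
    """Join folded continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def header_value(lines: list, name: str):
    prefix = name.lower() + ":"
    for line in lines:
        if line.lower().startswith(prefix):
            return line.split(":", 1)[1].strip()
    return None


def parse_hops(lines: list) -> list:
    """Received hops in transit order: the lowest header line is the earliest hop."""
    hops = []
    for line in lines:
        if not line.lower().startswith("received:"):
            continue
        value = line.split(":", 1)[1].strip()
        helo = HELO_RE.search(value) or FROM_RE.search(value)
        ip = IP_RE.search(value)
        stamp = None
        if ";" in value:  # the timestamp follows the last semicolon
            try:
                stamp = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
            except (TypeError, ValueError):
                stamp = None
        hops.append({"helo": helo.group(1) if helo else None,
                     "ip": ip.group(1) if ip else None,
                     "time": stamp})
    hops.reverse()
    return hops


def utc_offset_label(dt) -> str:
    """Render a datetime's zone as UTC+HH:MM / UTC-HH:MM."""
    minutes = int(dt.utcoffset().total_seconds()) // 60
    sign = "+" if minutes >= 0 else "-"
    minutes = abs(minutes)
    return f"UTC{sign}{minutes // 60:02d}:{minutes % 60:02d}"


def analyze_chain(raw: str, claimed_domain: str, tolerance_s: int = 300) -> dict:
    lines = unfold(raw)
    hops = parse_hops(lines)
    result = {"handoff": None, "spoofed": False, "stamps": [], "forged_stamps": []}
    if not hops:
        return result
    # Only the topmost Received line was written by our own server; every line
    # below it arrived with the message and may be invented by the sender.
    handoff = hops[-1]
    result["handoff"] = handoff
    helo = (handoff["helo"] or "").lower()
    result["spoofed"] = not (helo == claimed_domain or helo.endswith("." + claimed_domain))
    delivered = header_value(lines, "Delivery-date")
    delivery_time = parsedate_to_datetime(delivered) if delivered else None
    for hop in hops:
        if hop["time"] is None:
            continue
        behind = None
        if delivery_time is not None:
            # Aware datetimes subtract in UTC, so zone offsets cancel out.
            behind = int((delivery_time - hop["time"]).total_seconds())
            if behind < -tolerance_s:  # stamped after it was delivered: forged
                result["forged_stamps"].append(hop["helo"])
        result["stamps"].append((hop["helo"], utc_offset_label(hop["time"]), behind))
    return result


if __name__ == "__main__":
    print(analyze_chain(FACEBOOK_HEADERS, "facebookmail.com"))
    print(analyze_chain("Received: from [115.118.159.231] (helo=cgorq.com)", "nacha.org"))
```

If your server does not add a Delivery-date header, the stamp comparison is skipped (the third tuple element stays None) and the origin check still runs. The HELO name is whatever the connecting host announced, so a match on it is necessary but not sufficient; the IP literal next to it is the value to look up.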


August 21, 2011

My Spam analysis & filter updates for the week of Aug 15 - 21, 2011

This week I am changing the nature of my spam report. In all previous articles, I used the "Statistics" from MailWasher Pro, version 6.x. However, this past week I switched to the latest version of MailWasher Pro: 2011. At this time it lacks a "Statistics" readout, so I have compiled my own stats. They reveal some interesting facts about this week's email spam.

The first thing I learned when going over the spam categories, in the MailWasher Pro Recycle Bin, was that the overall volume of spam is way up from last week. For the week ending on August 14, 2011, the total amount of spam received was 128. This week, ending August 21, the total was 175, as of the time I wrote this. Without an exact stat report, I am guesstimating that this represents about 33% of my total email this past week. That would make it about 5% more than last week.

Of these 175 spam emails, 169 were identified by my custom spam filters. Six more were classified as spam manually and entered into the learning filter, for future detections. The majority of spam was 44 messages touting fake Cialis. This was followed by 24 for counterfeit watches. Next in line was 15 emails promoting male enhancement herbs, then 13 each for weight loss drugs (illegal to import, or use without a face to face prescription; HCG drops) and finally, malware infected botnet Trojans inside zipfiles claiming to be invoices, delivery notices, etc.

Other lesser categories of spam included: Fake Diplomas, Lotteries, African senders, 419 scams, foreign language spam, miscellaneous pharmaceuticals, pirated software, Viagra, known spam domains and subjects, ISO encoded subjects, and my blocked countries filters.

The last major category, the infected zipfiles, are part of a huge attack that has been ongoing for three weeks in a row. Bot Herders, having lost control of millions of zombies, when Microsoft, FireEye, the DOJ and other security research companies decapitated the Bredolab (in October 2010), Coreflood, Rustock, Waledac and other spam-spewing botnets this year, are hard at work rebuilding their armies of robotic malware slaves. Their most successful weapon seems to continue to be exploiting the weakest link in the chain of infection: Human Curiosity. Send out a gazillion spam messages about a pending or failed delivery, an alleged speeding ticket, or a failure to process an IRS refund or tax form, and thousands of curious, gullible people will open the attached zipfiles to see what the fuss is all about. Poof: they are botted!


August 14, 2011

My Spam analysis & filter updates for the week of Aug 7 - 14, 2011

This week I saw an increase in the amount of spam hitting my inbox. The percentage of spam was up 7% from the previous week. Actually, the greatest volume of spam occurred from Thursday through today. It was on August 11 that a giant spam run began with malware infected attachments, in scam emails claiming to be from the IRS and UPS.

Due to the huge influx of malware laden attachments in fake IRS ("could not process your return/refund") and UPS ("your package delivered ... print out invoice") messages, the top category last week was Zip file attachments, which led by more than double the amount of the runner up: male enhancement. While the enhancement and enlargement spam is a nuisance, the ones pretending to come from the IRS and UPS were downright dangerous. They contain botnet and key logging Trojans in zip files.

This past 7 days, spam for various types of unsolicited commercial email (UCE) amounted to 28% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from Aug 7 - 14, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 28%; +7% from last week
Number of messages classified as spam: 128
Number classified by my custom spam filters: 122
Number and percentage of spam according to my custom blacklist: 3
Number classified as spam by the Bayesian Learning filter: 0
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 1
Number of spam messages seen, reported to SpamCop & manually deleted: 52

The actual percentages of spam by category follow below.


August 7, 2011

My Spam analysis & filter updates for the week of Aug 1 - 7, 2011

This week finally gave me some measurable decline in the amount of spam hitting my inbox. The percentage of spam is down 6% from the previous week and the actual volume is down by even more. This is a reflection of the decline in revenues from spamvertised products and in the recent closure of several spam affiliate payment processors.

As for the top categories of spam, Male Enhancement took first place, followed by counterfeit watches, then fake Viagra, Cialis, weight loss drops, and other scams. There are still a considerable number of bogus diploma spams coming in, so some people must be stupid enough to purchase these worthless documents.

I see a repetitive pattern in certain types of spam, mostly for fake diplomas. The subjects are "RE: Hello" - "RE:Re:Hello" - "RE: RE:News" and similar. My Diploma and other existing filters pick them off based on the body text, with zero mistakes.

This past 7 days, spam for various types of unsolicited commercial email (UCE) amounted to 21% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from Aug 1 - 7, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 21%; -6% from last week
Number of messages classified as spam: 85
Number classified by my custom spam filters: 75
Number and percentage of spam according to my custom blacklist: 3
Number classified as spam by the Bayesian Learning filter: 0
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 1
Number of spam messages seen, reported to SpamCop & manually deleted: 13

The actual percentages of spam by category follow below.


August 3, 2011

New pump and dump stock spam comes from Romania

Since June 22, 2011, I have written 6 articles highlighting Romania as a source of spam attacks and hosting of spamvertised domains. This is my 7th article in 6 weeks, exposing badness coming from Romania, targeting North Americans.

Tonight, while minding my own business, I received an email from an outfit called OTC Pundit (dot com). The subject was: "Food is the New Oil" and the body had little text, but did have a link to an image file. The link was instantly suspicious to me, because it was a numeric link, rather than a named domain. Knowing that this was spam, I exposed the source code in MailWasher Pro. The HTML content revealed that this spam was supposed to look like a newsletter of sorts.

The Received From line showed that the email came from the IP address: 89.238.231.135. It contained a link to a file and that link also contained the same IP address. I traced the link with my diagnostic tools and it turns out that 89.238.231.135 belongs to a Romanian web host: EUROWEB Romania, whose entire CIDR is 89.238.192.0/18. That CIDR is already on my Russian Blocklist. I then went back to the source code of the spam message and copied the link, which was to a .jpg image file. I looked over the source code of that link, using WannaBrowser and found that no exploits were attached to it. So, I dropped the URL into my Firefox browser, using the NoScript Add-on for safety.

The image turned out to be a whole page ad for an upcoming pump and dump stock scam. It uses the words Food Is The Next Oil and speaks about food shortages and how investors can profit from other people's misfortune and famines. This is truly a slimeball spam campaign!

The IP address I listed is the IP of a website registered in Romania: otcpundit dot com. It uses rohost.com name servers, as well as those of a marketing company that is on the same Romanian server. The domain was registered on Feb 2, 2011.

I have taken the following steps to protect my friends from falling for any scams coming from that company: The domain OTC Pundit has been added to the Known Spam Domains filters for MailWasher Pro and the CIDR 89.238.192.0/18 can be added to your email server firewall, if you have root access to administer Linux firewall rules. If you are on shared web hosting you can see if you are able to create a rule to re-route email containing "otcpundit.com" in the entire header, to NULL. If you are not receiving email via your own domain, but through a third party email system, via your browser, you are at their mercy to filter email for you. If you get your email via a POP3 desktop program, like Windows Live Mail, you can use MailWasher Pro, with my custom filters, to filter out spam before it gets downloaded to your email client.

Bottom line: Delete all email messages coming from any variation of OTC Pundit or Emp-Marketing, or anything with words similar to Food is the Next Oil in the subject or body text. These are pump and dump penny stock scams in the making. Also, 99.99999999% of email that contains a link to a numeric IP address, rather than to a domain name and extension, leads to fraud or malware. An example of such a URL is: http://123.456.789.0/otherwords-or-characters. Delete all numeric IP link emails on sight. I have a filter for MailWasher Pro that detects numeric IPs in links.

In this case of image spam, the link ended with .jpg, an image type. However, one cannot assume that the server at the other end will actually deliver an image. It could have been configured to serve an executable exploit instead of an image. Learn how to walk safely through mine fields before you play in them. Browse using Firefox, with the NoScript Add-on enabled. Use WannaBrowser or another text-only browser to look at the source code of web pages before attempting to load those pages or image files. WannaBrowser will reveal the IP address of any website it can display in the Source field. You can copy that IP address and paste it into the IP Whois field in Domain Tools, or one of my favorites, CQCounter, or any other Whois look-up site. This reveals where it is hosted, when it was registered, and who is the official domain Registrar.
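The numeric-IP link check described above, written here as an added Python example (it is not the author's MailWasher filter, whose syntax differs): any URL whose host is a dotted quad rather than a domain name is flagged, including the "real-domain@numeric-host" disguise and malformed quads like the article's 123.456.789.0. The sample message body is constructed.

```python
import ipaddress
import re

# Constructed sample body (not a real spam message): one link to the IP the
# article traced, one to the article's illustrative "123.456.789.0", one hiding
# a numeric host behind a fake "domain@" prefix, and one ordinary domain link.
SAMPLE_BODY = """Food Is The Next Oil - see the chart:
http://89.238.231.135/chart.jpg
Alternate copy: http://123.456.789.0/otherwords-or-characters
Login here: http://login.example.net@10.0.0.5/secure
Unsubscribe: http://example.com/unsubscribe
"""

# A URL whose "host" is four dotted numbers instead of a domain name.
# The optional userinfo part catches the trick of putting a real-looking
# domain before an @ so the eye stops reading before the numeric host.
NUMERIC_HOST_URL = re.compile(
    r"""
    \bhttps?://                          # scheme
    (?:[^\s/@]+@)?                       # optional userinfo disguise
    (?P<host>\d{1,3}(?:\.\d{1,3}){3})    # dotted quad instead of a domain
    (?::\d{1,5})?                        # optional port
    (?:/[^\s"'<>]*)?                     # optional path
    """,
    re.IGNORECASE | re.VERBOSE,
)


def classify_host(host):
    """Label a dotted quad as public, non-routable (private/loopback) or malformed."""
    try:
        addr = ipaddress.IPv4Address(host)
    except ipaddress.AddressValueError:
        # Octets above 255, as in 123.456.789.0, still look like an IP to a
        # reader, so the link is flagged rather than silently ignored.
        return "malformed"
    return "non-routable" if addr.is_private or addr.is_loopback else "public"


def find_numeric_ip_links(text):
    """Return (url, host, label) for every URL in text whose host is numeric."""
    return [
        (m.group(0), m.group("host"), classify_host(m.group("host")))
        for m in NUMERIC_HOST_URL.finditer(text)
    ]


def filter_verdict(text):
    """Apply the article's rule: any numeric-IP link at all means delete."""
    hits = find_numeric_ip_links(text)
    return ("delete" if hits else "pass"), hits


if __name__ == "__main__":
    verdict, hits = filter_verdict(SAMPLE_BODY)
    print(verdict)
    for url, host, label in hits:
        print(f"  {label:13} {host:16} {url}")
```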

In the 15th Century, the Romanians gave us the legend of Count Dracula, a.k.a: Vlad Dracula. He sucked the life blood out of his unfortunate victims. Modern day Draculas suck the life savings out of their online victims, by means of spam and scams for useless products and offerings, scripted browser exploits and money laundering schemes.

Stay thirsty my friend! But, avoid the modern day Count Draculas; the money sucking vampires.

Facebook Twitter LinkedIn Pinterest Instapaper Google+ Addthis

back to top ^

August 1, 2011

Evidence linking Romanian spammers to Ubiquity Servers

On July 27, 2011, I published a blog article about blog spam scripts running on Ubiquity Servers. For several days those POST attempts from Ubiquity IP space disappeared. They returned today, leading me to a most interesting discovery about the source.

Let me show you how I find information about access log spam attempts and deal with them.

In today's first blog spam attempt, an unknown visitor, with the IP address 108.62.150.52, attempted to POST a trackback comment to my Movable Type blog. If the POST was made by a real person, and if that person understood and read the English language, he or she would have read the bold notice that my blog does not accept either comments or trackbacks.

Of course, if the POST was made by a script, it would neither see that notice, nor care about it. Similarly, if the POST was being attempted by somebody in a very foreign country, in say Romania, they would not understand the text in notices I post on every page, regarding no trackbacks allowed. And from where did this POST originate? Romania!

Here then, without any ado, is the chain of evidence linking a blog spam attempt to Romania, from whence a huge amount of spam and online exploits have been traced.

Continue reading "Evidence linking Romanian spammers to Ubiquity Servers" »


July 31, 2011

My Spam analysis & filter updates for the week of July 24-31, 2011

This week, my incoming spam level dropped 1% from last week. Viagra and Cialis spam regained the top position, with Male Enhancement and various Pharmaceuticals filling positions 2 and 3. Diploma spam has almost doubled since last week and many spam templates are using URL shorteners to hide the destination.

For the last two weeks, spammers have been using a new template that adds huge amounts of space-bar spaces between the spam words in the plain text source code. This is done to evade spam filters. This is followed by HTML content that is identical. However, when the HTML is rendered, only one space is shown between words, making the actual spam message readable by humans. I have created and published new custom filters for MailWasher Pro users, which easily detect and block this type of spam, whether for diplomas or drugstores.

This past 7 days, spam for various types of unsolicited commercial email (UCE) amounted to 27% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from July 24-31, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 27%; -1% from last week
Number of messages classified as spam: 122
Number classified by my custom spam filters: 112
Number and percentage of spam according to my custom blacklist: 9
Number classified as spam by the Bayesian Learning filter: 0
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 0
Number of spam messages seen, reported to SpamCop & manually deleted: 21

The actual percentages of spam by category follow below.

Continue reading "My Spam analysis & filter updates for the week of July 24-31, 2011" »


July 30, 2011

Reported Romanian spam domain quickly taken offline by web host

On July 30, 2011, at 13:29 EST, I reported a spam email for illicit pharmaceuticals, via SpamCop. Just over one hour later, at 14:36, I received notice from the web host responsible for the spamvertised domain, that they had suspended that account. Their notice included my SpamCop report, in its entirety. The domain had a .RO extension, signifying Romanian.

The reason I got such a fast and pleasant result was because the hosting company for that .RO domain is not actually located in Romania, where the SpamCop complaint would have fallen on deaf ears, but in Great Britain. My sincere thanks and shout out goes to the admins at UK2.NET, for quickly terminating the spam domain: oil-shop.ro.

To be certain, I ran the spam domain name through WannaBrowser and sure enough, it delivered a 302 redirect to the web host's home page. The spamvertised website was indeed removed!

This is at least the 6th spam domain I have helped get terminated, in the past month or so. It does pay to report bad actors and spammers. There are hosts and registrars out there who don't turn a blind eye to abuse reports. I am finding more every time I file abuse reports.

Every spam or website abuse report counts. ISPs, hosts and registrars are listening, in growing numbers. Let your complaints be heard. Join SpamCop and submit spam emails as soon as you see them. The faster spam is reported, the sooner action like this can be taken by those who hold the ends of the plugs in their hands. It's up to us little guys, the targets of spam and scams, to report this abuse to those responsible, so that they can pull the plugs on the domains and spamming customers under their control.

FYI: I use MailWasher Pro to intercept, identify, report and delete spam email, before it can be downloaded to my desktop email client: Windows Live Mail 2011. I have an entire page describing MailWasher Pro. I even write and share my own spam filters, which are used by MailWasher.


July 27, 2011

Blog spam scripts still running on Ubiquity Servers

Back in 2009 I wrote about trackback spammers using scripts they had installed on servers owned by Ubiquity Server Solutions and Nobis Technology Group. After 1.5 years they still haven't cleaned up this abuse. It seems that every day or two I see numerous POST attempts to my blog, which are either comment or trackback spam.

I'd like to let the people installing these scripts targeting my blog know that, in my case, their efforts are futile. That is because I run a Perl based Movable Type blog and these spam scripts assume that the target is running on a more common, but less secure, PHP driven blog, usually WordPress.

It appears that if one uses WordPress as their blog software, a simple POST command is sufficient to post comments or trackbacks to that blog page. Not so with Movable Type! With MT, one must visit a particular scripted page to submit a comment or a trackback. Not only must they have valid credentials to submit, but anything submitted is held until the owner of the blog approves that submission. It goes without saying that nobody in his or her right mind is going to approve spam comments or trackbacks!

I take matters one step farther: I do not accept either comments or trackbacks on any of my blog articles. It says so right at the top of every page on this blog. Yes, I have the scripts installed to do comments and trackbacks, but they are disabled in the Dashboard. I can't even comment on my own posts. If the time ever comes where I feel like allowing public comments, it will only be from people holding approved credentials and then, all comments would be held for moderation. Nothing would ever get posted that was in any way spammy!

This brings me back to the title of this article. A majority of the failed attempted spam comments and trackbacks are emanating from IP space under the control of Ubiquity Server Solutions. In the last few days I have logged several attempts coming from various IP addresses covered by the following CIDR ranges: 173.234.124.0/22, 173.234.172.0/22 and 173.234.184.0/22. All of these CIDRs are part of the entire 173.234.0.0/16 network assigned to Ubiquity and Nobis.

Note: This CIDR is not the only one assigned to Ubiquity Servers. They hold several other ranges.

So, they're spamming your blogs ... Let's block them from your Apache hosted websites...

Continue reading "Blog spam scripts still running on Ubiquity Servers" »


July 24, 2011

My Spam analysis & filter updates for the week of July 17-24, 2011

This week, my incoming spam level was just 1% lower than last week. However, the types of spam have begun to change in order of percentages by category. Some previously strong categories have dropped way down as spammers find them unprofitable.

Spammers are using a new template that adds huge amounts of spacebar spaces between the spam words in the plain text source code. This is followed by HTML content that is identical. However, when the HTML is rendered, only one space is shown between words, making the actual spam message readable by a member of the Human Race. Writing a filter for this trick is trivial. I already have one for Diploma Spam using the multiple spaces and am in the process of creating another for pharmacy spam.
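The space-padding trick described here and in the July 31 entry, and a filter for it, as an added Python example (not the author's MailWasher filter): the raw plain-text part defeats a multi-word phrase match, but collapsing whitespace the way an HTML renderer does restores the phrase, and the proportion of padded word gaps is itself a strong signal. Both sample texts are constructed.

```python
import re

# Constructed samples (not real spam). The padded one reproduces the template
# described above: every gap between words is a long run of spaces, so the
# plain-text part matches no phrase filter while the HTML part renders normally.
PADDED_TEXT = (" " * 11).join(
    "Earn a diploma from a prestigious university in two weeks".split()
)
NORMAL_TEXT = "Please find the diploma ceremony schedule attached."

# Multi-word phrases of the kind the article's diploma and pharmacy filters
# target. A phrase needs exactly one space between its words, which is why
# the padding defeats it until the text is normalised.
SPAM_PHRASE = re.compile(
    r"\b(?:earn a diploma|online pharmacy|buy viagra)\b", re.IGNORECASE
)

# Three or more consecutive spaces sitting between two non-space characters.
WIDE_GAP = re.compile(r"(?<=\S) {3,}(?=\S)")


def normalize_whitespace(text):
    """Collapse every whitespace run to a single space, as a browser would."""
    return " ".join(text.split())


def padding_ratio(text):
    """Fraction of the gaps between words that are padded with 3+ spaces."""
    words = text.split()
    if len(words) < 2:
        return 0.0
    return len(WIDE_GAP.findall(text)) / (len(words) - 1)


def is_padded_spam(text, min_ratio=0.5):
    """True when the text is heavily padded AND contains a target phrase once collapsed.

    Requiring both conditions keeps ordinary text that merely mentions a
    keyword (NORMAL_TEXT) out of the auto-delete bucket.
    """
    if padding_ratio(text) < min_ratio:
        return False
    return SPAM_PHRASE.search(normalize_whitespace(text)) is not None


if __name__ == "__main__":
    for label, sample in (("padded", PADDED_TEXT), ("normal", NORMAL_TEXT)):
        print(f"{label}: ratio={padding_ratio(sample):.2f} "
              f"raw_match={SPAM_PHRASE.search(sample) is not None} "
              f"spam={is_padded_spam(sample)}")
```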

This past 7 days, spam for various types of garbage amounted to 28% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from July 17-24, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 28%; -1% from last week
Number of messages classified as spam: 124
Number classified by my custom spam filters: 115
Number and percentage of spam according to my custom blacklist: 5
Number classified as spam by the Bayesian Learning filter: 0
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 4
Number of spam messages seen, reported to SpamCop & manually deleted: 22

Continue reading "My Spam analysis & filter updates for the week of July 17-24, 2011" »


July 23, 2011

Spammers now using our harvested personal names

Lately I have been seeing spam that uses my first name or nickname in the subject and message body. The majority of these spam messages are for work at home scams. The last time this happened it came from a compromised Hotmail account belonging to a friend. The email came from that Hotmail account and was composed by spambots that had taken over the account after guessing or stealing the password.

The new spam that contains my first name or nickname is not coming from Hotmail, nor is it going to a Hotmail account. This behavior was predicted a month or two ago, after hackers broke into numerous email databases and stole usernames, real names and email accounts associated with them.

I am revealing this now to protect my readers from being tricked into clicking on links contained in emails that address them by their personal or nick names. It used to be that only trusted contacts had our actual names, but, that has changed this year. No email addressing you by name can be trusted 100% until you verify that it really came from the sender it claims to be from. Furthermore, some spam addressing us by our names doesn't pretend to come from known senders. It uses your name to get you to read the contents and click on the links without second thought, as though sent by some forgotten friend or contact.

If you receive an email message that refers to anything work related, but doesn't positively come from someone you would expect to send you such a message, it is possibly a scam. Watch for keywords related to working at home, making more money, or anything involving money or work.

With so many people out of work and looking for jobs online, work at home scams are rampant. Most I have examined have a link to a fake website that looks like a television station news site. They include seeming positive reviews from happy people who supposedly used their method. However, everything on those websites is bogus. They are created from templates distributed by criminal spammers, placed on botted PCs, or hosted by spam-friendly web hosts in places like China, Romania, Russia and Serbia. You are asked to pay for materials and leads that may never arrive.

Whether you receive anything in the mail or not, your personal legal name, address and credit/debit card information will go into a database maintained by criminals who are in the money laundering business. Later on you may be contacted by members of these cyber crime organizations and be solicited for a "Money Mule" position. Money Mules are typically people who are tricked thinking they are performing a paying work at home job for a legitimate company. Many are used as a one-time conduit to process stolen funds that are deposited into their bank accounts, after which they send them on to a foreign recipient, then await the promised commission - which often never arrives.

What the Mules don't (usually) know is that the money they are processing was stolen by a Zeus or SpyEye Trojan - that was planted on a computer that was used to conduct financial transactions by innocent employees of small, medium and large size companies. Once the theft is noticed and reported to authorities, the Police follow the money, directly to the Mule used to transfer it out of the Country. Then they come for YOU!

Money Laundering is a Federal crime in the US and Canada. Money Mules are usually caught and prosecuted, then fined and sometimes imprisoned, for participating in these scams, whether knowingly or unknowingly. Don't fall for Work At Home scams, or money transfer "jobs" offered by online companies, or unsolicited email.

A good email spam filter can identify work at home and money mule scams before you are tricked into opening the email in your desktop email client. I happen to write spam filters for one of the foremost desktop spam detection applications in the World: MailWasher Pro. My custom spam filters detect most work at home and money mule come-ons and flag or auto delete them.


July 17, 2011

My Spam analysis & filter updates for the week of July 10-17, 2011

This week my spam percentage has increased slightly, to 29%, up 2% from last week. The subjects are exactly the same as they have been for the last year. Spammers are still pushing bogus male enhancement herbals, like the MaxGentleman, Chinese replica watches, counterfeit Cialis and Viagra, various illicit prescription pharmaceuticals, HCG weight loss scams, lottery and work at home scams.

Pharmaceutical spammers are still hosting their websites in Romania and are still using mostly .RU domains (Russian). All are advertising that they sell prescription drugs without the required prescription. Some are still falsely claiming to be "non-USA licensed pharmacies" - of which there is no such thing. The drugs they sell are counterfeit and both dangerous and unlawful to import into the USA or Canada.

This past 7 days, spam for various types of garbage amounted to 29% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from July 10-17, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 29%; +2% from last week
Number of messages classified as spam: 117
Number classified by my custom spam filters: 104
Number and percentage of spam according to my custom blacklist: 6
Number classified as spam by the Bayesian Learning filter: 0
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 1
Number of spam messages seen, reported to SpamCop & manually deleted: 19

Continue reading "My Spam analysis & filter updates for the week of July 10-17, 2011" »


July 10, 2011

My Spam analysis & filter updates for the week of July 3-10, 2011

It appears that my spam percentage has stabilized at about 27%, plus or minus a few points. The subjects are exactly the same as they have been for the last year. Spammers are still wasting their money spamvertising counterfeit Cialis and Viagra and pushing bogus male enhancement herbals, like the MaxGentleman aka Dr. Maxman, and various illicit prescription pharmaceuticals sold without the required prescription. Knockoff Chinese watches, weight loss herbs, loan sharks, and Nigerian advance fee fraud round out the field.

The majority of this week's pharmaceutical spam was for various incarnations of the fake "My Canadian Pharmacy," et al. The domains are all owned by Russians, using cheap domain Registrars in Russia, Czechoslovakia, and other parts of the former USSR, as well as some from a dis-accredited Registrar in Australia. Almost all of the current fake pharmacy domains use either Russian or Chinese Name Servers. At least half of the links in the spam messages for these pharmacies are to .RU (Russian) domain websites, many of which are now hosted by spam friendly hosting companies in Romania.

This past 7 days, spam for various types of garbage amounted to 27% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from July 3 - 10, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 27%; +1% from last week
Number of messages classified as spam: 124
Number classified by my custom spam filters: 116
Number and percentage of spam according to my custom blacklist: 6
Number classified as spam by the Bayesian Learning filter: 0
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 1
Number of spam messages seen, reported to SpamCop & manually deleted: 7

Continue reading "My Spam analysis & filter updates for the week of July 3-10, 2011" »


July 6, 2011

Spammers are using ISO encoding, in Subject and From, to evade spam filters

Most people who see an obvious spam email message, based on the "Subject" or "From" fields, just delete it on sight. I often go one step further and examine the normally hidden source code. This gives me an insight into some tricks employed by criminals to get their spam messages past the spam filters used by many ISPs and email providers. This helps me to develop new, or modify existing spam filters that I publish for MailWasher Pro users.

I have seen many changes in spam composition tactics over the years I have spent fighting spammers. One trick that used to be prevalent a few years ago is making a big comeback right now. That is the use of "ISO Encoding" for the Subject, From and sometimes other fields in the normally hidden email headers. This type of encoding has legitimate uses and senders (like Yahoo), so don't rush to premature conclusions and block everything containing an ISO subject.

What is ISO encoding and why do spammers employ it as an evasion tactic?

ISO is the International Organization for Standardization, which establishes common standards for all manner of interoperable systems used around the World, so that they can interact with one another. This includes standards for email systems and the character coding used in email messages. One of the email-related standards defined by ISO is the "Codepage" (character set) encoding declared in email headers. It tells an email client (program/reader) which character set the message is written in and how to render the contents when it is opened.

The default Codepage used in English language email messages is known as ISO-8859-1. It corresponds to the "Latin-1" character set and is nearly identical to Windows-1252. If an email is composed without any declaration of Codepage and is sent through a mail server assigned to Western languages, it is displayed in English, using the default display settings of the user's computer.

Since email composed in one language locality is frequently sent to recipients with a different language and alphabet, senders can specify that they are asking those messages to be displayed in the language and alphabet of the recipients. This is where the use of ISO encoding in the email headers comes into play. It is used frequently by International companies in email blasts to numerous recipients around the Globe.

Spam email also benefits from ISO encoding. Here's how:

Many free email systems, like Microsoft's Hotmail, are plagued with "bots" used by spammers to break security challenges (e.g. CAPTCHA), open new free mail accounts using bogus information, then send out spam blasts to the recipients listed in spam databases. These spammers may get only one or two successful spam runs before they trigger alarms at the email provider and the account gets shut down. But, to ensure that the spam actually gets out at all, they have to make sure it isn't blocked by the outgoing email server's spam detection filters. In English speaking Countries, the default spam filters are written in English and match English language words and phrases.

Spammers using these free email providers have learned that one of the easiest ways to avoid having spam messages blocked by outgoing filters is to not use English words and phrases in the From, Reply, or Subject fields. Instead, they are resorting to the use of ISO encoding tricks. The outgoing spam filters look at the hidden headers as well as a snippet of body text, looking for significant matches. Many incoming mail servers also use the same spam detection systems. By using ISO encoding in the From and Subject, one can sneak spam words past many common spam filters.

Once these messages arrive in recipients' inboxes, their email program ("client"), or web-mail browser, translates the ISO codes into the language specified in the Codepage declaration. In the case of ISO-8859-1, the displayed words will be in standard American English. The recipient does not see any of the coding tricks, just the decoded letters and words. The message slipped past anti-spam filters at the sending end and at the receiving email server, both of which look at the headers first and then so many lines of the body text.

Most of the ISO spam messages also use ISO or other encoding tricks, gibberish (salad words) and non-displaying text hidden inside html style tags, in the beginning of the body, moving the actual spam words and links way down, past where most commercial spam filters give up.
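The header trick explained above, shown end to end as an added Python example (not the author's filter): the From and Subject carry `=?ISO-8859-1?Q?...?=` encoded-words (the RFC 2047 form), in which `_` stands for a space and `=61` for the letter "a", so a filter run on the raw header text finds nothing while the decoded text the recipient sees matches. The fix is to decode headers before matching, rather than to block encoding itself, since legitimate senders use it too. The message is constructed.

```python
import re
from email import message_from_string
from email.header import decode_header

# Constructed message (not a real spam). The raw From and Subject never
# contain the literal words "pharmacy", "viagra" or "cialis"; the mail client
# shows them after decoding the ISO-8859-1 encoded-words.
RAW_MESSAGE = """\
From: =?ISO-8859-1?Q?Canadian_Ph=61rmacy?= <news@example.com>
Subject: =?ISO-8859-1?Q?Cheap_Vi=61gra_and_Ci=61lis?=
To: you@example.org
Content-Type: text/plain; charset="iso-8859-1"

Order now.
"""

# Words a plain header filter would look for.
SPAM_WORDS = re.compile(r"\b(?:viagra|cialis|pharmacy)\b", re.IGNORECASE)


def decode_rfc2047(value):
    """Return a header value as the recipient's mail client would display it."""
    parts = []
    for chunk, charset in decode_header(value):
        if isinstance(chunk, bytes):
            try:
                chunk = chunk.decode(charset or "ascii", errors="replace")
            except LookupError:
                # Unknown or bogus charset label: fall back to Latin-1 so the
                # bytes still become text the filter can inspect.
                chunk = chunk.decode("latin-1", errors="replace")
        parts.append(chunk)
    return "".join(parts)


def screen_headers(raw_message):
    """Run the word filter on raw and on decoded From/Subject; report both."""
    msg = message_from_string(raw_message)
    report = {}
    for name in ("From", "Subject"):
        raw = msg.get(name, "")
        decoded = decode_rfc2047(raw)
        report[name] = {
            "raw": raw,
            "decoded": decoded,
            "matched_raw": SPAM_WORDS.search(raw) is not None,
            "matched_decoded": SPAM_WORDS.search(decoded) is not None,
        }
    return report


if __name__ == "__main__":
    for name, info in screen_headers(RAW_MESSAGE).items():
        print(f"{name}: raw={info['raw']!r}")
        print(f"        decoded={info['decoded']!r} "
              f"raw_match={info['matched_raw']} decoded_match={info['matched_decoded']}")
```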

If you want to learn more about the use of ISO encoding, as it pertains to spam filters and email, read my extended content.

Continue reading "Spammers are using ISO encoding, in Subject and From, to evade spam filters" »


Another Russian-Ukrainian run fake pharmacy hosted in Romania

Today I traced a spam email claiming to be a message from Facebook Support, with the subject: "Facebook Support has sent you a message." The spam was sent through a hijacked email server belonging to an NTT owned Verio Web Hosting customer's account. The link in the fake Facebook button led to a fake Canadian Family Pharmacy website, hosted in Bucharest, Romania.

This is a known rogue online pharmacy that is part of a huge spam operation run by a Russian spam affiliate program called Eva Pharmacy, which grew out of Bunker.biz. The people behind this spam operation are a tight-knit group of criminals known as Yambo Financials, based in Ukraine.

The domain name used in the spam run uses JavaScript redirection to take you to the actual website, which, although it claims to be the "Canadian Family Pharmacy," uses the domain name (this time): medicarerxdrugstore.com. A Whois lookup of that domain reveals that it was registered on April 18, 2011, by someone claiming to be (or using the stolen identity of) Ekaterina Nevzorova; ul. Turgeneva d.110 kv.19; Krasnodar; Krasnodarskiy kray, 350000; Russia.

Clicking through the link in the fake Facebook message leads one to 188.229.97.110, which is a Romanian web host, shown below.

Input URL: http://medicarerxdrugstore.com
Effective URL: http://medicarerxdrugstore.com
Responding IP: 188.229.97.110

Host 188.229.97.110
Location RO RO, Romania
City Bucharest, 10 -
Organization SAFE TELENET SRL
ISP SAFE TELENET SRL
AS Number AS50068 SAFE TELENET SRL

The web page that was displayed claimed to be the Canadian Family Pharmacy, with an address near the bottom of the page, claiming to be: 913 Montreal Road, Ottawa, ON, Canada. This is a non-existent address that has been used since at least 2009 by the same Yambo and Bunker.biz cybercrime gangs to advertise their various fake pharmacies. Everything about the pharmacy is fake, including the drugs they sell, which are produced in counterfeiting factories in India and China.

If you receive an unexpected email claiming to be from Facebook Support, hold your mouse pointer over the link or button (labeled See All Messages, or similar). You will see the actual destination in the status bar on the bottom. If your email client or browser lacks a status bar, hover over the link and right-click, then select Copy Link Location. Open Notepad, or your preferred text editor and paste the link into a new blank document. You will see that the URL does not lead to anything.facebook.com/, but, to either a weird domain name, or a numeric IP address. The message I traced had the numeric IP address: 200.58.119.150, that was for a hijacked computer in Argentina.

I pray that none of my readers will fall for this, or any other fake online pharmacy, whether they claim to be Canadian, American, or from The Borg Collective. They are fake, selling counterfeit drugs and are run by master criminals in the former USSR. If you actually do receive the items you paid them for, you are getting counterfeits, with God knows what ingredients and dosages. Contact your bank, or credit card issuer and request a refund, based on fraud and request a new debit or credit card number (criminals have the card number used to make your purchase on file).

See my Spam Issues articles for more exposés about fake pharmaceuticals spam and the Romanian and Russian connections to most of it.


July 3, 2011

My Spam analysis & filter updates for the week of June 26 - July 3, 2011

Spam levels are continuing to decline, at least in my email accounts. This time last year, my percentage of spam email was 56%. This week, this year, it measured just 26%. That is a 54% decline in 12 months. The spam detected and deleted by MailWasher Pro was mostly for bogus male enhancement pills, which led by a 2:1 margin over other types of pharmaceutical and weight loss scams. Counterfeit watches and Nigerian lottery scams had measurable percentages.

I managed to trace several spam domains with the Russian .RU and some .COM TLD's to Romanian web hosts. Additionally, the SpyEye/Zeus Trojan Tracker, at Abuse.ch has traced down several SpyEye command and control servers to a Romanian hosting company. From Count Dracula to the Zeus and SpyEye Trojans, to fake pharmaceuticals and male enhancement scams, the Romanians have it all covered, with help from Russian Botmasters and master spammers. It is Russian and Romanian spammers who are paying to register and host hundreds of throwaway domain names, used in bot-sent spam blasts, promoting all manner of fake and illicit pharmaceuticals and herbals and exploits.

There was a measurable uptick in the amount of email containing direct links to exploit websites. My "Exploit Link" filter detected and deleted them all (see info on my custom MailWasher Pro filters, further down). Most led to the Zeus or SpyEye bank credential stealing Trojans.

Despite the fact that the volume and percentage of spam is declining right now, the threats contained in what is being sent are becoming more dangerous all the time. More and more spam is being sent after recipients' identities are researched by spammers, who buy stolen IDs after break-ins of big company member databases. Others use password breakers to steal weak login credentials to free email systems, then send out spam targeting the entire contact list of the people who own those compromised email accounts. This happens constantly to Hotmail users.

You may have already received spam and scams targeting you by your personal or nickname. Therefore, effective email protection is required to protect your computers, your money and your data. MailWasher Pro is the program I use to detect and delete spam and email-borne security threats. My spam statistics are obtained from the program, showing how effective it is as a spam fighting tool.

This past 7 days, spam for various types of garbage amounted to 26% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from June 26 - July 3, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 26%; -1% from last week
Number of messages classified as spam: 114
Number classified by my custom spam filters: 104
Number classified as spam by my custom blacklist: 6
Number classified as spam by the Bayesian Learning filter: 0
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 1
Number of spam messages seen, reported to SpamCop & manually deleted: 11

Continue reading "My Spam analysis & filter updates for the week of June 26 - July 3, 2011" »

June 27, 2011

More Romanian spam hosts for Russian pill pushers

Regular readers of my blog articles - about security matters - know that I write a lot about spam issues. Spam is a major source of security exploits. But, some of it exploits human foolishness and could compromise your health, as well as your bank account.

I am referring to the spam for pharmaceuticals, most of which are totally counterfeit and often dangerous to your health. Many pill pushing spam links now lead to Russian websites, hosted in Romania. The latest spam run I intercepted today, pushing male enhancement pills, has a plain text link to a domain ending in .RU (a Russian domain extension). The domain is hosted at 188.229.95.27, which is located in Romania.

Spamvertised URL: maxpenisenergy.ru
Resolves to 188.229.95.27

Host: 188.229.95.27
Location: RO - Romania
City: Bucharest
Organization: SC Techomet SRL
ISP: Netserv Consult SRL
inetnum: 188.229.95.0 - 188.229.95.255
route: 188.229.95.0/24
descr: TECHOMET
origin: AS56860

I looked into AS56860 (AS = Autonomous System, the network that announces the route for this address block) and found it listed as a fraud / scam network on MalwareURL, with 32 domains listed. All of them promote counterfeit pills, watches or HCG. Four of its 32 domains are the name servers used to direct traffic from spam recipients to rotating destination URLs.

I checked my Russian Blocklist and found that I already had the neighboring Romanian CIDR 188.229.94.0/24 on the .htaccess and iptables blocklists. Rather than add another entire CIDR, I merely changed the prefix length from /24 to /23. This encompasses every IP from 188.229.94.0 - 188.229.95.255. All of these IPs are in Romania, owned by SC Techomet SRL. The new range, 188.229.94.0/23, is already uploaded.
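Collapsing the two adjacent /24s into one /23 only works because 188.229.94.0 sits on an even boundary; 188.229.95.0/24 and 188.229.96.0/24 would not fold into a /23 the same way, and widening the mask blindly would block addresses that were never on the list. The Python below is added here as an example and is not part of the blocklist tooling described in the post. It checks the merge with the standard library, confirms that the spamvertised host 188.229.95.27 falls inside the result, and prints the equivalent Apache 2.2 "deny from" and iptables lines. Those two rule formats are assumptions about how the lists are written; check them against your own Apache version and firewall script.

```python
import ipaddress

# Constructed example: the two adjacent Romanian /24s named in the post.
EXISTING_BLOCK = "188.229.94.0/24"
NEW_BLOCK = "188.229.95.0/24"
SPAMVERTISED_HOST = "188.229.95.27"


def merge_blocks(*cidrs):
    """Collapse CIDR blocks into the smallest equivalent set of supernets.

    Two /24s fold into one /23 only when they share the same /23 prefix,
    which for IPv4 means the lower one starts on an even third octet.
    Anything else is returned unchanged, so nothing outside the input
    ranges is ever blocked.
    """
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def covers(cidr, ip):
    """True if the address falls inside the block."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def htaccess_rule(cidr):
    """Apache 2.2 mod_authz_host syntax (assumed format of the .htaccess list).

    Apache 2.4 would use: Require not ip <cidr>
    """
    return f"deny from {cidr}"


def iptables_rule(cidr):
    """Drop inbound packets from the block; applying it requires root."""
    return f"iptables -A INPUT -s {cidr} -j DROP"


if __name__ == "__main__":
    merged = merge_blocks(EXISTING_BLOCK, NEW_BLOCK)
    print(merged)                                # ['188.229.94.0/23']
    print(covers(merged[0], SPAMVERTISED_HOST))  # True
    for block in merged:
        print(htaccess_rule(block))
        print(iptables_rule(block))
    # The next /24 up does not share a /23 with 188.229.95.0/24, so it stays separate:
    print(merge_blocks("188.229.95.0/24", "188.229.96.0/24"))
```

Before widening a mask, also confirm (as the post did via the inetnum record) that the whole enlarged range belongs to the same organization; collapse_addresses only tells you the arithmetic is valid, not that the neighbours deserve blocking.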

If you want to block Russian and neighboring Countries from accessing your websites, on shared hosting servers, check out my Russian Blocklist, in .htaccess format. To block them from mail servers, or ftp sites, will probably require the use of the Russian iptables Blocklist, for Linux Personal Firewalls. Only persons with root access can apply the iptables rules. Everyone else must use the .htaccess version. This only works on Apache servers, based on the Unix or Linux operating systems.

June 26, 2011

My Spam analysis & filter updates for the week of June 19-26, 2011

This week's spam levels have remained at about the same level as last week. The majority of spammers are trying to sell counterfeit pharmaceuticals and replica watches, followed by weight loss herbs, male enhancement gimmicks, fake Viagra, and some Nigerian lottery and 419 scams. The various percentages of spam, by category, are listed in my extended comments.

This past week saw a continuation of the previously dead and buried Canadian Pharmacy scams. The spammers themselves are affiliates of various fake pharmacy programs. They pay Bot Masters to lease the use of zombie computers making up spam botnets, and expect to be paid by the program for the traffic they drive to the fake pharmacies. It so happens that the co-founder of one of the remaining major spam payment processors, Chronopay, has been arrested in Russia. Directly related to his arrest, several affiliate payment systems related to his RX-Promotions spam business are going offline (details to follow soon).

Canadian Pharmacy is one of the spam programs created, managed and paid for in Russia. I expect to see a big drop in all variations of Canadian Pharmacy spam, in the next week or so. No pay, no spam!

Despite fluctuations in volumes of junk email, spam is still going strong. It's not just nuisance messages you need to look out for. There are many critical security threats contained in attachments and links to exploit sites, which are designed to infect your computers with malware. Keyloggers, disguised as Flash upgrades, missing codecs, scanned documents, or resumes in attachments, silently log your keystrokes when you log into your online bank, or PayPal, or your website control panel, stealing your credentials, then your money or company secrets. Therefore, effective email protection is required to protect your computers, your money and your data. MailWasher Pro is the program I use to detect and delete spam and email-borne security threats. My spam statistics are obtained from the program, showing how effective it is as a spam fighting tool.

This past 7 days, spam for various types of garbage amounted to 27% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from June 19-26, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 27%; +1% from last week
Number of messages classified as spam: 119
Number classified by my custom spam filters: 115
Number classified as spam by my custom blacklist: 2
Number classified as spam by the Bayesian Learning filter: 0
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 1
Number of spam messages seen, reported to SpamCop & manually deleted: 15

Continue reading "My Spam analysis & filter updates for the week of June 19-26, 2011" »

June 23, 2011

Don't be fooled by spam for drugs sent COD via FedEx

Today, MailWasher Pro automatically deleted 3 spam emails that were matched by my "Pharmaceuticals" filter, for an online pharmacy. What was different was that they were advertising that the drugs would be shipped C.O.D., via FedEx Courier Service. The words "FREE Rx" were included in both the Subject and Body text.

Here is an excerpt from one of the restored spam messages:

Get FDA approved meds from a US licensed pharmacy. FedEx overnight shipping. No Prior Prescription needed.

Cash On Delivery.. pay to courier guy when your product arrive!

I hope none of my readers will fall for this trap. This is an illegal operation. US Citizens, residing in the USA, cannot import prescription drugs into the USA, by foot, car, truck, motorcycle, boat, airplane, satellite, balloon, mail or courier, from other Countries, with or without a prescription! Read the following excerpt from HealthInsurance.About.com:

Can I Bring Prescription Drugs I Buy in a Foreign Country into the U.S.?

The FDA regulates prescription drugs made in the U.S. Under federal law it is illegal for anyone except a drug manufacturer to import prescription drugs into the U.S.

Additionally, the FDA does not allow the re-importation of medications. For example, if a drug company makes an FDA-approved prescription drug and sends that drug to a pharmacy in Canada, it is against the law for you to buy that drug in Canada and bring it back into the U.S.

It is against the law, in the USA, to purchase Federally controlled substances, like prescription and Schedule IV drugs, anywhere, without a valid prescription. Therefore, the spam message quoted in the beginning of my article is promoting an illegal activity. Any courier service that delivers illicit prescription drugs to a US location is acting as an accomplice, whether they know the contents or not. If a FedEx driver does indeed deliver illegal-to-import drugs to you, in the USA, and collects money from you, both of you are violating US FDA laws. This is a Federal offense, punishable by hard time in prison and a huge fine (see my extended comments about penalties).

In my extended comments I will show you where these emails come from and where the supposed "US licensed pharmacy" is really located.

Continue reading "Don't be fooled by spam for drugs sent COD via FedEx" »

June 22, 2011

My Canadian Pharmacy scam gets new domain names

On June 15, 2011, I wrote a blog article about the re-emergence of the previously killed off Canadian Pharmacy scams. When I published that article I also filed a spam report against the domain name used in the link in the spam email I received, with their Registrar of record. Two days later the domain was suspended for violating the Registrar's terms of service.

Tonight I received two more identical spam emails, with two different domains in the links, promoting a Canadian Pharmacy selling the same Anti-ED drugs. I have filed a report with the Registrar of record, nameregistrars.net, for the first one: eumbyhojbu.com. The second domain link was for: gffbn.ru. This is a Russian domain. The only information I can find on it is that it leads to the same IP address as the previous two spam links did. All of these fake Canadian-Pharmacy/My Canadian Pharmacy links are redirected to a rogue pharmacy website hosted on a Romanian PC or server (at 194.50.7.208), running a Russian Nginx web server.

Notably, what look like hidden ISO codes in the From and Subject fields of all of these spam emails are MIME encoded-words (the =?ISO-8859-1?B?...?= style defined in RFC 2047), used to evade spam filters that match on the raw header text. Your email client is happy to decode them into the names of the pharmacy and the illicit drugs they are selling.
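To see why a header filter has to run against the decoded value rather than the raw one, here is a Python illustration, added here as an example and not part of the post or of MailWasher. The two header values are constructed for the example: the pharmacy name is hidden in a Base64 encoded-word and the drug names in a Q-encoded word, where underscores stand for spaces. The same pattern is applied to the raw header and to the decoded text.

```python
import re
from email.header import decode_header, make_header

# Constructed header values modelled on the obfuscation described above.
# The From display name hides "Canadian-Pharmacy" in a Base64 encoded-word;
# the Subject hides drug names in a Q-encoded word (underscore = space).
RAW_FROM = "=?ISO-8859-1?B?Q2FuYWRpYW4tUGhhcm1hY3k=?= <noreply@example.invalid>"
RAW_SUBJECT = "=?UTF-8?Q?Buy_Viagra_and_Cialis_=2D_70=25_off?="

# The kind of pattern a Pharmaceuticals filter would carry.
PHARMA_RE = re.compile(r"\b(canadian[- ]pharmacy|viagra|cialis)\b", re.IGNORECASE)


def decode_rfc2047(value):
    """Turn every =?charset?B|Q?...?= encoded-word in a header into plain text.

    decode_header() splits the value into (bytes, charset) pieces and
    make_header() reassembles them as one Unicode string, which is what
    the mail client displays to the recipient.
    """
    return str(make_header(decode_header(value)))


def matches_raw(value):
    """Pattern applied to the header exactly as it sits on the wire."""
    return bool(PHARMA_RE.search(value))


def matches_decoded(value):
    """Pattern applied to what the recipient actually sees."""
    return bool(PHARMA_RE.search(decode_rfc2047(value)))


if __name__ == "__main__":
    for label, raw in (("From", RAW_FROM), ("Subject", RAW_SUBJECT)):
        print(f"{label} raw:     {raw}")
        print(f"{label} decoded: {decode_rfc2047(raw)}")
        # The raw check misses both: Base64 hides the letters outright, and in
        # the Q-encoded subject the underscores count as word characters, so
        # the \b boundaries around "viagra" never line up.
        print(f"  raw match={matches_raw(raw)}  decoded match={matches_decoded(raw)}")
```

The Q-encoded case is the subtle one: the word "Viagra" is visible in the raw Subject, yet a word-boundary regex still misses it because RFC 2047 uses underscores for spaces. Decode first, then match.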

As was the case with the previous fake pharmacy landing page, this one uses a variety of Chinese and other Botnet sources to assemble the images used to fool people into believing it is a legit pharmacy. It is all snake oil and octopus juice. This is a fake pharmacy, hosted in Romania, using Russian Name Servers. The PCs used to deliver the spam emails for it are part of a world-wide spam botnet.

Do not believe anything found in the emails promoting these fake Canadian Pharmacy websites. Never buy anything from those sites. You will be handing over your credit or debit card details to Russian spammers and criminals. If you ever receive the illegal drugs you ordered, they will be counterfeit, made in Asia. They may harm or kill you. If you are lucky, you'll never receive them at all. Better to be out a few hundred bucks than pushing up daisies from OD-ing on fake Viagra laced with Melamine!

June 19, 2011

My Spam analysis & filter updates for the week of June 12-19, 2011

After decreasing last week, this week's spam levels have remained at the same level. The majority of spammers are trying to sell counterfeit replica watches, followed by illicit prescription pharmaceuticals (sans the req'd prescription), male enhancement herbs, fake Viagra, weight loss drugs and even some Nigerian 419 scams. The various percentages of spam, by category, are listed in my extended comments.

This past week saw a return of the previously dead and buried Canadian Pharmacy scams. This time, the spam sender uses the name "Canadian-Pharmacy" and the faked destination website says "My Canadian Pharmacy." Other than the addition of "My," the rest is identical to the old websites. They are still hosted on botted PCs, controlled by Russian spam gangs and Bot Masters. The landing pages include logos with links to alleged Accreditation sources, all of which go right back to the same fraudulent web page, on the botted PC. I wrote a full analysis of this new Canadian Pharmacy scam in a recent article.

Despite fluctuations in volumes of junk email, spam is still going strong. It's not just nuisance messages you need to look out for. There are many critical security threats contained in attachments and links to exploit sites, which are designed to infect your computers with malware. Keyloggers, disguised as Flash upgrades, missing codecs, scanned documents, or resumes in attachments, silently log your keystrokes when you log into your online bank, or PayPal, or your website control panel, stealing your credentials, then your money or company secrets. Therefore, effective email protection is required to protect your computers, your money and your data. MailWasher Pro is the program I use to detect and delete spam and email-borne security threats. My spam statistics are obtained from the program, showing how effective it is as a spam fighting tool.

This past 7 days, spam for various types of garbage amounted to 26% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from June 12-19, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 26%; 0% from last week
Number of messages classified as spam: 112
Number classified by my custom spam filters: 101
Number classified as spam by my custom blacklist: 2
Number classified as spam by the Bayesian Learning filter: 0
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 5
Number of spam messages seen, reported to SpamCop & manually deleted: 12

Continue reading "My Spam analysis & filter updates for the week of June 12-19, 2011" »

June 18, 2011

Fake "My Canadian Pharmacy" domain blackholed after my complaint

About two days ago, on June 15, 2011, I wrote an article on this blog about the re-emergence of the rogue Canadian Pharmacy scam, now using the name: "My Canadian Pharmacy." The pharmacy is a fake, selling counterfeit Asian pills and stealing money from gullible Americans, who are tricked into purchasing fake drugs (without the normally required prescription) and handing over their credit and debit card numbers to criminals, in the process.

Near the end of that article I mentioned BigRock.com, the Accredited Domain Name Registrar of record, which was responsible for pointing that domain, ERGADOYMA dot COM, at the Russian name servers entered into the account by the owner. The Registrar records, in the registry, which name servers are authoritative for a domain; those name servers answer DNS queries for the domain and return the IP address of the machine that serves its web pages. In the case of the rogue My Canadian Pharmacy, the name servers were under Russian (.ru) domains and were located in Russia and in China.

The Registrar, BigRock.com, located in Mumbai, India, read my complaint about spamming and illegal activities going on regarding that domain, and looked into the matter. I am happy to announce that they replied to my charges and have terminated the account for ERGADOYMA dot COM, for violating their Terms Of Service, regarding spamming and illicit activity. That domain is now blackholed, to 0.0.0.0 and is no longer responding to requests from spam recipients.

It is almost certain that the cybercriminals who registered that domain name are going to try to find another accredited Registrar with whom they might register their fake pharmacy name again. If or when they do, the domain will resolve to web pages hosted on botted PCs, under the control of the spammers and Bot Masters running this rogue pharmacy.

This victory, for the little guy, may be short lived, but it is significant. My formal complaint and due diligence in my investigation contributed to the takedown of a criminal domain name used to rob and poison gullible people of their money and health. It shows you that one small voice can make a big difference.

If you intend to report spam domains to their hosts or Registrars, make sure you have your facts lined up in an easy to understand outline. Avoid ambiguous words and phrases. Get to the point and provide concrete evidence. Do not assume that the Registrar, or web host, is complicit. In most cases they are unwitting intermediaries, duped by seasoned professional cybercriminal spammers and Bot Masters.

NB: I use Trend Micro Internet Security on my PC. It has blocked access to the web pages referred by links to ERGADOYMA dot COM, for a long time. This domain is a known "badware" serving domain, owned by Russian criminals.

June 15, 2011

Spam for fake Canadian Pharmacy is back, as "My Canadian Pharmacy"

In October 2010, the Russian based criminal enterprise that ran and financed the fraudulent Canadian Pharmacy scams closed their doors, leaving hundreds of affiliate spammers without a payment portal or template system. Well, they're baaaaack!

Today my Hotmail account received a spam email claiming to be from "Canadian-Pharmacy." I investigated for a while and my findings are listed below. Before anybody reads any further, suffice it to say that this is a fake/rogue Internet pharmacy, which despite the claims on its web pages has absolutely no connection to Canada, or to any accreditation bodies mentioned in the spamvertised websites. Everything about this new version of Canadian Pharmacy is as fake as the ones before it.

Let's dissect the new version of this scam, which is now going by the name: "My Canadian Pharmacy" - and reveal the facts that the average Joe might not see, or be aware of.

In a nutshell, what a potential victim of this scam may not know is that the website they land on is not hosted in Canada, but, in this case, in Romania. The page you see is not running on a normal, commercial web server, but on Nginx, a web server of Russian origin that is popular with Russian cybercriminals. It is surreptitiously installed on compromised PCs, after they have been infected with botnet malware.

The message I received earlier today had a subject and body text promoting trademarked prescription anti-ED drugs, which if used improperly, without consulting your personal physician, could cause you a lot of medical trouble, or even cause your death. Worse, these drugs are not made in the USA or Canada, but in Asian labs that specialize in counterfeiting American brand name drugs and producing snake oil herbal remedies. At the end of the body text there was a link, with the text: "Click Here Now." Hovering over that link (holding the pointer over it without clicking on it!) revealed the destination URL, which I copied, using the technique described in the next paragraph.

If you left-click (using normal mouse setups) on a link you go directly to that location, or to the location it redirects you to (!). If you right-click instead, you get a flyout list of non-committal options, which you can act upon as desired. By right-clicking while you hover over a hyperlink (in email or on web pages), you will usually get the option to copy the link location. I did this and copied the URL that was concealed under the words "Click Here Now."

Continue reading "Spam for fake Canadian Pharmacy is back, as "My Canadian Pharmacy"" »

June 13, 2011

Sometimes spamming does not pay!

You'd think that with the seemingly unstoppable flow of all types of spam, that it must pay fairly decently. It does, for the upper echelon of professional spammers and their top affiliates. But, not necessarily for the lower ranks or those engaging in spam on their own.

Still, paying (for spammers) or not, the spam flood continues. It seems like an impossible task for us little guys to do anything to stop it. But is it really impossible for individual spam recipients to fight back and stop it? Not in this case!

So begins my story, where this little guy was able to make a big difference against a determined spammer. The spam I'm writing about is not your usual type, although it may have also been delivered to others through more typical means. This type of spam is where domain owners, or hired agents post spam links to the websites they are "spamvertising" - in the access logs of innocent websites. This is known as "log spam." They do this in the hopes that these logs may be published for the World to see, and show up in search results for the spamvertised keywords.

Since I have owned domains I have read my access logs, both to see where traffic comes from, and to catch bad behavior before it gets out of control. During the early to mid 2000's, from about 2002 through 2006, it was very common to see spam comments and links posted to a website's access logs, from remote visitors. These visitors were not usually human, but were often automated scripts written to post spam links in the "Referer" field of typical web logs (the misspelling is inherited from the HTTP specification itself, and Apache's log format uses it as %{Referer}i). The reason they did this was because many cheaply or freely hosted websites published those access logs as viewable by the public, by default.

Fast forward to 2011 and despite the fact that most websites, like mine, have only privately accessible logs, the people wanting to spamvertise their new, often unfriendly websites will employ every tactic available to them. Thus, the spammer who wanted to promote his two new websites decided to post REFERER spam to my access logs. At first this was just an oddity that caught my eye, as it perused the hundreds of lines of hits to my main site. However, I am not your typical Webmaster and I don't have a typical viewpoint for seeing things, with my trained eyes.

Over a period of two weeks I noticed a repeating pattern of obvious spam links for two domains, coming at a short, predictable interval, from two closely related IP addresses. The IP addresses led to a broadband ISP in the former Czechoslovakia. The websites they were promoting were hosted by a well known hosting company here, in the USA.
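The pattern just described, the same referer host returning at a fixed interval from two neighbouring IPs, can be picked out of an Apache combined-format log mechanically instead of by eye. The Python below is added here as an example and is not the author's own script. The eight log lines are constructed with reserved example addresses and hostnames; grouping by /24 and the 60-second jitter tolerance are assumptions chosen to match the behaviour described above.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Apache "combined" format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample (not a real log): two IPs in one /24 posting the same two
# spamvertised hosts every ~30 minutes, mixed with ordinary visitors.
SAMPLE_LOG = """\
203.0.113.10 - - [13/Jun/2011:10:00:01 -0400] "GET / HTTP/1.1" 200 5120 "http://cheap-pills.example/" "Mozilla/4.0"
203.0.113.11 - - [13/Jun/2011:10:15:02 -0400] "GET / HTTP/1.1" 200 5120 "http://cheap-watches.example/" "Mozilla/4.0"
198.51.100.7 - - [13/Jun/2011:10:20:44 -0400] "GET /blog/ HTTP/1.1" 200 8800 "http://www.google.com/search?q=mailwasher+filters" "Mozilla/5.0"
203.0.113.10 - - [13/Jun/2011:10:30:03 -0400] "GET / HTTP/1.1" 200 5120 "http://cheap-pills.example/" "Mozilla/4.0"
203.0.113.11 - - [13/Jun/2011:10:45:02 -0400] "GET / HTTP/1.1" 200 5120 "http://cheap-watches.example/" "Mozilla/4.0"
192.0.2.55 - - [13/Jun/2011:10:50:12 -0400] "GET /filters.txt HTTP/1.1" 200 40100 "-" "Mozilla/5.0"
203.0.113.10 - - [13/Jun/2011:11:00:01 -0400] "GET / HTTP/1.1" 200 5120 "http://cheap-pills.example/" "Mozilla/4.0"
203.0.113.11 - - [13/Jun/2011:11:15:02 -0400] "GET / HTTP/1.1" 200 5120 "http://cheap-watches.example/" "Mozilla/4.0"
"""


def parse_combined(text):
    """Yield one dict per well-formed combined-format line; skip anything else."""
    for line in text.splitlines():
        m = COMBINED_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
            yield rec


def referer_spam(records, min_hits=3, max_jitter=60):
    """Flag referer hosts that recur from one /24 at a steady cadence.

    Returns {referer_host: {"network": "a.b.c.0/24", "hits": n, "interval_s": s}}.
    Grouping on the /24 (an assumption) catches the two-neighbouring-IPs
    rotation seen in the post; requiring near-identical gaps between hits
    separates scripted posting from human traffic, which is bursty.
    """
    groups = defaultdict(list)
    for r in records:
        if r["referer"] == "-":
            continue
        host = urlsplit(r["referer"]).hostname
        if not host:
            continue
        net = ipaddress.ip_network(f'{r["ip"]}/24', strict=False)
        groups[(host, str(net))].append(r["ts"])

    flagged = {}
    for (host, net), stamps in groups.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= max_jitter:
            flagged[host] = {"network": net, "hits": len(stamps),
                             "interval_s": round(sum(gaps) / len(gaps))}
    return flagged


if __name__ == "__main__":
    for host, info in referer_spam(parse_combined(SAMPLE_LOG)).items():
        print(f'{host}: {info["hits"]} hits from {info["network"]} every ~{info["interval_s"]}s')
```

The Google search referer and the direct hit with "-" as referer fall through untouched; only the two hosts that arrive on a metronome from 203.0.113.0/24 are reported, which is the evidence you would attach to an abuse report to the spamvertised sites' host.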

Read my extended comments for the rest of the story.

Continue reading "Sometimes spamming does not pay!" »

June 12, 2011

My Spam analysis & filter updates for the week of June 5-12, 2011

After an increase last week, this week's spam levels have decreased again. This yo-yo effect is possibly due to problems Bot Masters are having maintaining their spam botnets, in the face of strong pressure from Microsoft, the DOJ, FireEye and cooperation from law enforcement authorities in Russia. The various percentages of spam, by category, are listed in my extended comments.

Bot Masters, who send the orders and templates to the zombie spambots (robot agents on infected personal computers), depend on professional or newly recruited spammers to pay to rent the use of their botnets. Competition among botnet owners, dis-infection of botted PCs and interference from authorities tends to drive prices down for some services and up for others. These days, there seems to be more money to be made by renting out botnets for use in denial of service attacks, than for sending e-junk mail.

Despite fluctuations in volumes of junk email, spam is still going strong. It's not just nuisance messages you need to look out for. There are many critical security threats contained in attachments and links to exploit sites, which are designed to infect your computers with malware. Keyloggers, disguised as Flash upgrades, missing codecs, scanned documents, or resumes in attachments, silently log your keystrokes when you log into your online bank, or PayPal, or your website control panel, stealing your credentials, then your money or company secrets. Therefore, effective email protection is required to protect your computers, your money and your data. MailWasher Pro is the program I use to detect and delete spam and email-borne security threats. My spam statistics are obtained from the program, showing how effective it is as a spam fighting tool.

This past 7 days, spam for various types of garbage amounted to 26% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from June 5-12, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 26%; -3% from last week
Number of messages classified as spam: 98
Number classified by my custom spam filters: 96
Number classified as spam by my custom blacklist: 1
Number classified as spam by the Bayesian Learning filter: 1
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 1
Number of spam messages seen, reported to SpamCop & manually deleted: 7

Continue reading "My Spam analysis & filter updates for the week of June 5-12, 2011" »

June 5, 2011

My Spam analysis & filter updates for the week of May 29 - June 5, 2011

After two weeks in a row of reduced spam volumes, spam levels have increased again, as anticipated. Spam for imitation Viagra led counterfeit watches by a ~5% margin. This was followed by weight loss scams promoting the illegal sale of the controlled Schedule IV drug Phentermine. Spam for various pharmaceuticals and male enhancement scams had lower proportions than usual. I saw a lot of what appears to be French language spam, which I can't read, followed by fake Adobe and Skype upgrade exploit links and work at home scams.

Spam is still with us, along with security threats contained in scams and exploit email links, so, email protection is still needed as it will get worse again (it always ebbs and flows). MailWasher Pro is the program I use to detect and delete spam. My spam statistics are obtained from the program, showing how effective it is as a spam fighting tool.

This past 7 days, spam for various types of garbage amounted to 29% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from May 29 - June 5, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 29%; +6% from last week
Number of messages classified as spam: 127
Number classified by my custom spam filters: 116
Number classified as spam by my custom blacklist: 4
Number classified as spam by the Bayesian Learning filter: 1
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 5
Number of spam messages seen, reported to SpamCop & manually deleted: 15

Continue reading "My Spam analysis & filter updates for the week of May 29 - June 5, 2011" »

May 30, 2011

Beware of fake Adobe, Skype and Limewire upgrade, email scams

During the past week I have been receiving, classifying, reporting and deleting scam emails pushing links to fake upgrades for Adobe, Skype and the now defunct LimeWire programs. The bulk of these arrived over the past 24 hours, right up until a short time before I wrote this article. You need to be aware of the nature of these scams and make sure you don't fall for them.

Let's start with the most prevalent of the new scams: the fake Adobe Reader upgrade notices. It starts with the arrival of unexpected email messages spoofing that they were sent from Adobe Support. The subjects contain wording such as: "New Acrobat PDF Reader Has Released !" - followed by either Download or Upgrade Now. While the From field contains a plain text name that includes Adobe Support, or email.adobe.com, in the Prefix, it does not have an Adobe domain in the actual sender's email address. Rather, one may find, as I did, that they are spoofing the sender as an account at "hotels.octopustravel.com."

The message body includes an introduction in all capital letters (as of this writing), claiming: "ADOBE PDF READER UPGRADE NOTIFICATION" - followed by descriptive text copied from the Adobe Reader web pages. The scammers then announce: "contains critical security updates" and provide you with a cleverly worded link that includes the words "adobe", "PDF" and/or "Reader", with dashes between words, ending with the word -download(s) or -upgrade, then .com. The links lead to exploit websites in China, hosted on Windows servers at 122.224.4.113, and possibly other nearby IP addresses.

The related Skype scams purport to come from Skype Support (but not from skype.com) and tell about all of the benefits of upgrading to the newest version of Skype. However, as in the previous Adobe scam, the links end in -download(s).com. Again, this domain is hosted on a Windows IIS web server in China, at 122.224.4.113 (or neighbors).
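Two checks fall out of the description above: the display name claims Adobe (or Skype) while the actual address domain is somebody else's, and the link follows a brand-words-joined-by-dashes pattern ending in -download(s) or -upgrade. The Python below is an added example, not one of the author's MailWasher filters, and runs both checks on a constructed message. The sender address, the link host and the table of legitimate brand domains are assumptions made for the example; the real spam's hosts named in the post are deliberately not used.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message modelled on the fake Adobe upgrade notice described
# above. Sender address and link host are reserved example names.
SAMPLE_MSG = """\
From: "Adobe Support <email.adobe.com>" <promo@hotels.example.com>
Subject: New Acrobat PDF Reader Has Released ! Upgrade Now
Content-Type: text/plain

ADOBE PDF READER UPGRADE NOTIFICATION

This release contains critical security updates.
Download: http://adobe-pdf-reader-downloads.example.com/setup.exe
"""

# Brands the scams impersonate -> domain that legitimately sends for them.
# Assumption for the example: only that domain and its subdomains count.
CLAIMED_BRANDS = {"adobe": "adobe.com", "skype": "skype.com"}

# Link shape from the post: brand words joined by dashes, ending in
# -download(s) or -upgrade, then a TLD.  The ".example.com" is this example's own.
FAKE_UPGRADE_LINK = re.compile(
    r"https?://[\w.-]*\b(?:adobe|pdf|reader|skype)\b[\w-]*-(?:downloads?|upgrade)\.[\w.-]+",
    re.IGNORECASE,
)


def sender_domain(from_value):
    """Domain of the real addr-spec, ignoring whatever the display name says."""
    _, addr = parseaddr(from_value)
    return addr.rpartition("@")[2].lower()


def display_name_spoof(from_value):
    """Return the brand a display name claims when the address domain does not back it.

    parseaddr() separates 'Display Name <addr>' for us, so a brand name or
    look-alike domain stuffed into the quoted display name cannot fool the check.
    """
    name, _ = parseaddr(from_value)
    dom = sender_domain(from_value)
    for brand, legit in CLAIMED_BRANDS.items():
        if brand in name.lower() and not (dom == legit or dom.endswith("." + legit)):
            return brand
    return None


def fake_upgrade_links(body):
    """All URLs in the body that match the spamvertised download/upgrade shape."""
    return FAKE_UPGRADE_LINK.findall(body)


def classify(raw_message):
    """Run both checks over a raw RFC 822 message and return one verdict."""
    msg = message_from_string(raw_message)
    spoof = display_name_spoof(msg["From"])
    links = fake_upgrade_links(msg.get_payload())
    return {"spoofed_brand": spoof, "links": links, "spam": bool(spoof or links)}


if __name__ == "__main__":
    print(classify(SAMPLE_MSG))
```

A genuine notice from "Adobe Systems" <noreply@email.adobe.com> passes the first check because email.adobe.com is a subdomain of adobe.com, and a link such as http://get.adobe.com/reader/ does not fit the dash-joined download pattern; both are the negative cases a filter like this must get right before it is set to auto-delete.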

The latest round to arrive this evening claims to lead to an alternative to the now defunct LimeWire file sharing system. That file sharing service was shut down in October 2010 by a US federal court injunction, won by the recording industry (RIAA) in its copyright suit against LimeWire. The new scam claims to offer you free P2P software that allows you to trade pirated files with other law breakers. However, if you run that installer, instead of getting connected to a new file sharing service, you will become botted, with your PC becoming a member of a peer-to-peer spam botnet. Your PC will then be used to send out messages like these to innocent people whose email addresses have been harvested by spam bots on their friends' computers.

Get MailWasher Pro here. Free to try for 30 days, fully functional! I have just finished writing three new filters for MailWasher Pro users, which detect these new software scams and block them (with either automatic or manual deletion). All of my custom spam filters are available in both the old (filters.txt - for up to v 6.5.4) and new (Filters.xml - for MWP 2010 onward) MailWasher formats. If you use MailWasher Pro to filter out spam, before downloading it to your desktop email client, you should take a look at my filters and see if they help reduce your time spent classifying what is good and what is spam email.

My filters are still free to download and use, but I most certainly do appreciate any donations that grateful MailWasher Pro users make, to show their appreciation for my work.

May 29, 2011

My Spam analysis & filter updates for the week of May 22 - 29, 2011

For two weeks in a row, spam levels have remained lower than usual. Spam for counterfeit watches maintained its lead over imitation Viagra and Cialis, by a ~9% margin. This was followed by the return of weight loss scams, male enhancement scams and various dating and lottery scams and links to .RU domains, all of which had lesser percentages.

The malware in attachments, for botnet installers, reappeared this week, in the form of fake links to Adobe Reader and Skype updates. I pity anybody who was fooled into clicking on those hostile links (they are now botted!). When the botnets lose zombie members from disinfection, their Bot Masters send out new rounds of malware infected attachments and links, to rebuild their armies of spam-bots.

Therefore, spam protection is still needed as it will get worse again (it always ebbs and flows). MailWasher Pro is the program I use to detect and delete spam. My spam statistics are obtained from the program, showing how effective it is as a spam fighting tool.

This past 7 days, spam for various types of garbage amounted to 23% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from May 22 - 29, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 23%; -1% from last week
Number of messages classified as spam: 114
Number classified by my custom spam filters: 99
Number and percentage of spam according to my custom blacklist: 3
Number classified as spam by the Bayesian Learning filter: 0
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 2
Number of spam messages seen, reported to SpamCop & manually deleted: 17

Continue reading "My Spam analysis & filter updates for the week of May 22 - 29, 2011" »


May 22, 2011

My Spam analysis & filter updates for the week of May 15 - 22, 2011

Following last week's increase, this week's spam levels have decreased slightly. Spam for counterfeit watches regained the lead over imitation Viagra and Cialis, by a 10% margin. This was followed by male enhancement scams, various dating and lottery scams, and links to .RU domains, all of which had lesser percentages.

The malware in attachments from the previous week, for botnet installers, failed to reappear this week (so watch out next week!). When the botnets lose zombie members from disinfection, their Bot Masters send out new rounds of malware infected attachments and links, to rebuild their armies of spambots.

Therefore, spam protection is still needed as it will get worse again. MailWasher Pro is the program I use to detect and delete spam. My spam statistics are obtained from the program, showing how effective it is as a spam fighting tool.

This past 7 days, spam for various types of garbage amounted to 24% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from May 15 - 22, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 24%; -6% from last week
Number of messages classified as spam: 109
Number classified by my custom spam filters: 103
Number and percentage of spam according to my custom blacklist: 1
Number classified as spam by the Bayesian Learning filter: 0
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 5
Number of spam messages seen, reported to SpamCop & manually deleted: 16

Continue reading "My Spam analysis & filter updates for the week of May 15 - 22, 2011" »


May 16, 2011

Spam, scams and new Facebook threats you should watch out for

2011 is fast becoming one of the most dangerous years in recent memory. Bad things are happening in both the physical and cyber worlds, in which we live and conduct our daily affairs. Bad actors are wreaking havoc on innocent people, almost everywhere. Cyber-criminals are exceedingly good at scamming and harming Netizens, wherever they may live.

That preamble leads me into the matter that is on my mind, which I want you to save in your minds also. Cyber-crime is big business. The puppet masters pulling the strings, controlling the botnets that send out spam, scams and launch DDoS attacks, are hardened criminals, not hackers looking for notoriety. They have invested a lot of money in paying programmers to write malware codes, botnet installers, banking Trojans, and in Command & Control Server hosting fees, and often, in paying bribes to local police, to avoid being arrested if identified.

The goal of all of the bot masters is to get their remote control malware installed on as many computers as possible, turning them into spam sending zombies. Then, they lease out the use of these botnets to spammers. Spammers have levels also. There are master spammers and affiliate spammers. The Master Spammers produce the spam templates, arrange for the questionable and illicit products to be sold from shady companies, maintain the affiliate payment systems and supply target email databases.

Affiliate spammers buy into spam operations at a lower level and use their money to drive sales to the websites where the fake, or counterfeit goods are being sold. They are responsible for maintaining the current spam sub-culture. Without the army of paying affiliates, the Master Spammers would have to do all of the spamvertising themselves; like in the old days. That would make them much larger targets than they are now.

Since it is the affiliates who actually drive the spam business, let's consider some of their recent tricks used to relieve you of your hard earned money.

Continue reading "Spam, scams and new Facebook threats you should watch out for" »


May 15, 2011

My Spam analysis & filter updates for the week of May 8 - 15, 2011

Following last week's decrease, this week's spam levels have increased slightly. Spam for counterfeit Viagra finally surpassed spam for counterfeit watches, by a small 3% margin. This was followed by male enhancement scams and various illegal to import prescription drugs. Various scams and malware in attachments had lesser percentages.

The malware in attachments last week was for botnet installers. When the botnets lose zombie members from disinfection, they send out new rounds of malware infected attachments and links, to rebuild their armies of spambots.

Therefore, spam protection is still needed as it will get worse again. MailWasher Pro is the program I use to detect and delete spam. My spam statistics are obtained from the program, showing how effective it is as a spam fighting tool.

This past 7 days, spam for various types of garbage amounted to 30% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from May 8 - 15, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 30%; +3% from last week
Number of messages classified as spam: 135
Number classified by my custom spam filters: 125
Number and percentage of spam according to my custom blacklist: 4
Number classified as spam by the Bayesian Learning filter: 0
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 2
Number of spam messages seen, reported to SpamCop & manually deleted: 10

Continue reading "My Spam analysis & filter updates for the week of May 8 - 15, 2011" »


May 8, 2011

My Spam analysis & filter updates for the week of May 2 - 8, 2011

Following last week's increase, this week's spam levels have decreased measurably. Spam for counterfeit Viagra finally surpassed spam for counterfeit watches, by a huge 16% margin. This was followed by male enhancement scams and various illegal to import prescription drugs. Various scams and pirated software had lesser percentages.

The reduction in last week's spam levels might have been due to spammers holding back, or Bot Masters laying low, to try to avoid the authorities who are trying to track them down and shutter their operations. When the botnets lose zombie members from disinfection, they send out new rounds of malware infected attachments and links, to rebuild their armies of spambots.

Therefore, spam protection is still needed as it will get worse again. MailWasher Pro is the program I use to detect and delete spam. My spam statistics are obtained from the program, showing how effective it is as a spam fighting tool.

This past 7 days, spam for various types of garbage amounted to 27% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from May 1 - 8, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 27%; -7% from last week
Number of messages classified as spam: 117
Number classified by my custom spam filters: 108
Number and percentage of spam according to my custom blacklist: 3
Number classified as spam by the Bayesian Learning filter: 1
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 5
Number of spam messages seen, reported to SpamCop & manually deleted: 17

Continue reading "My Spam analysis & filter updates for the week of May 2 - 8, 2011" »


May 1, 2011

My Spam analysis & filter updates for the week of Apr 25 - May 1, 2011

Following three weeks with little change in my level of spam, this week's levels have increased slightly. Spam for counterfeit watches led the pack by a 7% margin. This was followed by various illicit pharmaceuticals, counterfeit Viagra-Cialis, and male enhancement scams. Various scams and malware in attachments had lesser percentages.

Spammers depend on the cheap use of millions of infected PCs that have been involuntarily made zombies in spam botnets. As authorities shut down one botnet, another rises to claim its share of the spam pie. As the number of infected machines declines, due to the owners being made aware of their problem and disinfecting their computers, the bot herders use whatever means are available to them to regain zombies in their herds. Sending fake delivery notices with bot installers is one of the favorites of malware distributors.

You still need spam protection and it is showing signs of getting worse again. MailWasher Pro is the program I use to detect and delete spam. My spam statistics are obtained from the program, showing how effective it is as a spam fighting tool.

This past 7 days, spam for various types of garbage amounted to 34% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from Apr 25 - May 1, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 34%; +3% from last week
Number of messages classified as spam: 175
Number classified by my custom spam filters: 165
Number and percentage of spam according to my custom blacklist: 5
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 5
Number of spam messages seen, reported to SpamCop & manually deleted: 10

The order of spam categories, according to the highest percentages, is as follows:

Counterfeit Watches: 29.71%
Pharmaceuticals and illegal prescription drugs: 22.86%
Fake Viagra and Cialis: 19.43%
Male Enhancement scams: 14.29%
Pills filter: 2.86%
DNS Blacklist Servers: 2.86%
My Blacklist: 2.86%
BR, CN, or RU Domains in spam links: 1.71%
Known Spam Subjects: 1.14%
Other Filters (with small percentages): 0.57%
Russian Bride Scams: 0.57%
Subject Contains E-mail Address: 0.57%
LACNIC Senders (South America): 0.57%

This week I made 3 updates and/or additions to my custom filters:
Image Spam #11
Known Spam [From]
Dating spam updated and split into two filters: [Subject] and [Body]


There was one false positive last week, which led to me adjusting the Watches filter. All other filters behaved as intended. Note that I now publish three types of spam filters for MailWasher Pro. One type is for the latest 2011 series, in xml format, and two are for the previous series 6.x. One of those filters is set for manual deletions and the other for automatic deletions. You can read all about MailWasher Pro and the filters I write for it, on my MailWasher Pro Custom Filters page.


April 24, 2011

My Spam analysis & filter updates for the week of Apr 18 - 24, 2011

Following two weeks with no change in my level of spam, this week's levels have declined significantly. Spam for counterfeit watches led the pack by a 10% margin. This was followed by counterfeit Viagra-Cialis, various illicit pharmaceuticals, and male enhancement scams. The Nigerian 419 scammers and Russian bride scams had a measurable percentage this past week.

Spammers depend on the cheap use of millions of infected PCs that have been involuntarily made zombies in spam botnets. As authorities shut down one botnet, another rises to claim its share of the spam pie. As the number of infected machines declines, due to the owners being made aware of their problem and disinfecting their computers, the bot herders use whatever means are available to them to regain zombies in their herds. Sending fake delivery notices with bot installers is one of the favorites of malware distributors.

You still need spam protection and it is showing signs of getting worse again. MailWasher Pro is the program I use to detect and delete spam. My spam statistics are obtained from the program, showing how effective it is as a spam fighting tool.

This past 7 days, spam for various types of garbage amounted to 31% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from April 18 - 24, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 31%; -10% from last week
Number of messages classified as spam: 166
Number classified by my custom spam filters: 152
Number and percentage of spam according to my custom blacklist: 0
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 2
Number of spam messages seen, reported to SpamCop & manually deleted: 9

The order of spam categories, according to the highest percentages, is as follows:

Counterfeit Watches: 36.36%
Fake Viagra and Cialis: 26.62%
Pharmaceuticals and illegal prescription drugs: 14.29%
Male Enhancement scams: 10.39%
Pills filter: 3.25%
Nigerian 419 scams: 2.60%
DNS Blacklist Servers: 1.30%
Subject All Caps (mostly 419 scams): 1.30%
Other Filters (with small percentages): 1.30%
Russian Bride Scams: 1.30%
Subject Contains E-mail Address: 0.65%
LACNIC Senders (South America): 0.65%

This week I made 3 updates and/or additions to my custom filters:
Viagra Spam [S]
Misspelled Viagra [S]
Replica Watches


There was one false positive last week, which led to me adjusting the Watches filter. All other filters behaved as intended. Note that I now publish three types of spam filters for MailWasher Pro. One type is for the latest 2011 series, in xml format, and two are for the previous series 6.x. One of those filters is set for manual deletions and the other for automatic deletions. You can read all about MailWasher Pro and the filters I write for it, on my MailWasher Pro Custom Filters page.


April 17, 2011

My Spam analysis & filter updates for the week of Apr 11 - 17, 2011

Following last week's increase in spam, this week's levels remained the same. Spam for counterfeit watches led the pack by a 7% margin. This was followed by male enhancement scams and various illicit pharmaceuticals. The Nigerian 419 scammers were back at work this week, accounting for a little over 2% of my incoming spam.

Spammers depend on the cheap use of millions of infected PCs that have been involuntarily made zombies in spam botnets. As authorities shut down one botnet, another rises to claim its share of the spam pie. As the number of infected machines declines, due to the owners being made aware of their problem and disinfecting their computers, the bot herders use whatever means are available to them to regain zombies in their herds. Sending fake delivery notices with bot installers is one of the favorites of malware distributors.

You still need spam protection and it is showing signs of getting worse again. MailWasher Pro is the program I use to detect and delete spam. My spam statistics are obtained from the program, showing how effective it is as a spam fighting tool.

This past 7 days, spam for various types of garbage amounted to 41% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from April 11 - 17, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 41%; no change from last week
Number of messages classified as spam: 219
Number classified by my custom spam filters: 203
Number and percentage of spam according to my custom blacklist: 8
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 1
Number of spam messages seen, reported to SpamCop & manually deleted: 10

The order of spam categories, according to the highest percentages, is as follows:

Counterfeit Watches: 28.77%
Male Enhancement scams: 21.23%
Pharmaceuticals and illegal prescription drugs: 14.62%
Pills filter: 14.62%
Fake Viagra and Cialis: 7.55%
(.BR, .CN, or) .RU domain links: 3.77%
Blacklisted senders (my list): 3.77%
Other Filters (with small percentages): 1.42%
African Senders (usually 419 scams): 1.42%
Nigerian 419 scams: 0.94%
Known Spam [From]: 0.94%
Re: [digits] spam filter: 0.47%
DNS Blacklist Servers: 0.47%

This week I made 6 updates and/or additions to my custom filters:
E-Card Scam,
Nigerian 419 Scam #3 [S, F, R] (2x),
Re [digits] Spammer (2x),
Viagra Spam [B]


There were no false positives last week. All filters behaved as intended. Note that I now publish three types of spam filters for MailWasher Pro. One type is for the latest 2011 series, in xml format, and two are for the previous series 6.x. One of those filters is set for manual deletions and the other for automatic deletions. You can read all about MailWasher Pro and the filters I write for it, on my MailWasher Pro Custom Filters page.


April 13, 2011

Why you need to implement an anti-spam filter

Spam is defined as unwanted communication sent in bulk to multiple recipients and, most often, with some commercial or fraudulent purpose in mind. Spam most commonly reaches your network through the inbox.

While it is just an annoyance for the home user, an organization that doesn't have some form of anti-spam filter will quickly become inundated with unwanted electronic communication. This does not only clog up email inboxes, it also poses a security threat to both the employees and the company they work for.

The need to manage and control spam

Among the reasons to employ an anti-spam filter within the organization are:

  1. Productivity - Time is money, and when employees are required to filter out junk email manually, this affects their level of productivity and increases the risk that genuine email may be lost in the process. Without an effective anti-spam filter, the amount of unsolicited email they are dealing with could be high.
  2. Malicious Software - The possibility of malware infection should not be underestimated either. Many spam emails come with malicious payloads or poisoned links to infected websites and the last thing your organization needs is a malware infection - Trojans, keyloggers are among the nasty things circulating in email. The risk that malware picked up from spam email could cause problems on the company network, leading to data corruption and/or data loss, should be a good enough reason to deploy an anti-spam filter.
  3. Fraud - This is another strong issue with spam, as some unwanted email messages will attempt to phish personal or private information about you, other employees or the organization itself. Not only can this result in data loss and confidential data leaks, but it may also lead to company credit card fraud and the like.

Choosing the right anti-spam filter

Before investing in an anti-spam filter, it is good to know what's available so as to be sure your organization is benefiting from the latest anti-spam technologies. Below are some of the anti-spam filter solutions you might want to consider:

  1. Hosted anti-spam - A hosted anti-spam filter offers several benefits, such as saving bandwidth due to spam mail never even being delivered to the organization's network. There is also no need to purchase server hardware or pay for software licenses or support as these will be included in the monthly plan. Hosted anti-spam filters also offer scalability and compatibility with different operating systems.
  2. On-premise anti-spam - Some of the most popular anti-spam filtering products are server-based. Such a solution will often be found on the same hardware as the email server and its main advantage is the level of control it gives your organization in terms of configurability and integration with your email server.

Reclaim your inbox

Spam is inevitable, and organizations should understand that not doing anything about the problem will affect the server's performance, impact on employee productivity, as well as expose the business to some serious security threats. This can be prevented through user education on what spam is and how to identify it, not responding to or opening links in spam emails and, most importantly, using a robust anti-spam filter.

This guest post was provided by Lee Munson on behalf of GFI Software, a leading software developer that produces network and messaging security solutions for SMBs. More information about GFI's anti-spam solution can be found at http://www.gfi.com/mes

Learn more and download MailWasher Pro, here.


April 10, 2011

My Spam analysis & filter updates for the week of Apr 4 - 10, 2011

Following last week's slight drop in spam, this week's levels increased by 6% (of my incoming email). Spam for counterfeit watches led the pack by a 19% margin. This was followed by pharmaceuticals of the usual type. Also, there was a noticeable barrage of malware infected spam claiming to come from Express Services and Postal Express. I hope that none of my readers were curious enough to open one of the attachments from these fake courier scams. If you did, your PC is now probably a member of a botnet.

Spammers depend on the cheap use of millions of infected PCs that have been involuntarily made zombies in spam botnets. As authorities shut down one botnet, another rises to claim its share of the spam pie. As the number of infected machines declines, due to the owners being made aware of their problem and disinfecting their computers, the bot herders use whatever means are available to them to regain zombies in their herds. Sending fake delivery notices with bot installers is one of the favorites of malware distributors.

You still need spam protection and it is showing signs of getting worse again. MailWasher Pro is the program I use to detect and delete spam. My spam statistics are obtained from the program, showing how effective it is as a spam fighting tool.

This past 7 days, spam for various types of garbage amounted to 41% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from April 4 - 10, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 41%; up 6% from last week
Number of messages classified as spam: 270
Number classified by my custom spam filters: 256
Number and percentage of spam according to my custom blacklist: 0
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 1
Number of spam messages seen, reported to SpamCop & manually deleted: 24

The order of spam categories, according to the highest percentages, is as follows:

Counterfeit Watches: 28.4%
Pharmaceuticals and illegal prescription drugs: 19.07%
Male Enhancement scams: 15.562%
(.BR, .CN, or) .RU domain links: 14.79%
Courier Spam (botnet Trojans in attachments): 6.23%
Fake Viagra and Cialis: 3.89%
Weight Loss Scams: 3.89%
Other Filters (with small percentages): 2.33%
Pills: 2.33%
Counterfeit Goods (bags, jewelry): 1.95%
Russian Bride Scam: 1.17%
DNS Blacklist Servers: 0.39%

This week I made 3 updates and/or additions to my custom filters:
Courier Scam #7 (2x),
Weight Loss Drugs


There were no false positives last week. All filters behaved as intended. Note that I now publish three types of spam filters for MailWasher Pro. One type is for the latest 2011 series, in xml format, and two are for the previous series 6.x. One of those filters is set for manual deletions and the other for automatic deletions. You can read all about MailWasher Pro and the filters I write for it, on my MailWasher Pro Custom Filters page.


April 3, 2011

My Spam analysis & filter updates for the week of Mar 28 - Apr 3, 2011

Following last week's big increase in spam, this week's levels dropped slightly, by 3% (of my incoming email). I know that the various honeypot bean counters say that spam is down by between 30 and 40 percent, following the takedown of the Rustock Botnet, but that's not what my statistics reveal. Spam for counterfeit watches led the pack by a ~17% margin.

You still need spam protection and it is showing signs of getting worse again. MailWasher Pro is the program I use to detect and delete spam. My spam statistics are obtained from the program, showing how effective it is as a spam fighting tool.

This past 7 days, spam for various types of garbage amounted to 35% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from March 28 - April 3, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 35%; down 3% from last week
Number of messages classified as spam: 183
Number classified by my custom spam filters: 172
Number and percentage of spam according to my custom blacklist: 1
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 1
Number of spam messages seen, reported to SpamCop & manually deleted: 25

The order of spam categories, according to the highest percentages, is as follows:

Counterfeit Watches: 37.93%
Pharmaceuticals and illegal prescription drugs: 20.69%
Male Enhancement scams: 8.62%
Other Filters (with small percentages): 7.47%
Pills: 5.75%
Fake Viagra and Cialis: 4.60%
Counterfeit Goods (bags, jewelry): 4.60%
.BR, .CN, or .RU domain links: 3.45%
Courier Spam (malware in attachments): 2.87%
African Sender: 1.72%
PDF Attachment: 1.15%
Blacklisted sender names and domains (my blacklist): 0.57%
DNS Blacklist Servers: 0.57%

This week I made 8 updates and/or additions to my custom filters:
Courier Scam #7 (2x),
Diploma Spam,
Lottery Scam,
Post Express (2x),
Work At Home Scam.
New filter: Known Spam Subjects #4


There were no false positives last week. All filters behaved as intended. Note that I now publish three types of spam filters for MailWasher Pro. One type is for the latest 2011 series, in xml format, and two are for the previous series 6.x. One of those filters is set for manual deletions and the other for automatic deletions. You can read all about MailWasher Pro and the filters I write for it, on my MailWasher Pro Custom Filters page.


March 27, 2011

My Spam analysis & filter updates for the week of Mar 21 - 27, 2011

Following last week's big decline in spam, due to the sudden takedown of the Rustock botnet, other botnet operators have taken up the slack, bringing spam levels back up to 38% of my incoming email. This week the majority of spam was for counterfeit name brand watches, followed by pharmaceuticals, male enhancement and fake Viagra.

These past 7 days, spam for various types of garbage amounted to 38% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from Mar 21 - 27, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 38%; up 10% from last week
Number of messages classified as spam: 214
Number classified by my custom spam filters: 175
Number and percentage of spam according to my custom blacklist: 10
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 1
Number of spam messages seen, reported to SpamCop & manually deleted: 10

The order of spam categories, according to the highest percentages, is as follows:

Counterfeit Watches: 33.33%
Pharmaceuticals and illegal prescription drugs: 22.58%
Male Enhancement scams: 13.44%
Fake Viagra and Cialis: 11.83%
Blacklisted sender names and domains (my blacklist): 5.38%
Other Filters (with small percentages): 4.30%
African Sender: 2.15%
.BR, .CN, or .RU domain links: 1.61%
Subject contains e-mail address: 1.61%
Work At Home Scams: 1.08%
419 scams: 1.08%
Loans/Bankruptcy scams: 1.08%
DNS Blacklist Servers: 0.54%

This week I made 6 updates and/or additions to my custom filters:
Known Spam Domains
Watches Spam
Work At Home Scam
New filter: Courier Scam #7
New filter: .BR, .CN, .RU Domain Link
Re-enabled Weight Loss filter.


There was one false positive last week, resulting in my creating a new filter to detect .RU domains in the message body. All other filters behaved as intended. Note that I now publish three types of spam filters for MailWasher Pro. One type is for the latest 2011 series, in xml format, and two are for the previous series 6.x. One of those filters is set for manual deletions and the other for automatic deletions. You can read all about MailWasher Pro and the filters I write for it, on my MailWasher Pro Custom Filters page.
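The false positive mentioned above is the usual hazard of a TLD-based body filter: a bare `\.ru` pattern fires on ordinary text such as filenames, not only on links to Russian domains. The following is an added example, not the author's MailWasher filter and not part of the original post; the sample message bodies and the domain names in them are constructed for illustration. It puts the naive substring pattern beside a tighter one that only matches a hostname whose final label is .br, .cn or .ru and that appears as a link target.

```python
import re

# Naive body filter: any ".ru" anywhere in the text. It also fires on
# filenames such as "firewall.rules" and on hosts like news.ru.example.com.
NAIVE_RU = re.compile(r"\.ru", re.IGNORECASE)

# Tighter filter: a hostname that ends in .br, .cn or .ru and appears as a
# link target (after http://, https:// or www.), followed by a path, port,
# query, whitespace, quote, bracket or end of text. A host such as
# news.ru.example.com does not match because ".ru" is not its final label.
LINK_TLD = re.compile(
    r"(?:https?://|www\.)"
    r"([a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:br|cn|ru))"
    r"(?=[/:?#\s'\"<>)]|$)",
    re.IGNORECASE,
)


def naive_hit(body: str) -> bool:
    """True if the naive ".ru" substring filter would flag this body."""
    return NAIVE_RU.search(body) is not None


def link_tld_hosts(body: str) -> list[str]:
    """Hostnames of links to .br/.cn/.ru domains found in the body."""
    return [m.group(1).lower() for m in LINK_TLD.finditer(body)]


def classify(body: str) -> dict:
    """Compare both filters on one message body; only the link filter decides."""
    hosts = link_tld_hosts(body)
    return {"naive": naive_hit(body), "link_hosts": hosts, "spam": bool(hosts)}


# Constructed sample bodies (hypothetical; not messages from the article).
SAMPLES = {
    "watch_spam": "Replica Rolex at http://cheap-watches.example.ru/buy?id=7 today!",
    "pills_spam": "Order now: www.PILLS-store.example.cn and save 80%",
    "ham_filenames": "Please run setup.run and review the attached firewall.rules file.",
    "ham_subdomain": "Read the story at https://news.ru.example.com/story/42",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, classify(body))
```

Both "ham" bodies trip the naive pattern and neither trips the link pattern; the two spam bodies are caught by both. The lookahead at the end of `LINK_TLD` is what prevents a match on a .ru label that is followed by more labels.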


March 20, 2011

My Spam analysis & filter updates for the week of Mar 14 - 20, 2011

After briefly rising last week, spam levels have fallen again, following this week's takedown of the Rustock spam botnet's command and control servers, by Microsoft, Pfizer, FireEye and the US Marshals Service. My statistics reveal a 7% decrease from the previous week. Prior to the shutdown of those servers, Rustock was responsible for over 40% of worldwide spam.

Immediately following Rustock's takedown, on March 16, there was a big drop in spam. However, other botnets quickly rented out their services to spammers, so the amount of spam rebounded over the last few days to regain several percentage points. You can look for those botnets to become the next targets of Microsoft, Pfizer and other anti-spam agencies.

Pfizer was involved because so much spam is for counterfeit Viagra, which is a trademarked and controlled drug manufactured and distributed by Pfizer and its legitimate partners. They do not license Russian, Indian, or Chinese based Internet pharmacies to make or distribute Viagra, or to use the trademarked name of the company or the drug. Anybody offering to sell Viagra (real or counterfeit) to US residents, without a valid prescription issued by a real US based and licensed doctor, after an actual physical examination, is violating US Federal law. Anybody attempting to purchase Viagra, or other controlled prescription drugs, from an Internet pharmacy located outside the USA, or any Internet pharmacy that sells pharmaceuticals that are not manufactured or licensed for sale in the USA, is guilty of violating US laws regulating the purchase of controlled substances. Those purchases are subject to seizure by US Customs and smuggling charges can be filed by Federal authorities.

These past 7 days, spam for various types of garbage amounted to 28% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from Mar 14 - 20, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 28%; down 7% from last week
Number of messages classified as spam: 124
Number classified by my custom spam filters: 120
Number and percentage of spam according to my custom blacklist: 1
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 2
Number of spam messages seen, reported to SpamCop & manually deleted: 11

The order of spam categories, according to the highest percentages, is as follows:

Counterfeit Watches: 28.46%
Pharmaceuticals and illegal prescription drugs: 26.02%
Fake Viagra and Cialis: 15.45%
Other Filters (with small percentages): 7.32%
Male Enhancement scams: 4.88%
Known Spam Domains in links (usually Russian: .RU): 4.07%
Work At Home Scams: 3.25%
Subject contains e-mail address: 2.44%
Twitter Phishing Scam: 2.44%
419 scams: 1.63%
DNS Blacklist Servers: 1.63%
Russian Sender: 1.63%
Blacklisted sender names and domains (my blacklist): 0.81%

This week I made 7 updates to my custom filters:
Consecutive digits or consonants,
Diploma Spam,
Russian Bride Scam,
Russian Sender,
Work At Home Scam.
New filters: Courier Scam #6 and Post Express Scam.
Disabled 28 outdated filters.


There was one false positive last week. All filters behaved as intended. Note that I now publish three types of spam filters for MailWasher Pro. One type is for the latest 2011 series, in xml format, and two are for the previous series 6.x. One of those filters is set for manual deletions and the other for automatic deletions. You can read all about MailWasher Pro and the filters I write for it, on my MailWasher Pro Custom Filters page.


March 13, 2011

My Spam analysis & filter updates for the week of Mar 7 - 13, 2011

For the second week in a row, spam levels have risen again. My statistics reveal a 2% increase from the previous week. The most recent spam runs have been for illegal-to-import, dangerous prescription drugs, followed by fake brand name watches, then Asian Viagra, male enhancement scams, various African 419 lottery scams and a new DHL courier scam carrying the SpyEye Trojan in an attachment.

These past 7 days, spam for various types of garbage amounted to 35% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from Mar 7 - 13, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 35%; up 2% from last week
Number of messages classified as spam: 212
Number classified by my custom spam filters: 190
Number and percentage of spam according to my custom blacklist: 4
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 1
Number of spam messages seen, reported to SpamCop & manually deleted: 36

The order of spam categories, according to the highest percentages, is as follows:

Pharmaceuticals and illegal prescription drugs: 21.03%
Counterfeit Watches: 21.03%
Fake Viagra and Cialis: 17.95%
Male Enhancement scams: 10.77%
Other Filters (with small percentages): 9.74%
Lottery Scams: 5.13%
Known Spam Domains in links (usually Russian: .RU): 3.59%
Blacklisted sender names and domains (my blacklist): 2.05%
African Sender (419 scams): 2.05%
SUBJECT ALL CAPS (mostly Nigerian scams): 2.05%
LACNIC (South American) spam sender: 2.05%
Known Spam [From]: 2.05%
DNS Blacklist Servers: 0.51%

This week I made 4 updates to my custom filters:
Known Spam [From],
Misspelled Viagra,
Pics Spam,
Russian Bride Scam


There were no false positives last week. All filters behaved as intended. Note that I now publish three types of spam filters for MailWasher Pro. One type is for the latest 2011 series, in xml format, and two are for the previous series 6.x. One of those filters is set for manual deletions and the other for automatic deletions. You can read all about MailWasher Pro and the filters I write for it, on my MailWasher Pro Custom Filters page.


March 6, 2011

My Spam analysis & filter updates for the week of Feb 28 - Mar 6, 2011

After decreasing sharply last week, spam levels have begun to rise again. My statistics reveal a 9% increase from the previous week. The most recent spam runs have been for illegal-to-import, dangerous prescription drugs, fake brand name watches and various African 419 scams.

These past 7 days, spam for various types of garbage amounted to 33% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I often see the same spam message sent to several of my accounts at the same time. I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from Feb 28 - Mar 6, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 33%; up 9% from last week
Number of messages classified as spam: 164
Number classified by my custom spam filters: 146
Number and percentage of spam according to my custom blacklist: 10
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 2
Number of spam messages seen, reported to SpamCop & manually deleted: 13

The order of spam categories, according to the highest percentages, is as follows:

Pharmaceuticals and illegal prescription drugs: 40.51%
Counterfeit Watches: 13.92%
Known Spam Domains in links (usually Russian: .RU): 13.29%
Fake Viagra and Cialis: 10.13%
Blacklisted sender names and domains (my blacklist): 6.33%
Male Enhancement scams: 3.80%
Other Filters (with small percentages): 3.16%
Pics (Russian Bride) scam: 2.53%
Dating scams: 1.27%
Nigerian 419 scams: 1.27%
SUBJECT ALL CAPS: 1.27%
LACNIC (South American) spam sender: 1.27%
DNS Blacklist Servers: 1.27%

I made just 1 update to my custom filters:
"Pics" Scam (Russian Brides)


There were no false positives last week. All filters behaved as intended. Note that I now publish three types of spam filters for MailWasher Pro. One type is for the latest 2011 series, in xml format, and two are for the previous series 6.x. One of those filters is set for manual deletions and the other for automatic deletions (which I refer to as my Judge Dredd, murder, death, kill rules!). You can read all about MailWasher Pro and the filters I write for it, on my MailWasher Pro Custom Filters page.


February 27, 2011

My Spam analysis & filter updates for the week of Feb 21 - 27, 2011

After increasing slightly last week, my incoming volume of spam has decreased significantly. However, botnets are still spewing out email spam for fake Viagra, counterfeit watches, fake and illegal-to-import Russian prescription drugs, Nigerian lottery/419 scams, pirated software and work at home kit scams.

These past 7 days, spam for various types of garbage amounted to 24% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I often see the same spam message sent to several of my accounts at the same time. I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from Feb 14 - 20, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 24%; down 10% from last week
Number of messages classified as spam: 106
Number classified by my custom spam filters: 97
Number and percentage of spam according to my custom blacklist: 8
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 1
Number of spam messages seen, reported to SpamCop & manually deleted: 18

The order of spam, according to the highest percentages, is as follows:

Pharmaceuticals and fake prescription drugs: 25.47%
Fake Viagra and Cialis: 15.09%
Counterfeit Watches: 12.26%
Blacklisted sender names and domains (my blacklist): 7.55%
Work At Home Scam: 6.60%
Known Spam Domains in links (usually Russian: .RU): 5.66%
Male Enhancement scams: 5.66%
Other Filters (with small percentages): 5.66%
Diploma Spam: 4.72%
Counterfeit Goods: 3.77%
URL Shortener spam links (t.co, etc): 3.77%
Lottery Scam: 2.83%
DNS Blacklist Servers: 0.94%

I made these 2 additions/updates to my custom filters:
Counterfeit Goods
Work At Home Scam

I made 0 changes to my custom Blacklist.


See my extended content for more details about protecting your computers from the threats posed by email spam.


February 20, 2011

My Spam analysis & filter updates for the week of Feb 14 - 20, 2011

After declining for two weeks in a row, my incoming volume of spam has increased slightly. Botnets are still spewing out email spam for fake Viagra, counterfeit watches, fake and illegal-to-import prescription drugs, Nigerian lottery/419 scams and work at home kit scams.

These past 7 days, spam for various types of garbage amounted to 34% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I often see the same spam message sent to several of my accounts at the same time. I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from Feb 14 - 20, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 34%; up 4% from last week
Number of messages classified as spam: 196
Number classified by my custom spam filters: 168
Number and percentage of spam according to my custom blacklist: 10
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 1
Number of spam messages seen, reported to SpamCop & manually deleted: 39

The order of spam, according to the highest percentages, is as follows:

Pharmaceuticals and fake prescription drugs: 31.84%
Other Filters (with small percentages): 12.29%
Fake Viagra and Cialis: 12.29%
Counterfeit Watches: 9.50%
Known Spam Domains in links (usually Russian: .RU): 7.82%
Blacklisted sender names and domains (my blacklist): 5.59%
Image Spam: 5.03%
Pills Spam: 4.47%
Male Enhancement scams: 2.79%
Pirated Software: 2.79%
Work At Home Scam: 2.79%
Subject is All Capital Letters: 2.23%
DNS Blacklist Servers: 0.562%

I made these 7 additions/updates to my custom filters:
APNIC (Asia-Pacific),
Image Spam #11,
Known Spam Domains,
Nigerian 419 Scam #3 [S, F, R],
Pills,
Work At Home Scam (2x)

I made 0 changes to my custom Blacklist.


See my extended content for more details about protecting your computers from the threats posed by email spam.


February 16, 2011

How to protect your company's employees from phishing attacks

Every weekend I write an article about my spam analysis for that week. This often includes details about phishing scams that target individuals and company employees, for the purpose of stealing your identity, logins and passwords to important web sites, private or company information, or trade secrets.

The following is a guest article sent to me by GFI Software, a leading software developer that produces network and email/messaging security solutions for SMEs. GFI is also the owner of Vipre Antivirus. This article deals with protecting your employees from falling victim to phishing scams that arrive via email.

Data, the lifeblood of every organization, is also a magnet for phishing emails and other social engineering scams. Phishing scams come in a variety of flavors but are predominantly pushed through email or, recently on the increase, through social networking sites and Instant Messaging. In essence these carefully crafted emails, appearing totally legitimate, aim to trick unsuspecting employees into giving up personal or financial information which the phisher, in turn, uses to commit fraud and for personal gain.

Understanding how to identify phishing emails and scams is important because it will lead to better management of the problem and afford better protection for your network and data (before your employees thoughtlessly click on them). Below are some points to keep in mind:


  1. Do not trust emails with urgent requests for personal or financial information. Such emails are often near-perfect imitations of genuine messages from banks, credit agencies, official government bodies and online vendor or payment sites. They also tend to come with a lot of dire 'warnings' - deliberately attempting to scare the recipients and force them to click on links and give out details before they have time to properly assess the veracity of the claim. Keep in mind that legitimate senders usually rely on other means to contact you, rather than email. If you have any doubts about the content in, or the sender of, the email, pick up the phone and speak to them directly. Better safe than sorry.

  2. Look out for misspelled URLs and incorrect English - a classic in phishing emails. They are good at tricking people, but they are not always drafted by good writers, so the content is usually peppered with grammatical errors. Phishers also make subtle changes to the spelling of a website URL, for example: http://www.christinsblog.com instead of http://www.christinasblog.com. Look out for these errors.

  3. When receiving an email which addresses you as 'Dear customer', rather than by your first and/or last name, it is probably a scam.

  4. Look out for keywords, such as: 'verify your account' or 'verify your ID' - these are usually found in phishing emails.

  5. Always be suspicious of emails which ask you to click on links. Unless you are sure that the sender is legitimate, never click on links in emails.
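The five points above are heuristics, and each of them can be turned into a mechanical check that a mail gateway or a user-awareness tool applies before a person ever reads the message. The following is an added example, not GFI's code and not part of the original article: it scores a message on urgency language, a generic greeting, credential-bait phrases, the presence of links, and a lookalike domain (a link or sender domain within two edits of a domain on an assumed allowlist, `KNOWN_DOMAINS`). The two sample messages and the weights are constructed for illustration; the URL pair reuses the article's own christinsblog/christinasblog example.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist: domains the organisation really corresponds with.
KNOWN_DOMAINS = {"christinasblog.com"}

# Point 1: dire warnings and time pressure.
URGENCY = re.compile(
    r"\b(urgent|immediately|within \d+ hours|suspended|will be closed)\b", re.I)
# Point 4: credential-bait keywords.
CREDENTIAL_BAIT = re.compile(r"\bverify your (account|id|identity)\b", re.I)
# Point 3: generic greeting instead of the recipient's name.
GENERIC_GREETING = re.compile(r"^\s*dear (customer|user|member|client)\b", re.I | re.M)
# Point 5: links in the message body or subject.
URL = re.compile(r"https?://[^\s'\"<>]+", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot one-letter-off lookalike domains (point 2)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def strip_www(host: str) -> str:
    return host[4:] if host.startswith("www.") else host


def lookalike_domains(hosts, known=KNOWN_DOMAINS):
    """(host, imitated_domain) pairs: hosts within 2 edits of, but not equal to, a known domain."""
    hits = set()
    for host in hosts:
        host = strip_www(host.lower())
        for k in known:
            if host != k and levenshtein(host, k) <= 2:
                hits.add((host, k))
    return sorted(hits)


def score(msg: dict) -> dict:
    """Apply the five checks; each finding carries a weight, a total of 3 or more is suspicious."""
    text = msg["subject"] + "\n" + msg["body"]
    urls = URL.findall(text)
    hosts = [urlparse(u).hostname or "" for u in urls]
    hosts.append(msg["from"].rsplit("@", 1)[-1])  # check the sender domain as well
    findings = {}
    if URGENCY.search(text):
        findings["urgency"] = 1
    if CREDENTIAL_BAIT.search(text):
        findings["credential_bait"] = 2
    if GENERIC_GREETING.search(msg["body"]):
        findings["generic_greeting"] = 1
    if urls:
        findings["has_links"] = 1
    lookalikes = lookalike_domains(hosts)
    if lookalikes:
        findings["lookalike_domain"] = 3
    total = sum(findings.values())
    return {"score": total, "findings": findings, "lookalikes": lookalikes,
            "verdict": "suspicious" if total >= 3 else "ok"}


# Constructed sample messages (hypothetical; not taken from the article).
MESSAGES = {
    "phish": {
        "from": "security@christinsblog.com",
        "subject": "URGENT: verify your account within 24 hours",
        "body": ("Dear customer,\nYour account will be suspended unless you verify "
                 "your account immediately at http://www.christinsblog.com/verify\n"),
    },
    "legit": {
        "from": "newsletter@christinasblog.com",
        "subject": "March newsletter",
        "body": ("Hi Christina,\nHere is this month's roundup. Read more at "
                 "https://www.christinasblog.com/march\n"),
    },
}

if __name__ == "__main__":
    for name, msg in MESSAGES.items():
        print(name, score(msg))
```

The weights are deliberately uneven: a link by itself is worth one point because legitimate newsletters contain links too, while a lookalike domain is worth three because it has no innocent explanation. The legitimate sample scores only for its link and stays under the threshold.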


The next question is how to stop phishing emails in the first place.


February 13, 2011

My Spam analysis & filter updates for the week of Feb 7 - 13, 2011

Something is up with the spam botnets. For the 2nd week in a row my incoming volume of spam has decreased. However, the remaining active botnets are still spewing out email spam for fake Viagra, counterfeit watches, fake and illegal-to-import prescription drugs, pump and dump stocks, Nigerian lottery/419 scams and work at home kit scams.

These past 7 days, spam for various types of garbage amounted to 30% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I often see the same spam message sent to several of my accounts at the same time. I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from Feb 7 - 13, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 30%; down 5% from last week
Number of messages classified as spam: 138
Number classified by my custom spam filters: 129
Number and percentage of spam according to my custom blacklist: 3
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 0
Number of spam messages seen, reported to SpamCop & manually deleted: 17

The order of spam, according to the highest percentages, is as follows:

Pharmaceuticals and fake prescription drugs: 30.30%
Fake Viagra and Cialis: 25.00%
Counterfeit Watches: 20.45%
Known Spam Domains in links (usually Russian: .RU): 5.30%
Work At Home Scam: 4.55%
Nigerian 419 Scams: 3.04%
Lottery Scams: 3.03%
Other Filters (with small percentages): 3.03%
Blacklisted sender names and domains (my blacklist): 2.27%
Pump and Dump stock spam: 1.52%
URL Shortener Links to spam: 1.52%

I made 10 additions/updates to my custom filters:
Canadian Pharmacy,
E-Card Scam,
Known Spam Subjects #2,
Nigerian 419 Scam #3 [S, F, R],
Pump & Dump Scam (2x),
Watches Spam,
Work At Home Scam (3x)

I made 0 changes to my custom Blacklist.


See my extended content for more details about protecting your computers from the threats posed by email spam.


February 6, 2011

My Spam analysis & filter updates for the week of Jan 31 - Feb 6, 2011

After three weeks of increases, my incoming volume of spam has decreased, this time by a whopping 14%. Still, botnets are spewing out email spam for fake Cialis and Viagra, counterfeit watches, bogus male enlargement herbs and pills, illegal-to-import prescription drugs, pirated software, dating scams and work at home (Money Mule - criminal money laundering) scams.

These past 7 days, spam for various types of garbage amounted to 35% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I often see the same spam message sent to several of my accounts at the same time. I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from Jan 31 - Feb 6, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 35%; down 14% from last week
Number of messages classified as spam: 166
Number classified by my custom spam filters: 148
Number and percentage of spam according to my custom blacklist: 14
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 0
Number of spam messages seen, reported to SpamCop & manually deleted: 10

The order of spam, according to the highest percentages, is as follows:

Pharmaceuticals and fake prescription drugs: 26.54%
Counterfeit Watches: 19.14%
Fake Viagra and Cialis: 16.05%
Known Spam Domains in links (usually Russian: .RU): 13.58%
Blacklisted sender names and domains (my blacklist): 8.64%
Male Enhancement scam: 3.09%
Other Filters (with small percentages): 3.09%
Pills spam: 3.09%
Dating spam: 2.47%
Software Spam: 1.85%
URL Shortener Links to spam: 1.87%
Work At Home Scam: 1.23%

I made 4 additions/updates to my custom filters:
Diploma Spam (now using HTML positioning tricks and salad words),
Known Spam Domains,
Unlicensed Prescription Drugs,
Work At Home Scam (money mule scams)

I made 0 changes to my custom Blacklist.


See my extended content for more details about protecting your computers from the threats posed by email spam.


January 30, 2011

My Spam analysis & filter updates for the week of Jan 24 - 30, 2011

For the third week in a row, the volume has increased again. Botnets are again spewing out email spam for fake Cialis and Viagra, counterfeit watches, bogus male enlargement herbs and pills, illegal-to-import prescription drugs, pirated software, Russian brides and work at home (Money Mule - criminal money laundering) scams.

These past 7 days, spam for various types of garbage amounted to 49% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I often see the same spam message sent to several of my accounts at the same time. I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from Jan 24-30, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 49%; up 3% from last week
Number of messages classified as spam: 328
Number classified by my custom spam filters: 279
Number and percentage of spam according to my custom blacklist: 39
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 3
Number of spam messages seen, reported to SpamCop & manually deleted: 20

The order of spam, according to the highest percentages, is as follows:

Pharmaceuticals and fake prescription drugs: 21.50%
Fake Viagra and Cialis: 17.13%
Counterfeit Watches: 16.82%
Known Spam Domains in links (usually Russian: .RU): 15.58%
Blacklisted sender names and domains (my blacklist): 12.15%
Male Enhancement scam: 4.67%
Russian Bride scam: 4.36%
Re: (digits): 1.87%
Other Filters (with small percentages): 1.87%
Software Spam: 1.25%
Work At Home Scam: 1.25%
DNS Blacklisted Senders: 0.93%
Lottery Scam: 0.62%

I made 9 additions/updates to my custom filters:
Dating Spam,
Russian Bride Scam,
Diploma Spam,
Facebook Scam,
Known Spam Domains,
Pump and Dump Scam,
Work At Home Scam (3x),
Viagra [B].
New filter: Russian Bride Scam.

I made 1 change to my custom Blacklist:
[email protected]


January 23, 2011

My Spam analysis & filter updates for the week of Jan 17 - 23, 2011

For the second week in a row, the volume has increased again. Botnets are again spewing out email spam for fake Cialis and Viagra, counterfeit watches, bogus male enlargement herbs and pills, illegal-to-import prescription drugs, pirated software and work at home (Money Mule) scams.

These past 7 days, spam for various types of garbage amounted to 46% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I often see the same spam message sent to several of my accounts at the same time. I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from Jan 17-23, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 46%; up just 2% from last week
Number of messages classified as spam: 285
Number classified by my custom spam filters: 255
Number and percentage of spam according to my custom blacklist: 18
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 0
Number of spam messages seen, reported to SpamCop & manually deleted: 8

The order of spam, according to the highest percentages, is as follows:

Fake Viagra and Cialis: 35.90%
Pharmaceuticals and fake prescription drugs: 29.67%
Counterfeit (Rolex, etc) Watches: 10.99%
Known Spam Domains in links (usually Russian: .RU): 8.79%
Blacklisted sender names and domains (my blacklist): 6.59%
Male Enhancement scams: 2.20%
Other Filters (with small percentages): 1.83%
Nigerian 419 Scam: 1.10%
Software Spam: 1.10%
Work At Home Scam: 1.10%
Re: (digits): 0.73%

I made 2 additions/updates to my custom filters:
Work At Home Scam (2x)

I made 0 changes to my custom Blacklist.


January 16, 2011

My Spam analysis & filter updates for the week of Jan 10 - 16, 2011

After three steady weeks of declining spam, the volume has spiked up again. Botnets are again spewing out email spam for fake Cialis and Viagra, counterfeit watches, bogus male enlargement herbs and pills, illegal-to-import prescription drugs, pirated software and Russian dating scams.

These past 7 days, spam for various types of garbage amounted to 44% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I often see the same spam message sent to several of my accounts at the same time. I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from Jan 10-16, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 44%; up 12% from last week
Number of messages classified as spam: 237
Number classified by my custom spam filters: 228
Number and percentage of spam according to my custom blacklist: 1
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 0
Number of spam messages seen, reported to SpamCop & manually deleted: 12

The order of spam, according to the highest percentages, is as follows:

Fake Viagra and Cialis: 34.50%
Pharmaceuticals and fake prescription drugs: 21.83%
Counterfeit (Rolex, etc) Watches: 13.54%
Male Enhancement scams: 10.92%
Dating Spam (Russian Bride scams): 7.42%
Known Spam Domains in links (usually Russian: .RU): 3.49%
Software Spam: 3.06%
Other Filters (with small percentages): 2.18%
Numeric IP (to malware attack sites): 0.87%
Lottery Scam: 0.87%
Work AT Home Scam: 0.87%
Blacklisted sender names and domains: 0.44%

I made 3 additions/updates to my custom filters:
Lottery Scam
Work At Home Scam
Pump and Dump Stock Scam

I made 0 changes to my custom Blacklist:


January 9, 2011

My Spam analysis & filter updates for the week of Jan 3 - 9, 2011

Again this week, fewer spammers than previously are still promoting fake Cialis and Viagra, counterfeit watches, bogus male enlargement herbs and pills, illegal to import prescription drugs, fake e-cards or messages containing only a link to malware exploit sites, fake product recommendations and dating scams.

This past 7 days, spam for various types of garbage amounted to 32% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I often see the same spam message sent to several of my accounts at the same time. I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from Jan 3 - 9, 2011. These classifications are based upon my own custom MailWasher spam filters.

MailWasher Pro by Firetrust
Percentage classified as spam: 32%; down 6% from last week (-16% over 2 wks!)
Number of messages classified as spam: 139 
Number classified by my custom spam filters: 127
Number and percentage of spam according to my custom blacklist: 1
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 0
Number of spam messages seen, reported to SpamCop & manually deleted: 1
The order of spam according to the highest percentages, is as follows:
Pharmaceuticals and fake prescription drugs: 31.25%
Fake Viagra and Cialis: 21.88%
Counterfeit (Rolex, etc) Watches: 19.53%
Male Enhancement scams: 19.53%
Pills: 3.91%
Known Spam Domains in links (usually Russian: .RU): 1.56%
Blacklisted sender names and domains: 0.78%
Dating Spam (Russian Bride scams): 0.78%
E-Card Scam (containing Botnet infection links): 0.78%

I made 1 addition/update to my custom filters:
New filter: E-card Scam (Storm 3.0 or Waledac 2.0 Botnet)

I made 0 changes to my custom Blacklist:


January 5, 2011

Spam volumes have declined up to 45% from June to December 2010

I publish a weekly report on my personal analysis of spam volume and categories, on this blog. Over the last quarter of 2010 there has been a very significant drop in the volume of mail classified as spam. In fact, since spam peaked at 70% of my incoming mail for the week of June 14 through 20, 2010, it had declined by 45 percent by the last week of December, 2010, through January 2, 2011.

Prologue

Other security companies and writers have also been curious about why this huge decline has occurred. Now, we may have found some believable answers to that question. There is a threefold answer that I believe will explain this phenomenon: Botnet command and control server shutdowns, arrests of Bot Masters and the closure of a spam affiliate program.

First of all, virtually all spam is sent through compromised (Windows) computers that have been infected with Bot programs that cause them to become spam relays. The actual spammers buy the use of Botnets, which are owned and maintained by seasoned cyber criminals, many of whom reside in the former USSR. These (Russian, Ukrainian, Latvian, etc.) "Bot Herders" have until recently enjoyed total immunity from prosecution by means of payoffs and by flying under the "radar" of local authorities. That began to change in the Fall of 2010.

Since October, 2010, there have been a number of high profile arrests made of the individuals behind the major Botnets and the purveyors of the files that are used to infect PCs. Some of the World's most prolific spammers and Bot Masters are either in jail, or under indictment in the USA, Spain, The Ukraine, Russia and Great Britain.

Additionally, after much input from security companies and International Police agencies, Visa, MasterCard and PayPal have ceased processing payments for sales of illegal pharmaceuticals and commissions to affiliates of several spam networks, like "Spamit," forcing them to go out of business. Spamit, a Russian crime operation, was the promoter of the now defunct (and fake) "Canadian Pharmacy" websites. Spamit paid large commissions to thousands of minor and major affiliates who rented the use of Botnets to send spam runs for the Canadian Pharmacy, and others with similar names. Spamit shut down operations in October, 2010. Spam for the "Canadian" Pharmacies still continued to account for a large percentage of all spam that month. This was due to the fact that individual spammers had already paid to use Botnets to send spam for those pharmacy sites and the spam templates were already dispensed to the zombie computers in those Botnets.

As the affiliates began to realize that they would not be paid any commissions for sales to gullible people, the volume of Canadian Pharmacy spam dropped, until it ceased to exist, around December, 2010.


January 2, 2011

My Spam analysis & filter updates for the week of Dec 27, 2010 - Jan 2, 2011

This week, fewer spammers than usual are still promoting fake Cialis and Viagra, counterfeit watches, bogus male enlargement herbs and pills, illegal to import prescription drugs, fake e-cards or messages containing only a link to malware exploit sites, fake product recommendations and Nigerian 419 scams.

This past 7 days, spam for various types of garbage amounted to 38% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I often see the same spam message sent to several of my accounts at the same time. I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from Dec 27, 2010 - Jan 2, 2011. These classifications are based upon my own custom MailWasher spam filters.

MailWasher Pro by Firetrust
Percentage classified as spam: 38%; down 10% from last week
Number of messages classified as spam: 172 
Number classified by my custom spam filters: 161
Number and percentage of spam according to my custom blacklist: 3
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 2
Number of spam messages seen, reported to SpamCop & manually deleted: 6
The order of spam according to the highest percentages, is as follows:
Counterfeit (Rolex, etc) Watches: 26.32%
Male Enhancement scams: 26.32%
Fake Viagra and Cialis: 25.73%
Pharmaceuticals and fake prescription drugs: 11.70%
Known Spam Domains in links (usually Russian: .RU): 2.92%
Blacklisted sender names and domains: 1.75%
Other miscellaneous filters (small percentages each): 1.74%
African Sender (419 scams): 1.17%
DNS Blacklisted Servers (RBL): 1.17%
Hidden ISO Subjects: 0.58%
Re: or Fwd spam: 0.58%

I made 1 addition/update to my custom filters:
New filter: Dating Spam #2

I made 0 changes to my custom Blacklist:


December 26, 2010

My Spam analysis & filter updates for the week of Dec 20 - 26, 2010

With Christmas just over, spammers took what they could from the pockets of gullible Netizens. They used a variety of come-ons, including appeals to male vanity and a few Trojans to deceive and rob people of their hard earned money.

This week, spammers are still promoting fake Viagra, counterfeit watches, bogus male enlargement herbs and pills, illegal to import prescription drugs, fake e-cards (malware) and Russian dating scams.

This past 7 days, spam for various types of garbage amounted to 48% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I often see the same spam message sent to several of my accounts at the same time. I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from December 20 - 26, 2010. These classifications are based upon my own custom MailWasher spam filters.

MailWasher Pro by Firetrust
Percentage classified as spam: 48%; up 1% from last week
Number of messages classified as spam: 240 
Number classified by my custom spam filters: 237
Number and percentage of spam according to my custom blacklist: 3
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 0
Number of spam messages seen, reported to SpamCop & manually deleted: 5
The order of spam according to the highest percentages, is as follows:
Fake Viagra and Cialis: 24.58%
Male Enhancement scams: 20.83%
Counterfeit (Rolex, etc) Watches: 19.58%
Pharmaceuticals and fake prescription drugs: 16.67%
Known Spam Domains in links (usually Russian: .RU): 10.83%
Dating (Russian Bride scams): 3.75%
Blacklisted sender names and domains: 1.26%
Other miscellaneous filters (small percentages each): 1.25%
Charset=iso-8859-2 (Latvia, etc): 0.83%
Nigerian Lottery Scam: 0.42%

I made 2 additions/updates to my custom filters:
APNIC,
Known Spam Domains

I made 1 change to my custom Blacklist:
*e-card-delivery@+


December 20, 2010

My Spam analysis & filter updates for the week of Dec 13 - 19, 2010

With Christmas arriving this coming weekend, spammers have ramped up their efforts into overdrive, in order to divert some of your hard earned dollars into their purloined pockets. Don't be fooled by their email pitches. Spam offers are fraudulent, dealing in fake goods and payment ripoffs.

This week, spammers are mostly promoting fake Viagra, counterfeit watches, bogus male enlargement herbs and pills, illegal to import prescription drugs, and Russian dating scams.

This past 7 days, spam for various types of garbage amounted to 47% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I often see the same spam message sent to several of my accounts at the same time. I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from December 13 - 19, 2010. These classifications are based upon my own custom MailWasher spam filters.

MailWasher Pro by Firetrust
Percentage classified as spam: 47%; down 4% from last week
Number of messages classified as spam: 322 
Number classified by my custom spam filters: 242
Number and percentage of spam according to my custom blacklist: 13
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 2
Number of spam messages seen, reported to SpamCop & manually deleted: 13
The order of spam according to the highest percentages, is as follows:
Fake Viagra and Cialis: 40.86%
Counterfeit (Rolex, etc) Watches: 19.84%
Male Enhancement scams: 10.51%
Dating (Russian Bride scams): 6.61%
Pharmaceuticals and fake prescription drugs: 6.23%
Blacklisted sender names and domains: 5.06%
Known Spam Domains in links (usually Russian: .RU): 4.67%
Numeric IP hostile link (hijacked PCs): 1.95%
Other miscellaneous filters (small percentages each): 1.95%
Charset=iso-8859-2 (Latvia, etc): 0.78%
Nigerian Lottery Scam: 0.78%
DNS Blacklisted Servers: 0.78%

I made 1 addition/update to my custom filters:
Known Spam [From]

I made 1 change to my custom Blacklist:
*easy-e-card*@+

Take my advice and never reply to spam email, just delete it. Don't bother trying to unsubscribe from spam mail lists. Nobody ever gets de-listed; you will only confirm that your email address is valid by using the bogus unsubscribe links. Think about it: if you never signed up to receive the (fake) goods advertised in a spam email, why should you have to unsubscribe? The unsubscribe links are not honored. However, people using them are added to databases of proven live accounts and their names are sold to other spammers.

Spammers are slimeball criminals and fraudsters, not legitimate business people. Never buy anything that is spamvertised. If you do, you will give your credit or debit card details to hardened criminals, in far away places. If you purchase illicit controlled drugs from abroad, they are subject to seizure by US Customs. It is against the law to import prescription drugs without a valid prescription issued by a physician who is validly licensed in the USA. And, if you actually receive Asian prescription pills ordered from a spam email link, the drugs may do nothing, or may harm you, or even kill you.

A word regarding knockoff watches: they are made in China, have no applicable warranty, cannot be returned if defective, are sold by criminal spammers, and are inferior to the real items they are copying. If you buy a counterfeit name brand watch, know that a fool and his money soon will part! Ditto for fake diplomas that are offered from time to time and all of the fake Viagra pills and enlargement scams that appear every day.


December 12, 2010

My Spam analysis & filter updates for the week of Dec 6 - 12, 2010

With Christmas around the corner, spammers are ramping up their efforts to get some of your hard earned dollars and infect more machines, for use in Botnets. There is a virtual flood of crap mail deluging email inboxes this week, mostly hawking things like fake Viagra, counterfeit watches and designer bags and jewelry, illegal to import prescription drugs, bogus male enlargement herbs and pills, the tail end of a Pump and Dump penny stock scam (DYNV) and a handful of work at home money laundering scams (money mule recruiters for bank account stealing Trojans, like Zeus and similar info stealing Bots). There were a few phishing scams thrown into the mix, earlier in the week.

This past 7 days, spam for various types of garbage amounted to 51% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I often see the same spam message sent to several of my accounts at the same time. I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from December 6 - 12, 2010. These classifications are based upon my own custom MailWasher spam filters.

MailWasher Pro by Firetrust
Percentage classified as spam: 51%; down 5% from last week
Number of messages classified as spam: 370 
Number classified by my custom spam filters: 353
Number and percentage of spam according to my custom blacklist: 15
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 2
Number of spam messages seen, reported to SpamCop & manually deleted: 39
The order of spam according to the highest percentages, is as follows:
Fake Viagra and Cialis: 37.30%
Counterfeit (Rolex, etc) Watches: 14.05%
Pharmaceuticals and fake prescription drugs: 13.24%
Male Enhancement scams: 7.30%
Other miscellaneous filters (small percentages each): 6.22%
Known Spam Domains in links (usually Russian: .RU): 5.68%
Counterfeit Goods: 5.41%
Blacklisted sender names and domains: 4.05%
Charset=iso-8859-2 (Latvia, etc): 2.16%
Numeric IP hostile link (hijacked PCs): 1.62%
Russian Sender: 1.35%
Work At Home Scams (money laundering stolen funds): 1.08%
DNS Blacklisted Servers: 0.54%

I made 1 addition/update to my custom filters:
Counterfeit Goods

I made no changes to my custom Blacklist:

Take my advice and never reply to spam email, just delete it. Never buy anything that is spamvertised. If you do, you will give your credit or debit card details to hardened criminals, in far away places. If you purchase illicit controlled drugs from abroad, they are subject to seizure by US Customs. It is against the law to import prescription drugs without a valid prescription issued by a physician who is validly licensed in the USA.

A word regarding knockoff watches: they are made in China, have no applicable warranty, cannot be returned if defective, are sold by criminal spammers, and are inferior to the real items they are copying. If you buy a counterfeit name brand watch, know that a fool and his money soon will part! Ditto for fake diplomas that are offered from time to time.


December 5, 2010

My Spam analysis & filter updates for the week of Nov 29 - Dec 5, 2010

Look out Christmas shoppers! Spammers are ramping up their efforts to get some of your hard earned dollars. There is a virtual flood of crap mail deluging email inboxes this week, mostly hawking things like fake Viagra, counterfeit watches, illegal to import prescription drugs, bogus male enlargement herbs and pills, Russian dating and "chat" scams and work at home money laundering scams (money mule recruiters for bank account stealing Trojans, like Zeus/Licat and similar Bots).

Note: if you fall for a money mule recruiter scam (work at home and make $$$ per day/week) and become involved in transferring stolen funds overseas, you could go to jail for being an active accomplice in a money laundering scheme (of money stolen from bank accounts by hidden keystroke logging Bots). Always use the best anti-malware protection you can afford, like Trend Micro Titanium Internet Security and Malwarebytes' Anti-Malware (MBAM). These two commercial programs can detect, remove and block most badware being released on a daily basis. If you run MBAM as freeware, make sure you update it before scanning, and scan every day!

This past 7 days, spam for various types of garbage amounted to 56% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I often see the same spam message sent to several of my accounts at the same time. I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from November 29, through December 5, 2010. These classifications are based upon my own custom MailWasher spam filters.

MailWasher Pro by Firetrust
Percentage classified as spam: 56%; down 4% from last week
Number of messages classified as spam: 469 
Number classified by my custom spam filters: 419
Number and percentage of spam according to my custom blacklist: 23
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 5
Number of spam messages seen, reported to SpamCop & manually deleted: 30
The order of spam according to the highest percentages, is as follows:
Counterfeit (Rolex, etc) Watches: 23.49%
Fake Viagra and Cialis: 22.82%
Illegal to import and fake prescription drugs: 19.02%
Male Enhancement scams: 9.4%
Blacklisted sender names and domains: 5.15%
Other miscellaneous filters (small percentages each): 5.15%
Known Spam Domains in links (usually Russian: .RU): 4.25%
Dating/Chat scams ("Russian Brides"): 2.91%
Work At Home Scams (money laundering stolen funds): 2.24%
Numeric IP link (hijacked PCs): 1.79%
Pump and Dump Stock scams (like DYNV): 1.57%
Russian Sender: 1.12%
DNS Blacklisted Servers: 1.12%

I made 5 additions/updates to my custom filters:
APNIC (China, etc)
Dating Scams
Male Enhancement scams
Watches (fake, counterfeit Rolex, etc)
Work At Home Scams ("money mule" recruiters)

I made these changes to my custom Blacklist:
[email protected] (fails to honor repeated unsubscribe requests!)

Take my advice and never reply to spam email, just delete it. Never buy anything that is spamvertised. If you do, you will give your credit or debit card details to hardened criminals, in far away places. If you purchase illicit controlled drugs from abroad, they are subject to seizure by US Customs. It is against the law to import prescription drugs without a valid prescription issued by a physician who is validly licensed in the USA. Finally, there is no actual Canadian Pharmacy. If you see email purporting to come from Canadian Pharmacy, or any variation of those words, delete it. The non-existent company was conceived by Russian spammers. Any drugs actually shipped come from illicit pharmaceutical knockoff factories in Asia.


November 28, 2010

My Spam analysis & filter updates for the week of Nov 22 - 28, 2010

Look out Holiday shoppers! Spammers are ramping up their efforts to get some of your hard earned dollars. There is a virtual flood of crap mail deluging email inboxes this week, mostly hawking things like fake Viagra, counterfeit watches, illegal to import prescription drugs and bogus male enlargement herbs and pills.

This past 7 days, spam for these types of garbage amounted to 60% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I often see the same spam message sent to several of my accounts at the same time. I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from November 22, through 28, 2010. These classifications are based upon my own custom MailWasher spam filters.

MailWasher Pro by Firetrust
Percentage classified as spam: 60%; up 6% from last week
Number of messages classified as spam: 479 
Number classified by my custom spam filters: 393
Number and percentage of spam according to my custom blacklist: 58
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 4
Number of spam messages seen, reported to SpamCop & manually deleted: 19
The order of spam according to the highest percentages, is as follows:
Counterfeit watches: 22.42%
Fake Viagra and Cialis: 21.98%
Illicit pharmaceuticals: 19.34%
Blacklisted sender names and domains: 12.75%
Male Enhancement scams: 8.57%
Known Spam Domains in links (pirated software): 4.40%

Other filters that had some measurable percentages included pump and dump stock scams, fake diplomas, counterfeit goods, numeric links (to Botnetted computers) and bogus loan services.

I made only one addition to my custom filters:
Eastern European Sender

I made these changes to my custom Blacklist:
*penis+@+
en1arge+@+
[email protected]
[email protected]

Take my advice and never reply to spam email, just delete it. Never buy anything that is spamvertised. If you do, you will give your credit or debit card details to hardened criminals. If you purchase illicit controlled drugs from abroad, they are subject to seizure by US Customs. It is against the law to import prescription drugs without a valid prescription issued by a physician who is validly licensed in the USA. Finally, there is no actual Canadian Pharmacy. If you see email purporting to come from Canadian Pharmacy, or any variation of those words, delete it. The non-existent company was conceived by Russian spammers. Any drugs actually shipped come from illicit pharmaceutical knockoff factories in Asia.


November 21, 2010

My Spam analysis & filter updates for the week of Nov 15 - 21, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

My incoming spam levels have decreased 10% this week, to 54% of all my incoming email. Most of the spam was for counterfeit Viagra, male enhancement herbal scams, illicit and dangerous pharmaceuticals, counterfeit Chinese "Rolex" watches and cuff-links, fake diplomas, Russian dating scams and pirated software hosted on a "bulletproof" Ukrainian spam server. There were a few phishing scams and a bunch of strange spams with nothing but a couple of random characters in the subject and body. These come from Latvia and neighboring countries, and use the ISO 8859-2 character code.

The classifications of spam in my analysis (below) can help you adjust your email filters according to what is most common, on a weekly basis. If you are using my custom MailWasher Pro filters, keep the filters for the highest percentage categories of spam near the top of the filters list, to minimize the impact on your CPU when analyzing incoming messages for spam content.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses.

Sometimes, your own email address is forged as the sender, as well as being the recipient. The practice of forging the recipient's own email address in the From field is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Nov 15 - 21, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.


November 14, 2010

My Spam analysis & filter updates for the week of Nov 8 - 14, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

My incoming spam levels have increased 10% this week, to 64% of all my incoming email. Most of the spam was typical junkmail for male enhancement scams, illicit pharmaceuticals, counterfeit Chinese watches and cufflinks, counterfeit Cialis and Viagra, fake diplomas, Russian dating scams, a new pump and dump stock scam, and a few fake DHL messages containing malware attachments.

The classifications of spam in my analysis (below) can help you adjust your email filters according to what is most common, on a weekly basis. If you are using my custom MailWasher Pro filters, keep the filters for the highest percentage categories of spam near the top of the filters list, to minimize the impact on your CPU when analyzing incoming messages for spam content.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses.

Sometimes, your own email address is forged as the sender, as well as being the recipient. The practice of forging the recipient's own email address in the From field is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Nov 8 - 14, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.


November 7, 2010

My Spam analysis & filter updates for the week of Nov 1 - 7, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

My incoming spam levels have decreased 1% this week, to 54% of all my incoming email. Most of the spam was typical junkmail for illicit pharmaceuticals, counterfeit Cialis and Viagra, counterfeit Chinese watches, male enhancement scams, fake diplomas, Russian dating scams 419 fraud and a few phishing scams.

The classifications of spam in my analysis (below) can help you adjust your email filters according to what is most common, on a weekly basis. If you are using my custom MailWasher Pro filters, keep the filters for the highest percentage categories of spam near the top of the filters list, to minimize the impact on your CPU when analyzing incoming messages for spam content.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses.

Sometimes, your own email address is forged as the sender, as well as being the recipient. The practice of forging the recipient's own email address in the From field is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.
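The two filter behaviours described above, first-match ordering by category frequency and a whitelist-overriding "Joe Job" rule, can be modelled in a few lines. The following is an added example, not MailWasher Pro's own code: it is a small Python screener with a constructed set of filters and messages (the addresses, subjects and patterns are made up for illustration) that counts how many regex evaluations each message costs before and after the filters are re-sorted by how often they fired.

```python
import re
from dataclasses import dataclass
from email.utils import parseaddr
from typing import Callable, Optional


@dataclass
class Message:
    sender: str
    recipient: str
    subject: str
    body: str


@dataclass
class Filter:
    name: str                      # category reported in the statistics pie chart
    pattern: re.Pattern            # tested against Subject + body
    override_friends: bool = False # run even when the sender is on the Friends list
    condition: Optional[Callable[[Message], bool]] = None  # cheap pre-check before the regex


def addr(header: str) -> str:
    return parseaddr(header)[1].lower()


def is_joe_job(msg: Message) -> bool:
    """A Joe Job forges the recipient's own address as the sender."""
    return addr(msg.sender) == addr(msg.recipient)


def classify(msg: Message, filters, friends):
    """Return (category, regex_evaluations). The first matching filter wins,
    so filters for the most common categories should sit near the top."""
    text = f"{msg.subject}\n{msg.body}"
    whitelisted = addr(msg.sender) in friends
    regex_evals = 0
    for f in filters:
        if whitelisted and not f.override_friends:
            continue  # Friends list short-circuits ordinary filters
        if f.condition is not None and not f.condition(msg):
            continue  # pre-check failed; regex never runs
        regex_evals += 1
        if f.pattern.search(text):
            return f.name, regex_evals
    return "good", regex_evals


def tally(corpus, filters, friends):
    """Category counts plus total regex work for a whole corpus."""
    counts, total = {}, 0
    for msg in corpus:
        category, n = classify(msg, filters, friends)
        counts[category] = counts.get(category, 0) + 1
        total += n
    return counts, total


def order_by_frequency(filters, counts):
    """Most frequently matched categories first (stable for ties)."""
    return sorted(filters, key=lambda f: counts.get(f.name, 0), reverse=True)


I = re.IGNORECASE
# Constructed filter list, deliberately in a poor order (rarest category on top).
FILTERS = [
    Filter("phishing", re.compile(r"verify your (account|password)|suspended", I)),
    Filter("diplomas", re.compile(r"\bdiploma\b|degree program", I)),
    Filter("watches",  re.compile(r"\b(replica|rolex)\b", I)),
    Filter("pharmacy", re.compile(r"\b(viagra|cialis)\b|canadian pharmacy", I)),
    # Joe Job rule: overrides the Friends list, but only when From == To.
    Filter("joe_job",  re.compile(r"\b(viagra|cialis|pharmacy)\b", I),
           override_friends=True, condition=is_joe_job),
]
FRIENDS = {"me@example.com", "bob@example.com"}  # constructed whitelist
CORPUS = [  # constructed sample messages
    Message("a1@example.net", "me@example.com", "Cheap Viagra", "Best prices, discreet shipping"),
    Message("a2@example.net", "me@example.com", "Canadian Pharmacy sale", "Cialis and Viagra at 80% off"),
    Message("a3@example.net", "me@example.com", "Re: your order", "Viagra 100mg, overnight delivery"),
    Message("a4@example.net", "me@example.com", "Replica Rolex watches", "Swiss movement, free shipping"),
    Message("a5@example.net", "me@example.com", "Get your diploma today", "No classes required"),
    Message("bob@example.com", "me@example.com", "Lunch?", "Same place at noon?"),
    Message("me@example.com", "me@example.com", "hello", "Buy Cialis now"),  # Joe Job
    Message("a6@example.net", "me@example.com", "Account notice",
            "Your account has been suspended. Verify your password within 24 hours."),
]


def demo():
    before, evals_before = tally(CORPUS, FILTERS, FRIENDS)
    reordered = order_by_frequency(FILTERS, before)
    after, evals_after = tally(CORPUS, reordered, FRIENDS)
    # Same verdicts, fewer regex evaluations once the list is sorted by frequency.
    return evals_before, evals_after, before == after


if __name__ == "__main__":
    print(demo())
    print(classify(CORPUS[6], FILTERS, FRIENDS))  # Joe Job caught despite the whitelist
```

On this constructed corpus the verdicts are identical either way, but total regex work drops from 19 to 13 evaluations after re-sorting, which is the effect the ordering advice aims at. The Joe Job message from a whitelisted address is still flagged because its filter carries the override flag and the From == To pre-check.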

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Nov 1 - 7, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

Continue reading "My Spam analysis & filter updates for the week of Nov 1 - 7, 2010" »


October 31, 2010

My Spam analysis & filter updates for the week of Oct 25 - 31, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

My incoming spam levels have decreased 11% this week, to 55% of all my incoming email. Most of the spam was typical junkmail for counterfeit Cialis and Viagra and other illicit prescription drugs, male enhancement scams, counterfeit Chinese watches, fake diplomas, Russian dating scams and pirated software (Russian).

The classifications of spam in my analysis (below) can help you adjust your email filters according to what is most common, on a weekly basis. If you are using my custom MailWasher Pro filters, keep the filters for the highest percentage categories of spam near the top of the filters list, to minimize the impact on your CPU when analyzing incoming messages for spam content.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses.

Sometimes, your own email address is forged as the sender, as well as being the recipient. The practice of forging the recipient's own email address in the From field is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Oct 25 - 31, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

Continue reading "My Spam analysis & filter updates for the week of Oct 25 - 31, 2010" »


October 24, 2010

My Spam analysis & filter updates for the week of Oct 18 - 24, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

My incoming spam levels have increased 3% this week, to 66% of all my incoming email. Most of the spam was typical junkmail for counterfeit Cialis and Viagra and other illicit prescription drugs, male enhancement scams, counterfeit Chinese watches, fake diplomas, "pics" dating scams from Russia and a few phishing scams.

The classifications of spam in my analysis (below) can help you adjust your email filters according to what is most common, on a weekly basis. If you are using my custom MailWasher Pro filters, keep the filters for the highest percentage categories of spam near the top of the filters list, to minimize the impact on your CPU when analyzing incoming messages for spam content.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses.

Sometimes, your own email address is forged as the sender, as well as being the recipient. The practice of forging the recipient's own email address in the From field is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Oct 18 - 24, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

Continue reading "My Spam analysis & filter updates for the week of Oct 18 - 24, 2010" »


October 18, 2010

My Spam analysis & filter updates for the week of Oct 11 - 17, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

My incoming spam levels have increased 2% this week, to 63% of all my incoming email. Most of the spam was typical junkmail for counterfeit Cialis and Viagra and other illicit prescription drugs, male enhancement scams, counterfeit Chinese watches, fake diplomas, "pics" dating scams from Russia and a slew of fake Electronic Tax Payment phishing scams.

October 1st saw the shutdown of the criminal Spamit affiliate payment network through which the spammers promoting the fake "Canadian Pharmacy" websites received commissions. They simply moved over to the already operating medical and dating spam affiliate network: Bunker.biz. That operation is run out of The Ukraine and Russia, with fake pharmacy websites hosted on compromised PCs belonging to various spam Botnets. The replacements for the now dead "Canadian Pharmacy" network are Canadian Neighbor Pharmacy and Canadian Health and Care Mall. No matter what name they go by, or what certificates and licenses they display, they are all fake, as are the drugs they sell. They are as Canadian as the Pope! The sole reason for their existence is to scam gullible Americans into using their credit and debit cards to buy fake pharmaceuticals.

The classifications of spam in my analysis (below) can help you adjust your email filters according to what is most common, on a weekly basis. If you are using my custom MailWasher Pro filters, keep the filters for the highest percentage categories of spam near the top of the filters list, to minimize the impact on your CPU when analyzing incoming messages for spam content.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses.

Sometimes, your own email address is forged as the sender, as well as being the recipient. The practice of forging the recipient's own email address in the From field is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Oct 11 - 17, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

Continue reading "My Spam analysis & filter updates for the week of Oct 11 - 17, 2010" »


October 10, 2010

My Spam analysis & filter updates for the week of Oct 4 - 10, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

My incoming spam levels have increased 3% this week, to 61% of all my incoming email. Most of the spam was typical junkmail for fake Cialis and Viagra, illicit prescription drugs, male enhancement scams, counterfeit Chinese watches, fake diplomas and a few fake Electronic Tax Payment scams. I also saw one new Twitter scam, which may be something to watch for next week.

October 1st saw the shutdown of the affiliate payment network through which the promoters (spammers) of the fake "Canadian Pharmacy" websites received commissions. These sites have plagued the Internet for about 4 years until now. The operation and creation of website templates was run out of Russia, but the fake websites were all hosted on compromised PCs belonging to various spam Botnets. The drugs they delivered, if they delivered any at all, were counterfeit and made in China and India. All were illegal to import into the USA or Canada and many unwary buyers had their drugs seized by Customs. It is an established fact that the Canadian Pharmacy websites have absolutely nothing to do with Canada. All of the testimonials, logos and certificates on those sites were either stolen or fake.

The classifications of spam in my analysis (below) can help you adjust your email filters according to what is most common, on a weekly basis. If you are using my custom MailWasher Pro filters, keep the filters for the highest percentage categories of spam near the top of the filters list, to minimize the impact on your CPU when analyzing incoming messages for spam content.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses.

Sometimes, your own email address is forged as the sender, as well as being the recipient. The practice of forging the recipient's own email address in the From field is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Oct 4 - 10, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

Continue reading "My Spam analysis & filter updates for the week of Oct 4 - 10, 2010" »


October 3, 2010

My Spam analysis & filter updates for the week of Sept 27 - Oct 3, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

My incoming spam levels have decreased 2% this week, to 58% of all my incoming email. Most of the spam was typical junkmail for counterfeit Chinese watches, fake Cialis and Viagra, illicit prescription drugs and male enhancement scams. There were also some new variations of the malware-attachment scams, this time fake CV resumes in zip files. There was a dangerous link spam campaign, posing as LinkedIn messages, leading to serious exploit attacks and the Zeus banking credential stealing Trojan. Finally, there was spam for fake diplomas, and some pirated OEM software, hosted on Russian domains.

The LinkedIn attack was coordinated and sent (via Botnets) by the same people behind the malware infected fake CV resumes (Zeus Trojan). They are headquartered in The Ukraine and 5 of them were just arrested this week. Another 11 were arrested in The UK and dozens more were arrested or had warrants issued in the USA. Almost all are Russians, Ukrainians and people from other Eastern European countries. Quite a few in the US are Russian students here on J1 Student Visas.

The classifications of spam in my analysis (below) can help you adjust your email filters according to what is most common, on a weekly basis. If you are using my custom MailWasher Pro filters, keep the filters for the highest percentage categories of spam near the top of the filters list, to minimize the impact on your CPU when analyzing incoming messages for spam content.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses.

Sometimes, your own email address is forged as the sender, as well as being the recipient. The practice of forging the recipient's own email address in the From field is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Sept 27 - Oct 3, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

Continue reading "My Spam analysis & filter updates for the week of Sept 27 - Oct 3, 2010" »


September 27, 2010

Tips on How to Avoid Spam Before it Reaches Your Server

The following is a guest article submitted by Veronica Henry, on behalf of GFI Software, a leading software developer that produces network and messaging security solutions for SMBs. More information about GFI anti-spam solution can be found at http://www.gfi.com/mes.

Spam comes in two varieties: the more harmless advertising form, or the more malicious form, released with the intent to pilfer data. In either instance though, service disruption is a real possibility. Precious network bandwidth may become clogged, bringing company operations to a standstill. And a breach of proprietary or customer-sensitive data can result in additional financial and reputation damages.

The question of how to avoid spam begins with the discussion of how your email address winds up in the hands of spammers. There are a number of ways, from employee misuse to directory harvest attacks. The answer then, lies in first learning to protect your online identity.

For many end-users, how to prevent spam is an afterthought. They may have grown accustomed to clicking the "spam" button on their email clients and giving no further thought to how their own actions may contribute to the problem. Consequently, corporations should consider employee education a critical component to their spam eradication policies.

Simple steps like not clicking on suspicious links or not copying other employees on chain emails could go a long way towards not introducing the problem into the work environment.

While a good initial strategy, in truth, these steps are often not enough. Sooner or later, an offender will appear in your inbox. So, in order to address the issue in the most efficient manner, a software-based solution is called for.

There are two forms of anti-spam software in this category: host (or PC) based or server based. For the enterprise, a server solution, managed by skilled system administrators, is probably best. It works by identifying potential spam and filtering it such that only legitimate emails are forwarded to the intended recipient on the corporate network. This can relieve employees of the productivity-sapping task of managing spam, and can ease the strain on already taxed server resources.

Spam is a problem that doesn't show any signs of waning, so having a solid software-based solution, that is customizable, will ensure that your corporate network will become less susceptible to spam and its associated risks.

Additional readings:

Bayesian Spam Filtering
Why spamming is an easy business - and the problems it causes

This guest post was provided by Veronica Henry on behalf of GFI Software, a leading software developer that produces network and messaging security solutions for SMBs. More information about GFI anti-spam solution can be found at http://www.gfi.com/mes

All product and company names herein may be trademarks of their respective owners.


September 26, 2010

My Spam analysis & filter updates for the week of Sept 20 - 26, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

My incoming spam levels have increased a whopping 12% this week, to 60% of all my incoming email. Most of the spam was typical junkmail for counterfeit Chinese watches, fake Cialis and Viagra, illicit prescription drugs and male enhancement scams. There was a continuation of a strange type of spam, with the subject "hello" and the body text: "How are you?" There were also some new variations of the malware-attachment scams, such as fake UPS invoices and fake CV resumes in zip files. Finally, there was a measurable amount of spam for fake diplomas and pirated OEM software, hosted on Russian domains.

The classifications of spam in my analysis (below) can help you adjust your email filters according to what is most common, on a weekly basis. If you are using my custom MailWasher Pro filters, keep the filters for the highest percentage categories of spam near the top of the filters list, to minimize the impact on your CPU when analyzing incoming messages for spam content.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses.

Sometimes, your own email address is forged as the sender, as well as being the recipient. The practice of forging the recipient's own email address in the From field is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Sept 20 - 26, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

Continue reading "My Spam analysis & filter updates for the week of Sept 20 - 26, 2010" »


September 19, 2010

My Spam analysis & filter updates for the week of Sept 13 - 19, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

My incoming spam levels have decreased 5% this week, to 48% of all my incoming email. Most of the spam was typical junkmail for counterfeit Chinese watches, fake Cialis and Viagra, illicit prescription drugs and male enhancement scams. There was also a new type of spam in the wild, with the subject "hello" and the body text: "How are you?" I'm not sure if this was a dry run for a spam blast, or if the reply to addresses are being monitored by Botmasters, or spammers.

The classifications of spam in my analysis (below) can help you adjust your email filters according to what is most common, on a weekly basis. If you are using my custom MailWasher Pro filters, keep the filters for the highest percentage categories of spam near the top of the filters list, to minimize the impact on your CPU when analyzing incoming messages for spam content.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses.

Sometimes, your own email address is forged as the sender, as well as being the recipient. The practice of forging the recipient's own email address in the From field is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Sept 13 - 19, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

Continue reading "My Spam analysis & filter updates for the week of Sept 13 - 19, 2010" »


September 12, 2010

My Spam analysis & filter updates for the week of Sept 6 - 12, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

My incoming spam levels have increased 1% this week, to 54% of all my incoming email. Most of the spam was typical junkmail for counterfeit Chinese watches, fake Cialis and Viagra, illicit prescription drugs and male enhancement scams.

The classifications of spam in my analysis (below) can help you adjust your email filters according to what is most common, on a weekly basis. If you are using my custom MailWasher Pro filters, keep the filters for the highest percentage categories of spam near the top of the filters list, to minimize the impact on your CPU when analyzing incoming messages for spam content.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses.

Sometimes, your own email address is forged as the sender, as well as being the recipient. The practice of forging the recipient's own email address in the From field is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Sept 6 - 12, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

Continue reading "My Spam analysis & filter updates for the week of Sept 6 - 12, 2010" »


September 6, 2010

My Spam analysis & filter updates for the week of Aug 30 - Sept 5, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

My incoming spam levels have decreased 1% this week, to 53% of all my incoming email. I saw a few new fake FedEx courier infected attachment exploits this week. These contain the Bredolab Trojan downloader that downloads and installs the Zeus banking credentials stealer. All the rest of the spam was typical junkmail for counterfeit Chinese watches, fake Cialis and Viagra, illicit prescription drugs, male enhancement scams and fake diploma scams.

The classifications of spam in my analysis (below) can help you adjust your email filters according to what is most common, on a weekly basis. If you are using my custom MailWasher Pro filters, keep the filters for the highest percentage categories of spam near the top of the filters list, to minimize the impact on your CPU when analyzing incoming messages for spam content.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses.

Sometimes, your own email address is forged as the sender, as well as being the recipient. The practice of forging the recipient's own email address in the From field is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Aug 30 - Sept 5, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.


August 29, 2010

My Spam analysis & filter updates for the week of Aug 23 - 29, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

My incoming spam levels have increased 6% this week, to 54% of all my incoming email. I saw a few new courier infected attachment exploits this week. All the rest of the spam was typical junkmail for counterfeit Chinese watches, fake Cialis and Viagra, illicit prescription drugs, male enhancement scams, pirated software, and fake diploma scams.

The classifications of spam in my analysis (below) can help you adjust your email filters according to what is most common, on a weekly basis. If you are using my custom MailWasher Pro filters, keep the filters for the highest percentage categories of spam near the top of the filters list, to minimize the impact on your CPU when analyzing incoming messages for spam content.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses.

Sometimes, your own email address is forged as the sender, as well as being the recipient. The practice of forging the recipient's own email address in the From field is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for August 23 - 29, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.


August 22, 2010

My Spam analysis & filter updates for the week of Aug 16 - 22, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

My incoming spam levels have decreased 8% this week, to 48% of all my incoming email. This represents a 12% decline over two weeks. I saw 2 new DHL infected attachment exploits this week. All the rest of the spam was typical junkmail for counterfeit Chinese watches, fake Cialis and Viagra, illicit prescription drugs, male enhancement scams, pirated software, and a few Nigerian lottery and 419 scams.

The classifications of spam in my analysis (below) can help you adjust your email filters according to what is most common, on a weekly basis. If you are using my custom MailWasher Pro filters, keep the filters for the highest percentage categories of spam near the top of the filters list, to minimize the impact on your CPU when analyzing incoming messages for spam content.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses.

Sometimes, your own email address is forged as the sender, as well as being the recipient. The practice of forging the recipient's own email address in the From field is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for August 16 - 22, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.


August 15, 2010

My Spam analysis for the week of August 9 - 15, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

There was news today on the anti-spam front. It was just reported that the #2 spammer in the world, Leo Kuvayev, is sitting in jail, awaiting trial in Russia, on charges of molesting over 50 young girls he lured away from Russian orphanages. Kuvayev is responsible for operating bogus online pharmacies, porn sites, including child porn, pirated OEM software and related affiliate programs for these illegal activities. His organization is called BadCow and his partner in crime is running it in his absence. Many of the spam messages we receive on a daily basis are sent by Botnets under his control, or operated by his associates. The spammers themselves are affiliates of BadCow. When spam recipients are foolish enough to purchase a spamvertised item, the affiliate spammers earn a commission and Leo Kuvayev lines his pockets even more.

My incoming spam levels have decreased 4% this week, to 56% of all my incoming email. I didn't see any new types of spam this week. All the spam that botnets are sending out this week is typical junkmail for counterfeit Chinese watches, fake Viagra, illicit prescription drugs - sans the prescription, male enhancement scams, pirated software, fake diplomas and Nigerian lottery and 419 scams. Many of the pirated software domains this week are hosted in the Ukraine. Most Russian sender spam was for counterfeit watches.

The classifications of spam in my analysis (below) can help you adjust your email filters according to what is most common, on a weekly basis. If you are using my custom MailWasher Pro filters, keep the filters for the highest percentage categories of spam near the top of the filters list, to minimize the impact on your CPU when analyzing incoming messages for spam content.

My blacklisted senders list was fairly effective this week, auto-deleting ~5.5% of all incoming spam. 57 of this week's spam messages also included my own account names in the From and Subject and most were selling fake Viagra or male enhancement junk. This illegal spam practice is known as a "Joe Job" and it is used to slip spam past our own filters. Joe Jobs depend on people white-listing their own accounts and domains. Fortunately, MailWasher custom filters allow you to override the friends list, so you can easily detect and delete Joe Job spam, if you are using MailWasher Pro as your spam filter.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply-To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. The apparent senders are innocent spam victims themselves, whose harvested names are reused in forged From addresses. When the forged sender is the recipient's own address, as described above, the practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a whitelist of approved senders), allowing user-created spam filters to read the content and flag or auto-delete spam that uses one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for August 9 - 15, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.


August 8, 2010

My Spam analysis for the week of August 2 - 8, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

My incoming spam levels have increased 9% this week, to 60% of all my incoming email. I didn't see any new types of spam this week. All the spam that botnets are sending out this week is typical junkmail for counterfeit Chinese watches, fake Viagra, illicit prescription drugs - sans the prescription, male enhancement scams, pirated software, fake diplomas and Nigerian lottery and 419 scams. Many of the pirated software domains this week are hosted in Vietnam and China. Most Russian sender spam was for counterfeit watches.

The classifications of spam in my analysis (below) can help you adjust your email filters according to what is most common, on a weekly basis. If you are using my custom MailWasher Pro filters, keep the filters for the highest percentage categories of spam near the top of the filters list, to minimize the impact on your CPU when analyzing incoming messages for spam content.

My blacklisted senders list was quite effective this week, auto-deleting ~7% of all incoming spam. 66 of this week's spam messages also included my own account names in the From and Subject and most were selling fake Viagra or male enhancement junk. This illegal spam practice is known as a "Joe Job" and it is used to slip spam past our own filters. Joe Jobs depend on people white-listing their own accounts and domains. Fortunately, MailWasher custom filters allow you to override the friends list, so you can easily detect and delete Joe Job spam, if you are using MailWasher Pro as your spam filter.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply-To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. The apparent senders are innocent spam victims themselves, whose harvested names are reused in forged From addresses. When the forged sender is the recipient's own address, as described above, the practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a whitelist of approved senders), allowing user-created spam filters to read the content and flag or auto-delete spam that uses one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for August 2 - 8, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.


August 1, 2010

My Spam analysis for the week of July 26 - Aug 1, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

My incoming spam levels have increased 2% this week, to 51% of all my incoming email. I didn't see any new types of spam this week. All the spam that botnets are sending out this week is typical junkmail for fake Viagra, illicit prescription drugs - sans the prescription, male enhancement scams, Nigerian lottery and 419 scams, fake diplomas, counterfeit watches and pirated software. All of the pirated software is hosted on websites ending with .RU, which are Russian domains. The servers allowing this crap to go on are located in China.

The classifications of spam in my analysis (below) can help you adjust your email filters according to what is most common, on a weekly basis. If you are using my custom MailWasher Pro filters, keep the filters for the highest percentage categories of spam near the top of the filters list, to minimize the impact on your CPU when analyzing incoming messages for spam content.

My blacklisted senders list was quite effective this week, auto-deleting ~10% of all incoming spam. 41 of this week's spam messages also included my own account names in the From and Subject and most were selling fake Viagra or male enhancement junk. This illegal spam practice is known as a "Joe Job" and it is used to slip spam past our own filters. Joe Jobs depend on people white-listing their own accounts and domains. Fortunately, MailWasher custom filters allow you to override the friends list, so you can easily detect and delete Joe Job spam, if you are using MailWasher Pro as your spam filter.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply-To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. The apparent senders are innocent spam victims themselves, whose harvested names are reused in forged From addresses. When the forged sender is the recipient's own address, as described above, the practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a whitelist of approved senders), allowing user-created spam filters to read the content and flag or auto-delete spam that uses one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for July 26 - Aug 1, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.


July 25, 2010

My Spam analysis for the week of July 19 - 25, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

My incoming spam levels have decreased 5% this week, to 49% of all my incoming email. New this week is a run of fake, but authentic-looking scams forging Amazon.com order confirmations, complete with a fake, but properly formatted purchase order code in the subject. The message bodies should be a giveaway to anybody who reads them thoroughly, because the greeting lists your email address, instead of your legal name (real Amazon orders always include your real name). Plus, the dollar amounts shown don't match or add up. Further, when you hover your pointer over the links they all go to the same destination, which is NOT on Amazon.com! These links lead to a scripted exploit attack which results in unprotected PCs becoming members of a Botnet.

The classifications of spam in my analysis (below) can help you adjust your email filters according to what is most common, on a weekly basis. If you are using my custom MailWasher Pro filters, keep the filters for the highest percentage categories of spam near the top of the filters list, to minimize the impact on your CPU when analyzing incoming messages for spam content.

My blacklisted senders list was quite effective this week, auto-deleting 10.46% of all incoming spam. Many (53) of this week's spam messages also included my own account names in the From and Subject and most were selling fake Viagra. This illegal spam practice is known as a "Joe Job" and it is used to slip spam past our own filters. Joe Jobs depend on people white-listing their own accounts and domains. Fortunately, MailWasher custom filters allow you to override the friends list, so you can easily detect and delete Joe Job spam, if you are using MailWasher Pro as your spam filter.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply-To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. The apparent senders are innocent spam victims themselves, whose harvested names are reused in forged From addresses. When the forged sender is the recipient's own address, as described above, the practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a whitelist of approved senders), allowing user-created spam filters to read the content and flag or auto-delete spam that uses one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for July 19 - 25, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.


July 20, 2010

Beware of fake Amazon.com purchase order scams

As I write this I am looking at the fourth Amazon.com scam message I have received in the last 24 hours. These messages are professionally composed and very closely resemble an actual similar email that one receives after making a purchase at Amazon.com. However, there are some telltale differences, listed below, that give away the fake notices. All of the current scams have this subject:

Your Amazon.com Order (D2 numbers-7 numbers-7 numbers). This is exactly the same layout as a real confirmation for Amazon.com.

Before I tell you how to differentiate between a legitimate Amazon order confirmation and the fakes, I want to show you where you will end up if you are tricked into clicking on a link in a fake Amazon notice. In the sample of the fake notice before me, everything looks like an official order confirmation for an Amazon.com purchase, all the way down to the graphics and most, but not all of the text (see next paragraph). The main difference is that every single clickable link in the fake message leads to a domain that is not on amazon.com at all. All links lead to the same hostile location, via a 301 Apache web server redirect, created in an .htaccess file on a compromised VPS web server. The new location of this redirection is, in this instance: actcountry.ru:8080, which is hosted on an nginx Russian web server, on an unconfigured dedicated server in France, belonging to OVH Hosting.

At this moment the payload is offline, but it could return at any time, or may appear on another server used in the domain redirection scripts. There is no doubt that the payload was not friendly to most browsers on Windows operating systems.

The rest of the details about identifying fake Amazon purchase confirmations, follow in my extended comments.
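The three tells above (a greeting by email address rather than by name, dollar amounts that do not add up, and every link pointing at one host that is not on amazon.com) can be checked mechanically before anyone hovers over a link. The following Python script is an added example, not code from this post, from Amazon or from MailWasher. The two messages it parses are constructed samples; the recipient name, the documentation-range IP address used as the off-site host, the order codes in the subjects and the dollar figures are all assumptions.

```python
"""Added example (not Amazon's or MailWasher's code): check a constructed
HTML order-confirmation message for three tells of the fake Amazon notices.
"""
import email
import re
from decimal import Decimal
from html.parser import HTMLParser
from urllib.parse import urlparse

LEGIT_DOMAIN = "amazon.com"          # links in a real confirmation stay under this domain
MONEY = re.compile(r"\$(\d+\.\d{2})")  # "$49.99" style amounts in the body text


class LinkCollector(HTMLParser):
    """Collect the href target of every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def under_domain(host: str, domain: str) -> bool:
    """True only for the domain itself or a real subdomain of it, so that a
    look-alike such as amazon.com.example.net counts as off-site."""
    return host == domain or host.endswith("." + domain)


def analyze(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw)
    html = msg.get_payload(decode=True).decode("utf-8", "replace")
    # Crude tag stripping is enough for the simple bodies handled here.
    lines = [ln.strip() for ln in re.sub(r"<[^>]+>", " ", html).splitlines()]
    lines = [ln for ln in lines if ln]

    # Tell 1: a real confirmation greets you by name; the fakes use your address.
    greeting = lines[0] if lines else ""
    greets_by_address = "@" in greeting

    # Tell 2: the line items and the stated total do not add up.
    total, items = None, []
    for ln in lines:
        m = MONEY.search(ln)
        if not m:
            continue
        if "total" in ln.lower():
            total = Decimal(m.group(1))
        else:
            items.append(Decimal(m.group(1)))
    totals_mismatch = total is not None and sum(items, Decimal(0)) != total

    # Tell 3: every link points at a single destination that is not on amazon.com.
    parser = LinkCollector()
    parser.feed(html)
    hosts = [urlparse(h).hostname or "" for h in parser.hrefs]
    offsite = sorted({h for h in hosts if not under_domain(h, LEGIT_DOMAIN)})
    single_offsite_target = bool(hosts) and len(set(hosts)) == 1 and bool(offsite)

    tells = sum([greets_by_address, totals_mismatch, single_offsite_target])
    return {
        "greets_by_address": greets_by_address,
        "totals_mismatch": totals_mismatch,
        "offsite_hosts": offsite,
        "single_offsite_target": single_offsite_target,
        "suspicious": tells >= 2,
    }


# Constructed sample of a fake notice: address in the greeting, wrong total,
# all links to one off-site host (198.51.100.7 is a documentation address).
FAKE_SAMPLE = b"""From: "Amazon.com" <order-update@amazon.com>
To: me@example.com
Subject: Your Amazon.com Order (D00-0000000-0000000)
Content-Type: text/html

<html><body>
<p>Hello me@example.com,</p>
<p>Thanks for your order. <a href="http://198.51.100.7/order/">View order</a></p>
<p>Item: Kindle $49.99</p>
<p>Shipping: $0.00</p>
<p>Order Total: $129.99</p>
<p><a href="http://198.51.100.7/help/">Help</a> | <a href="http://198.51.100.7/account/">Your Account</a></p>
</body></html>
"""

# Constructed sample with the properties of a legitimate confirmation.
LEGIT_SAMPLE = b"""From: "Amazon.com" <order-update@amazon.com>
To: me@example.com
Subject: Your Amazon.com Order (D00-0000000-0000001)
Content-Type: text/html

<html><body>
<p>Hello Jane Doe,</p>
<p>Thanks for your order. <a href="https://www.amazon.com/orders/">View order</a></p>
<p>Item: Kindle $49.99</p>
<p>Shipping: $5.00</p>
<p>Order Total: $54.99</p>
</body></html>
"""

if __name__ == "__main__":
    for label, raw in (("fake", FAKE_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, analyze(raw))
```

Running the script flags the constructed fake on all three tells and passes the legitimate-looking sample. The domain check deliberately accepts only amazon.com and its subdomains, since a forged link can carry "amazon.com" anywhere in its hostname except the registered domain.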


July 18, 2010

My Spam analysis for the week of July 12 - 18, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

My incoming spam levels have increased 2% this week, to 54% of all my incoming email. New this week is a dangerous attachment pretending to be a scan from a Xerox WorkCenter Pro. This attack is probably targeted at businesses which may exchange Xerox documents online, or via email. In the case of this spam run, the attachments are inside a Zip file and are actually the Trojan downloader named "Oficla," or "Meredrop." If you execute that enclosed fake document your PC will be taken over by criminal Botmasters in Eastern Europe.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. If you are using my custom MailWasher Pro filters, keep the filters for the highest percentage categories of spam near the top of the filters list, to minimize the impact on your CPU when analyzing incoming messages for spam content.

My blacklisted senders list was quite effective this week, auto-deleting almost 11% of all incoming spam. Many (51) of this week's spam messages also included my own account names in the From and Subject and most were selling fake Viagra. This illegal spam practice is known as a "Joe Job" and it is used to slip spam past our own filters. Joe Jobs depend on people white-listing their own accounts and domains. Fortunately, MailWasher custom filters allow you to override the friends list, so you can easily detect and delete Joe Job spam, if you are using MailWasher Pro as your spam filter.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply-To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. The apparent senders are innocent spam victims themselves, whose harvested names are reused in forged From addresses. When the forged sender is the recipient's own address, as described above, the practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a whitelist of approved senders), allowing user-created spam filters to read the content and flag or auto-delete spam that uses one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for July 12 - 18, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.


July 11, 2010

My Spam analysis for the week of July 5 - 11, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have decreased 4% this week, to 52% of all my incoming email. This decline is partly caused by my rerouting all Russian language spam to a blackhole on my server. Previously, I allowed MailWasher to classify and auto-delete all Russian sent and Russian language spam. Now, only a few Russian senders (but English language) get through, only to be automatically deleted by my MailWasher Blacklist entry: +@+.ru

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw another typical variety of categories of spam, led by fake Viagra, illicit pharmaceuticals and male enhancement scams, followed by Russian senders, counterfeit watches, fake diplomas and pirated software. If you are using my custom MailWasher Pro filters, keep the filters for these types of spam near the top of the filters list, to minimize the impact on your CPU when analyzing incoming messages for spam content.

My blacklisted senders list was very effective this week, auto-deleting almost 19% of all incoming spam. Many (61) of this week's spam messages also included my own account names in the From and Subject and most were selling fake Viagra. This illegal spam practice is known as a "Joe Job" and it is used to slip spam past our own filters. Joe Jobs depend on people white-listing their own accounts and domains. Fortunately, MailWasher custom filters allow you to override the friends list, so you can easily detect and delete Joe Job spam, if you are using MailWasher Pro as your spam filter.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply-To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. The apparent senders are innocent spam victims themselves, whose harvested names are reused in forged From addresses. When the forged sender is the recipient's own address, as described above, the practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a whitelist of approved senders), allowing user-created spam filters to read the content and flag or auto-delete spam that uses one's own accounts as the forged sender.
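The Joe Job rule and the +@+.ru blacklist entry described in this post and the ones above can be reproduced outside MailWasher. The Python below is an added example, not MailWasher's code and not this site's filter set: it classifies a raw message by first applying a Joe Job check that deliberately ignores the whitelist, then the blacklist, then the Friends list. The own-address set, the Friends list and the three sample messages are constructed, and reading "+" in a MailWasher pattern as "any run of characters" is an assumption about its syntax.

```python
"""Added example (not MailWasher's code): a Joe Job check that bypasses the
whitelist, a wildcard blacklist, and a Friends list, applied in that order."""
import email
import re
from email.utils import getaddresses

OWN_ADDRESSES = {"me@example.com", "webmaster@example.com"}  # constructed: our own accounts
FRIENDS = OWN_ADDRESSES | {"alice@example.org"}               # constructed whitelist, own addresses included
BLACKLIST = ["+@+.ru"]                                        # the entry quoted in the post


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Turn a MailWasher-style pattern into an anchored, case-insensitive regex.
    Assumption: '+' matches any run of characters; everything else is literal."""
    parts = [re.escape(p) for p in pattern.split("+")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def header_addresses(msg, *names) -> set:
    """Lower-cased addresses found in the given headers (all occurrences)."""
    values = []
    for name in names:
        values.extend(msg.get_all(name, []))
    return {addr.lower() for _, addr in getaddresses(values) if addr}


def is_joe_job(msg, own=OWN_ADDRESSES) -> bool:
    """One of our own addresses appears as sender on mail delivered to us."""
    senders = header_addresses(msg, "From", "Reply-To")
    recipients = header_addresses(msg, "To", "Cc")
    return bool(senders & own) and bool(recipients & own)


def classify(raw: bytes, own=OWN_ADDRESSES, friends=FRIENDS, blacklist=BLACKLIST) -> str:
    msg = email.message_from_bytes(raw)
    senders = header_addresses(msg, "From", "Reply-To")
    # 1. The Joe Job rule runs before, and regardless of, the Friends list.
    if is_joe_job(msg, own):
        return "delete:joe-job"
    # 2. Blacklisted sender patterns are auto-deleted.
    for pat in blacklist:
        rx = wildcard_to_regex(pat)
        if any(rx.match(addr) for addr in senders):
            return f"delete:blacklist({pat})"
    # 3. Whitelisted senders are delivered; everything else goes to review.
    if senders & friends:
        return "keep:friend"
    return "review:unknown"


# Constructed samples: a Joe Job with our own account in From and Subject,
# a Russian-domain sender, and mail from a whitelisted friend.
JOE_JOB_SAMPLE = b"""From: "me" <me@example.com>
To: me@example.com
Subject: me - your order of Viagra

buy now
"""
RUSSIAN_SAMPLE = b"""From: shop@watches.example.ru
To: me@example.com
Subject: replica watches

"""
FRIEND_SAMPLE = b"""From: Alice <alice@example.org>
To: me@example.com
Subject: lunch?

"""

if __name__ == "__main__":
    for label, raw in (("joe job", JOE_JOB_SAMPLE), ("russian", RUSSIAN_SAMPLE), ("friend", FRIEND_SAMPLE)):
        print(f"{label:8s} -> {classify(raw)}")
```

Mail you legitimately send to yourself also carries your own address in From, so a production version of the Joe Job rule needs an exception for messages submitted through your own authenticated outbound server (for example by inspecting the Received headers); the example keeps the rule exactly as the post states it.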

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for July 5 - 11, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

July 4, 2010

My Spam analysis for the week of June 28 - July 4, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have decreased 6% this week, to 56% of all my incoming email. This decline is partly caused by my rerouting all Russian language spam to a blackhole on my server. Previously, I allowed MailWasher to classify and auto-delete all Russian sent and Russian language spam. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw another typical variety of categories of spam, led by fake diplomas, fake Viagra, unlicensed pharmaceuticals and male enhancement scams, Russian senders, counterfeit goods and pirated software. Keep the fake diplomas, Viagra, male enhancement, Russian sender and pirated software filters high up your list of custom filters, to minimize the impact on your CPU when analyzing incoming messages for spam content.

I have noticed that with school now out for the summer and graduation ceremonies over, fake diplomas are the number one classification of spam, for two weeks in a row. I guess that the arrogant foreign spammers behind these scams believe that our students lack the parts to earn a diploma fair and square. But, in case you are reading this and were thinking about buying a fake diploma in the hopes of getting a high paying job, you should be alerted to this cold hard fact of life. If you buy a fake diploma, when, not if, you are found out, if that diploma landed you a job you will be fired as soon as they learn the truth. Then, your former employer will notify any hiring agencies who referred you and you will be blacklisted by all US and Canadian HR companies, including Temp placement companies. They share information about people who lie on applications and use fake diplomas and credentials. If you need to get more credits to graduate, go to summer school and get it honest!

My blacklisted senders list was slightly effective this week, auto-deleting 9.39% of all incoming spam. Many (37) of this week's spam messages also included my own account names in the From and Subject and most were selling fake Viagra. This illegal spam practice is known as a "Joe Job" and it is used to slip spam past our own filters. Joe Jobs depend on people white-listing their own accounts and domains. Fortunately, MailWasher custom filters allow you to override the friends list, so you can easily detect and delete Joe Job spam, if you are using MailWasher Pro as your spam filter.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets, and all email sender addresses are forged, there is no point in complaining to the listed From or Reply-To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. Their owners are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a whitelist of approved senders), allowing user-created spam filters to read the content and flag or auto-delete spam that uses one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for June 28 - July 4, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

June 27, 2010

My Spam analysis for the week of June 21 - 27, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have decreased 8% this week, to 62% of all my incoming email. This decline is partly caused by my rerouting all Russian spam to a blackhole on my server. Previously, I allowed MailWasher to classify and auto-delete all Russian sent and Russian language spam. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw another typical variety of categories of spam, led by fake Viagra, counterfeit diplomas, Russian spam, male enhancement and pirated software. Keep the Viagra, Russian sender, counterfeit diplomas, male enhancement and pirated software filters high up your list of custom filters, to minimize the impact on your CPU when analyzing incoming messages for spam content.

If you are also getting a lot of unreadable Russian spam, my custom MailWasher "Russian Sender" filter and a Blacklist addition of +@+.ru should kill all of it, if set to Automatically Delete. You can kill this Russian junk off of your domain email system, if you are hosted on a cPanel website. Go to the Email Account Level Filtering and add the following conditions and rule: If ANY HEADER contains: "koi8-r" OR if the BODY contains: "charset=koi8-r" - Discard Message.
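The two rules in the paragraph above, the +@+.ru Blacklist entry and the cPanel "ANY HEADER contains koi8-r / BODY contains charset=koi8-r" rule, as an added Python example written for this page (it is not MailWasher's or cPanel's own filter engine). The + in the blacklist entry is treated as a wildcard, an assumption inferred from the entry itself; the sample messages are constructed, and the example distinguishes the header case from the MIME-part case so you can see which of the two cPanel conditions fired.

```python
"""Russian-language spam rules: the +@+.ru blacklist entry and the cPanel
koi8-r header/body rule from this post, written as an added example for
this page (not MailWasher's or cPanel's own filter engine). Sample
messages are constructed."""
import email
import re
from email import policy
from email.utils import parseaddr


def wildcard_to_regex(entry: str) -> "re.Pattern[str]":
    """Turn a MailWasher-style blacklist entry into an anchored regex.
    '+' is treated as 'any run of characters' (assumption inferred from the
    page's entry +@+.ru); everything else matches literally."""
    literal = [re.escape(piece) for piece in entry.split("+")]
    return re.compile("^" + ".*".join(literal) + "$", re.IGNORECASE)


RU_SENDER = wildcard_to_regex("+@+.ru")


def matches_blacklist(from_header: str) -> bool:
    """True when the address part of From ends in .ru, whatever the display name."""
    _, addr = parseaddr(from_header)
    return bool(RU_SENDER.match(addr))


def koi8r_reason(msg) -> str:
    """'header' if any top-level header mentions koi8-r (the cPanel
    'ANY HEADER contains' condition), 'body' if a MIME part inside the body
    declares charset=koi8-r (the 'BODY contains' condition), else ''."""
    for _name, value in msg.raw_items():
        if "koi8-r" in value.lower():
            return "header"
    for part in msg.walk():
        if (part.get_content_charset() or "").lower() == "koi8-r":
            return "body"
    return ""


def classify(raw: bytes) -> str:
    """Blacklist first (the cheaper test), then the charset rule. Returns
    'delete:blacklist', 'delete:koi8-r-header', 'delete:koi8-r-body' or 'keep'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if matches_blacklist(str(msg.get("From", ""))):
        return "delete:blacklist"
    reason = koi8r_reason(msg)
    if reason:
        return "delete:koi8-r-" + reason
    return "keep"


def _mail(*lines: str) -> bytes:
    return "\r\n".join(lines).encode("ascii") + b"\r\n"


# Constructed sample messages.
RU_FROM = _mail("From: Ivan <ivan@mail.ru>", "To: webmaster@example.com",
                "Subject: Hello in English",
                "Content-Type: text/plain; charset=us-ascii",
                "", "english text from a .ru sender")
KOI8_SINGLE = _mail("From: someone@example.net", "To: webmaster@example.com",
                    "Subject: hello", "MIME-Version: 1.0",
                    "Content-Type: text/plain; charset=koi8-r",
                    "Content-Transfer-Encoding: 8bit", "", "body bytes here")
KOI8_MULTI = _mail("From: news@example.net", "To: webmaster@example.com",
                   "Subject: hello", "MIME-Version: 1.0",
                   'Content-Type: multipart/alternative; boundary="b1"', "",
                   "--b1", "Content-Type: text/plain; charset=koi8-r", "",
                   "part one",
                   "--b1", "Content-Type: text/html; charset=koi8-r", "",
                   "<p>part two</p>",
                   "--b1--")
CLEAN = _mail("From: alice@example.org", "To: webmaster@example.com",
              "Subject: Lunch?", "Content-Type: text/plain; charset=us-ascii",
              "", "see you at noon")

if __name__ == "__main__":
    for name, raw in (("RU_FROM", RU_FROM), ("KOI8_SINGLE", KOI8_SINGLE),
                      ("KOI8_MULTI", KOI8_MULTI), ("CLEAN", CLEAN)):
        print(name, "->", classify(raw))
```

As the post says, these are blanket rules: an English-language message from any .ru address is deleted by the blacklist, and any legitimate Russian correspondent whose mail client declares koi8-r is discarded by the charset rule. Check the multipart case in particular, since the charset is declared inside the body rather than in a top-level header, which is why cPanel's rule needs both conditions.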

My blacklisted senders list was slightly effective this week, auto-deleting 5.71% of all incoming spam. Many of this week's spam messages also included my own account names in the From and Subject and most were selling fake Viagra. This illegal spam practice is known as a "Joe Job" and it is used to slip spam past our own filters. Joe Jobs depend on people white-listing their own accounts and domains. Fortunately, MailWasher custom filters allow you to override the friends list, so you can easily detect and delete Joe Job spam, if you are using MailWasher Pro as your spam filter.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets, and all email sender addresses are forged, there is no point in complaining to the listed From or Reply-To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. Their owners are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a whitelist of approved senders), allowing user-created spam filters to read the content and flag or auto-delete spam that uses one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for June 21 - 27, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

June 20, 2010

My Spam analysis for the week of June 14 - 20, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased 4% this week, to 70% of all my incoming email. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw another typical variety of categories of spam, led by lots of unreadable Russian language spam, counterfeit Viagra, counterfeit college diplomas and counterfeit watches. Runners up were the bogus Canadian Pharmacy and Male Enhancement scams. Keep the Viagra, Canadian Pharmacy, Russian Sender, counterfeit Watches and Diploma filters high up your list of custom filters, to minimize the impact on your CPU when analyzing incoming messages for spam content.

If you are also getting a lot of unreadable Russian spam, my custom MailWasher "Russian Sender" filter and a Blacklist addition of +@+.ru should kill all of it, if set to Automatically Delete.

My blacklisted senders list was effective this week, auto-deleting ~7% of all incoming spam. Many of this week's spam messages also included my own account names in the From and Subject and most were selling fake Viagra. This illegal spam practice is known as a "Joe Job" and it is used to slip spam past our own filters. Joe Jobs depend on people white-listing their own accounts and domains. Fortunately, MailWasher custom filters allow you to override the friends list, so you can easily detect and delete Joe Job spam, if you are using MailWasher Pro as your spam filter.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets, and all email sender addresses are forged, there is no point in complaining to the listed From or Reply-To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. Their owners are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a whitelist of approved senders), allowing user-created spam filters to read the content and flag or auto-delete spam that uses one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for June 14 - 20, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

June 13, 2010

My Spam analysis for the week of June 7 - 13, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased 4% this week, to 66% of all my incoming email. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw another typical variety of categories of spam, led by lots of unreadable Russian language spam, counterfeit Viagra, fake diplomas and counterfeit watches. Runners up were the bogus Canadian Pharmacy and Male Enhancement scams. Keep the Viagra, Canadian Pharmacy, Russian Sender, counterfeit Watches and Diploma filters high up your list of custom filters, to minimize the impact on your CPU when analyzing incoming messages for spam content.

If you are also getting a lot of unreadable Russian spam, my custom MailWasher "Russian Sender" filter and a Blacklist addition of +@+.ru should kill all of it, if set to Automatically Delete.

My blacklisted senders list was effective this week, auto-deleting ~7% of all incoming spam, which included a huge amount of the aforementioned Russian language spam (see my extended content for details). I saw a slight increase in the number of emails forging my own accounts as the senders, with 50 this week, which was ~10% of my total spam. Many of these spam messages also included the same account names in the Subject and all were selling fake Viagra. This illegal practice is known as a "Joe Job" and it is used to slip spam past our filters. Joe Jobs depend on people white-listing their own accounts and domains. Fortunately, MailWasher custom filters allow you to override the friends list, so you can easily detect and delete Joe Job spam, if you are using MailWasher Pro as your spam filter.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets, and all email sender addresses are forged, there is no point in complaining to the listed From or Reply-To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. Their owners are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a whitelist of approved senders), allowing user-created spam filters to read the content and flag or auto-delete spam that uses one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for June 7 - 13, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

June 7, 2010

Blocking Russian language spam with junk filter rules

I don't know if a Botnet has been mis-programmed, or if some Russian spammers have mistaken my domain for a Russian speaking domain, but I am seeing huge amounts of unreadable Russian language spam over the past month. However, I doubt that I am the only totally English speaking person in the USA who is getting this unintelligible Cyrillic spam.

The whys are unimportant to me, or to you, if you are also getting foreign language spam. A few years ago I was getting Chinese language spam, which is totally weird to look at. Both the Russian and Chinese alphabets look like something out of Star Trek to me. Most people are annoyed when they get any spam at all. But, getting spam you can't even read is worse. Since I can't read the content I have no use for looking at this crap, so I have created spam filters to automatically delete it off my email servers, and I will share them with you.

I have certain systems in place to filter out spam before I download it, but you all might have altogether different measures in place. I will outline my countermeasures, then suggest others that you may be able to use.

My primary tool in the war to secure my inbox is an anti-spam program called MailWasher Pro (MWP). It is a desktop application that intercepts all incoming POP3 email, from all of the various email servers that I use to get and send email. In my extended comments I will reveal two powerful filters that I have created, which combined will automatically delete 100% of the Cyrillic coded spam sent to my various POP3 accounts.

My second tool is my desktop email client: Windows Live Mail (WLM). This is the most recent descendant of the no longer supported Outlook Express email client from Microsoft. Outlook Express died when Windows Vista was released; at the same time, Windows Mail was included with Vista. With the advent of Windows 7, Windows Live Mail is the only email client available from Microsoft, as an optional download. Unlike Outlook Express, Windows Live Mail includes a junk filter module, which receives updates from time to time. You can also block incoming messages from your inbox by applying the new "International" filter, which reads the sender's From address or language encoding. If the domain listed in the From field, or the text encoding, matches one on the blocked countries list, the message automatically goes to the Junk Mail folder, or is automatically deleted, according to your choices.

The previous anti-spam countermeasures are for people using a POP3 or IMAP desktop email client to download, read, compose and send email. But, many people are still using browser based email systems, like Hotmail, Yahoo, AOL, Comcast, Charter, and other proprietary mail systems from free mail providers, or from their web hosting companies. You folks must search out and apply any junk mail rules available from your email service. I will show you how to apply junk filters to Yahoo and Hotmail, using your web browsers.

Most web hosting accounts now come with the option to enable SpamAssassin. You can turn on SpamAssassin and add a regular expression rule to block any "From" address in the .ru top-level domain.

June 6, 2010

My Spam analysis for the week of May 31 - June 6, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased 3% this week, to 62% of all my incoming email. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw another typical variety of categories of spam, led by blacklisted domains, counterfeit Viagra, counterfeit watches, and lots of unreadable Russian language spam. Keep the Viagra, Russian Sender, counterfeit Watches filters high up your list of custom filters, to minimize the impact on your CPU when analyzing incoming messages for spam content.

If you are also getting a lot of unreadable Russian spam, my custom MailWasher "Russian Sender" filter and a Blacklist addition of +@+.ru should kill all of it, if set to Automatically Delete.

My updated blacklisted senders list proved extremely effective this week, auto-deleting ~35% of all incoming spam, which included a huge amount of the aforementioned Russian language spam (see my extended content for details). I saw another decrease in the number of emails forging my own accounts as the senders, with 45 this week, which was ~9% of my total spam. Many of these spam messages also included the same account names in the Subject and all were selling fake Viagra. This illegal practice is known as a "Joe Job" and it is used to slip spam past our filters. Joe Jobs depend on people white-listing their own accounts and domains. Fortunately, MailWasher custom filters allow you to override the friends list, so you can easily detect and delete Joe Job spam, if you are using MailWasher Pro as your spam filter.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets, and all email sender addresses are forged, there is no point in complaining to the listed From or Reply-To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. Their owners are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a whitelist of approved senders), allowing user-created spam filters to read the content and flag or auto-delete spam that uses one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for May 31 - June 6, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

May 30, 2010

My Spam analysis for the week of May 24 - 30, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have decreased 3% this week, to 59% of all my incoming email. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw another typical variety of categories of spam, led by counterfeit Viagra and other illicit and counterfeit pharmaceuticals, including spam for the totally fake Canadian Pharmacy. Other measurable categories of spam included counterfeit diplomas and counterfeit watches, and lots of unreadable Russian language spam. Keep the Viagra, Canadian Pharmacy, Male Enhancement, Russian Sender, Diploma and the counterfeit Watches filters high up your list of custom filters, to minimize the impact on your CPU when analyzing incoming messages for spam content.

If you are also getting a lot of unreadable Russian spam, my custom MailWasher "Russian Sender" filter and a Blacklist addition of +@+.ru should kill all of it, if set to Automatically Delete.

My updated blacklisted senders list proved extremely effective this week, auto-deleting ~32% of all incoming spam, which included a huge amount of the aforementioned Russian language spam (see my extended content for details). I saw a decrease in the number of emails forging my own accounts as the senders, with 82 this week, which was ~19% of my total spam. Many of these spam messages also included the same account names in the Subject and all were selling fake Viagra. This illegal practice is known as a "Joe Job" and it is used to slip spam past our filters. Joe Jobs depend on people white-listing their own accounts and domains. Fortunately, MailWasher custom filters allow you to override the friends list, so you can easily detect and delete Joe Job spam, if you are using MailWasher Pro as your spam filter.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets, and all email sender addresses are forged, there is no point in complaining to the listed From or Reply-To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. Their owners are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a whitelist of approved senders), allowing user-created spam filters to read the content and flag or auto-delete spam that uses one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for May 24 - 30, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

May 23, 2010

My Spam analysis for the week of May 17 - 23, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased 2% this week, to 62% of all my incoming email. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a typical variety of categories of spam, led by counterfeit Viagra and other illicit and counterfeit pharmaceuticals, including spam for the totally fake Canadian Pharmacy. Other categories of spam included counterfeit diplomas and watches, Russian sender spam, weight loss scams and porn video link scams. Keep the Viagra, Canadian Pharmacy, Male Enhancement, Russian Sender, Diploma and the counterfeit Watches filters high up your list of custom filters, to minimize the impact on your CPU when analyzing incoming messages for spam content.

My updated blacklisted senders list proved extremely effective this week, auto-deleting ~30% of all incoming spam (see my extended content for details). I saw a huge increase in the number of emails forging my own accounts as the senders, with 124 this week, which was ~22% of my total spam. Many of these spam messages also included the same account names in the Subject and all were selling fake Viagra. This illegal practice is known as a "Joe Job" and it is used to slip spam past our filters. Joe Jobs depend on people white-listing their own accounts and domains. Fortunately, MailWasher custom filters allow you to override the friends list, so you can easily detect and delete Joe Job spam, if you are using MailWasher Pro as your spam filter.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for May 17 - 23, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.


May 16, 2010

My Spam analysis for the week of May 10 - 16, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased 3% this week, to 60% of all my incoming email. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a typical variety of categories of spam, led by counterfeit Viagra and other illicit and counterfeit pharmaceuticals, including spam for the totally fake Canadian Pharmacy. Other categories of spam included counterfeit watches, Trojan attachments in fake resumes, Nigerian 419 scams and fake diplomas. Keep the Viagra, Canadian Pharmacy, Male Enhancement, 419 Scams and the counterfeit Watches filters high up your list of custom filters, to minimize the impact on your CPU when analyzing incoming messages for spam content.

By the way, the zipfile attachments claiming to be a resume in CV format actually contain Trojan downloaders. Open them on a Windows PC and you will probably become Botnetted!

My updated blacklisted senders list proved quite effective this week, auto-deleting ~17% of all incoming spam (see my extended content for details). I saw a big increase in the number of emails forging my own accounts as the senders, with 96 this week, which was ~20% of my total spam. Many of these spam messages also included the same account names in the Subject. This illegal practice is known as a "Joe Job" and it is used to slip spam past our filters. Joe Jobs depend on people white-listing their own accounts and domains. Fortunately, MailWasher custom filters allow you to override the friends list, so you can easily detect and delete Joe Job spam, if you are using MailWasher Pro as your spam filter.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for May 10 - 16, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.


May 9, 2010

My Spam analysis for the week of May 3 - 9, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have remained exactly the same this week as last week, at 57% of all my incoming email. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a typical variety of categories of spam, led by counterfeit Viagra and other illicit and counterfeit pharmaceuticals, including spam for the totally fake Canadian Pharmacy. Other categories of spam included counterfeit watches, courier Trojan scams, pirated software and fake diplomas. Keep the Viagra, Canadian Pharmacy, Male Enhancement, Courier Scams and the counterfeit Watches filters high up your list of custom filters, to minimize the impact on your CPU when analyzing incoming messages for spam content.

By the way, the Courier Scams all contain Botnet Trojan attachments. Open them on a Windows PC with any vulnerable software they target and you will probably become Botnetted!

My updated blacklisted senders list proved quite effective this week, auto-deleting ~19% of all incoming spam (see my extended content for details). I saw a slight increase in the number of emails forging my own accounts as the senders, with 75 this week, which was ~18% of my total spam. Many of these spam messages also included the same account names in the Subject. This illegal practice is known as a "Joe Job" and it is used to slip spam past our filters. Joe Jobs depend on people white-listing their own accounts and domains. Fortunately, MailWasher custom filters allow you to override the friends list, so you can easily detect and delete Joe Job spam, if you are using MailWasher Pro as your spam filter.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for May 3 - 9, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.


May 2, 2010

My Spam analysis for the week of April 26 - May 2, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased slightly this week over last week, to 57% of all my incoming email. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a typical variety of categories of spam, led by counterfeit Viagra and other illicit and counterfeit pharmaceuticals, including spam for the totally fake Canadian Pharmacy. Other categories of spam included counterfeit watches, Nigerian 419 and lottery scams, pirated software and fake diplomas. Keep the Viagra, Canadian Pharmacy, Male Enhancement and the counterfeit Watches filters high up your list of custom filters, to minimize the impact on your CPU when analyzing incoming messages for spam content.

My updated blacklisted senders list proved quite effective this week, auto-deleting ~17% of all incoming spam (see my extended content for details). I saw a slight decrease in the number of emails forging my own accounts as the senders, with 66 this week, which was ~14% of my total spam. Many of these spam messages also included the same account names in the Subject. This illegal practice is known as a "Joe Job" and it is used to slip spam past our filters. Joe Jobs depend on people white-listing their own accounts and domains. Fortunately, MailWasher custom filters allow you to override the friends list, so you can easily detect and delete Joe Job spam, if you are using MailWasher Pro as your spam filter.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for April 26 - May 2, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.


April 25, 2010

My Spam analysis for the week of April 19 - 25, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased slightly this week over last week, to 54% of all my incoming email. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a typical variety of categories of spam, led by counterfeit Viagra and other illicit and counterfeit pharmaceuticals, including spam for the totally fake Canadian Pharmacy. Other categories of spam included counterfeit watches and brand name goods and some Nigerian scams and Zbot threats in fake courier failed delivery notices. Keep the Viagra, Canadian Pharmacy, Male Enhancement and the counterfeit Watches filters high up your list of custom filters, to minimize the impact on your CPU when analyzing incoming messages for spam content.

My updated blacklisted senders list proved quite effective this week, auto-deleting 15.90% of all incoming spam (see my extended content for details). I saw a decrease in the number of emails forging my own accounts as the senders, with 69 this week, which was 18% of my total spam. Many of these spam messages also included the same account names in the Subject. This illegal practice is known as a "Joe Job" and it is used to slip spam past our filters. Joe Jobs depend on people white-listing their own accounts and domains. Fortunately, MailWasher custom filters allow you to override the friends list, so you can easily detect and delete Joe Job spam, if you are using MailWasher Pro as your spam filter.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for April 19 - 25, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.


April 18, 2010

My Spam analysis for the week of April 12 - 18, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased slightly this week over last week, to 52% of all my incoming email. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a typical variety of categories of spam, led by counterfeit Viagra and other illicit and counterfeit pharmaceuticals, including spam for the totally fake Canadian Pharmacy. Other measurable categories of spam included many for counterfeit watches, Russian bride dating scams (via Live.com spam links) and fake courier failed delivery notices that have attachments containing the Zbot, a.k.a. the Zeus banking Trojan.

My updated blacklisted senders list proved slightly effective this week, auto-deleting 7.52% of all incoming spam (see my extended content for details). I saw a huge increase in the number of emails forging my own accounts as the senders, with 101 this week, which was 33% of my total spam. This illegal practice is known as a "Joe Job" and it is used to slip spam past our filters. Joe Jobs depend on people white-listing their own accounts and domains. Fortunately, MailWasher custom filters allow you to override the friends list, so I can easily detect and delete Joe Job spam.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for April 12 - 18, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.


April 11, 2010

My Spam analysis for the week of April 5 - 11, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have remained the same this week as last week, at 48% of all my incoming email. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a typical variety of categories of spam, led by counterfeit Viagra and other illicit and counterfeit pharmaceuticals, including spam for the totally fake Canadian Pharmacy. Other measurable categories of spam included many for counterfeit watches and Russian bride dating scams.

My updated blacklisted senders list proved very effective this week, auto-deleting 12% of all incoming spam (see my extended content for details). I saw a huge increase in the number of emails forging my own accounts as the senders, with 90 this week, which was 30% of my total spam. This illegal practice is known as a "Joe Job" and it is used to slip spam past our filters. Joe Jobs depend on people white-listing their own accounts and domains. Fortunately, MailWasher custom filters allow you to override the friends list, so I can easily detect and delete Joe Job spam.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for April 5 - 11, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.


April 4, 2010

My Spam analysis for the week of March 29 - April 4, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have decreased 8% this week from last week's level, making two consecutive weeks of declines in spam volumes. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a typical variety of categories of spam, led by counterfeit Viagra and other illicit pharmaceuticals. The totally fake Canadian Pharmacy is back in the count, with a lot of landing pages hosted on spaces.live.com pages, as well as on Botnetted PCs. Other measurable categories of spam included counterfeit watches and other knockoffs, fake diplomas, Russian bride dating scams and UPS Phishing scams.

My updated blacklisted senders list proved very effective this week, auto-deleting almost 15% of all incoming spam (see my extended content for details). I saw a slight decrease in the number of emails forging my own accounts as the senders, with 48 this week, which was 16% of my total spam. This illegal practice is known as a "Joe Job" and it is used to slip spam past our filters. Joe Jobs depend on people whitelisting their own accounts and domains.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for March 29 - April 4, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.


March 28, 2010

My Spam analysis for the week of March 22 - 28, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have decreased 2% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a typical variety of categories of spam, led by counterfeit Viagra and other illicit prescription drugs dispensed without the required prescriptions. The totally fake Canadian Pharmacy is back in the count, with a lot of landing pages hosted on spaces.live.com pages. Other measurable categories of spam included counterfeit watches, fake diplomas, pirated Adobe software, Russian bride dating scams and Phishing scams. The Phishing scams included a bunch forging the US IRS as the sender, with subjects pertaining to alleged underreported income. The links in those scams lead to the download and installation of the ZBot/Zeus Trojan keylogger and backdoor.

My updated blacklisted senders list proved very effective this week, auto-deleting over 20% of all incoming spam (see my extended content for details). I saw another increase in the number of emails forging my own accounts as the senders, with 60 this week. This illegal practice is known as a "Joe Job" and it is used to slip spam past our filters. Joe Jobs depend on people whitelisting their own accounts and domains.

Since virtually all spam is now sent from, and hosted on, hijacked PCs that are zombie members of spam Botnets, and the sender addresses on that spam are forged, there is no point in complaining to the listed From or Reply-To address. Those addresses are inserted by the same script that composes the spam on the compromised PC, and they belong to innocent people whose harvested addresses are being reused as forged senders. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a whitelist of approved senders), so a user-created filter can read the content and flag or auto-delete spam that uses one of your own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for March 22 - 28, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

Continue reading "My Spam analysis for the week of March 22 - 28, 2010" »

March 21, 2010

My Spam analysis for the week of March 15 - 21, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam, manually or automatically, when a user-defined filter, the built-in learning filter, a blacklist entry or a known spam source matches, or when an attached virus is detected.

Spam levels have increased 8% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a typical variety of categories of spam, led by counterfeit Viagra and other illicit prescription drugs dispensed without the required prescriptions. The totally fake Canadian Pharmacy is back in the count, with a lot of landing pages hosted on spaces.live.com pages. Other measurable categories of spam included counterfeit watches, fake diplomas, offshore casinos, phony car warranties hosted in Korea and Russian bride dating scams.

My updated blacklisted senders list proved very effective this week, auto-deleting over 30% of all incoming spam (see my extended content for details). I saw another increase in the number of emails forging my own accounts as the senders. This illegal practice is known as a "Joe Job" and it is used to slip spam past our filters. Joe Jobs depend on people whitelisting their own accounts and domains.

Since virtually all spam is now sent from, and hosted on, hijacked PCs that are zombie members of spam Botnets, and the sender addresses on that spam are forged, there is no point in complaining to the listed From or Reply-To address. Those addresses are inserted by the same script that composes the spam on the compromised PC, and they belong to innocent people whose harvested addresses are being reused as forged senders. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a whitelist of approved senders), so a user-created filter can read the content and flag or auto-delete spam that uses one of your own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for March 15 - 21, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

Continue reading "My Spam analysis for the week of March 15 - 21, 2010" »

March 14, 2010

My Spam analysis for the week of March 8 - 14, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam, manually or automatically, when a user-defined filter, the built-in learning filter, a blacklist entry or a known spam source matches, or when an attached virus is detected.

Spam levels have increased 5% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a typical variety of categories of spam, led by counterfeit Viagra and other illicit prescription drugs, sold unlawfully without a real prescription. Other measurable categories of spam included counterfeit watches and other goods, fake diplomas, pirated software, and Russian dating scams.

My updated blacklisted senders list proved effective this week, auto-deleting almost 10% of all incoming spam (see my extended content for details). I saw another increase in the number of emails forging my own accounts as the senders. This illegal practice is known as a "Joe Job" and it is used to slip spam past our filters. Joe Jobs depend on people whitelisting their own accounts and domains.

Since virtually all spam is now sent from, and hosted on, hijacked PCs that are zombie members of spam Botnets, and the sender addresses on that spam are forged, there is no point in complaining to the listed From or Reply-To address. Those addresses are inserted by the same script that composes the spam on the compromised PC, and they belong to innocent people whose harvested addresses are being reused as forged senders. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a whitelist of approved senders), so a user-created filter can read the content and flag or auto-delete spam that uses one of your own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for March 8 - 14, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

Continue reading "My Spam analysis for the week of March 8 - 14, 2010" »

March 7, 2010

My Spam analysis for the week of March 1 - 7, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam, manually or automatically, when a user-defined filter, the built-in learning filter, a blacklist entry or a known spam source matches, or when an attached virus is detected.

Spam levels have decreased 2% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a typical variety of categories of spam, including a lot of spam for counterfeit watches and phones, illicit prescription drugs, fake Viagra, Canadian Pharmacy scams, pirated software, dating scams, and fake diplomas.

My updated blacklisted senders list proved less effective this week, auto-deleting only 4% of all incoming spam (see my extended content for details). The decline in blacklisted matches is the result of spammers changing their tactics from previous weeks. In fact, I saw a giant increase in the number of emails forging my own accounts as the senders. This illegal practice is known as a "Joe Job" and it is used to slip spam past our filters. Joe Jobs depend on people whitelisting their own accounts and domains.

Since virtually all spam is now sent from, and hosted on, hijacked PCs that are zombie members of spam Botnets, and the sender addresses on that spam are forged, there is no point in complaining to the listed From or Reply-To address. Those addresses are inserted by the same script that composes the spam on the compromised PC, and they belong to innocent people whose harvested addresses are being reused as forged senders. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a whitelist of approved senders), so a user-created filter can read the content and flag or auto-delete spam that uses one of your own accounts as the forged sender.
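
To make the two mechanisms these weekly posts rely on concrete, here is a small Python screener. It is an added example, not MailWasher Pro's code or filter syntax and not from the original post: category rules tallied the way the Statistics > Junk Mail pie chart counts them, a blacklist whose share of the catch is reported the way each post quotes it, and a "Joe Job" rule that runs before the whitelist, so a message forged from one of your own addresses is deleted even though that address is on the Friends list. The domain example.com, the host mail.example.com, the addresses and the five sample messages are all constructed for the example. The forgery check is a header heuristic: genuine mail from your own users enters through an authenticated submission (ESMTPA or ESMTPSA in the first Received line) to your own host, while a zombie PC hands the message to whatever MTA accepts it, unauthenticated. Where your receiving server records them, SPF, DKIM and DMARC alignment results are the more reliable signal.

```python
import re
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

# Hypothetical configuration for this example (not from the original post).
MY_DOMAIN = "example.com"                   # domain spammers forge in From:
MY_SUBMISSION_HOSTS = {"mail.example.com"}  # hosts where OUR users hand mail in
FRIENDS = {"alice@example.com", "bob@partner.test"}  # whitelist ("Friends" list)
BLACKLIST_DOMAINS = {"spamdomain.test"}     # blacklisted sender domains

# Category rules, tallied like the Statistics > Junk Mail pie chart.
CATEGORY_RULES = [
    ("Pharmacy", re.compile(r"\b(viagra|cialis|canadian pharmacy)\b", re.I)),
    ("Counterfeit watches", re.compile(r"\b(replica|rolex)\b", re.I)),
    ("Fake diplomas", re.compile(r"\bdiplomas?\b", re.I)),
    ("Phishing", re.compile(r"\b(irs|underreported income|verify your account)\b", re.I)),
]

RECEIVED_BY = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.I)
# "with ESMTPA" / "with ESMTPSA" in a Received: line means the client used
# SMTP AUTH to that host, i.e. a real user handed the message in.
AUTH_SUBMISSION = re.compile(r"\bwith\s+E?SMTPS?A\b", re.I)


def sender_address(msg):
    return parseaddr(msg.get("From", ""))[1].lower()


def forged_own_domain(msg):
    """Joe Job heuristic: From: claims MY_DOMAIN, but the message did not
    enter the mail system as an authenticated submission to our own host.

    Each relay prepends its own Received: line, so the LAST one in the
    header block is the first hop.  Genuine mail from our users shows
    'by <our host> with ESMTPSA' there; a zombie PC is accepted by some
    MTA (often our own inbound MX) without ever authenticating.
    """
    if not sender_address(msg).endswith("@" + MY_DOMAIN):
        return False
    received = msg.get_all("Received") or []
    if not received:
        return True  # no trace at all: treat as forged
    first_hop = received[-1]
    m = RECEIVED_BY.search(first_hop)
    by_host = m.group(1).lower() if m else ""
    return not (by_host in MY_SUBMISSION_HOSTS and AUTH_SUBMISSION.search(first_hop))


def body_text(msg):
    payload = msg.get_payload(decode=True)
    return payload.decode("utf-8", "replace") if payload else ""


def classify(msg):
    """Return (verdict, category); verdict is 'delete', 'spam' or 'good'.

    The forged-own-domain rule runs BEFORE the whitelist.  That ordering is
    the 'override the Friends list' behaviour: without it, spam forged from
    a whitelisted own address would be let straight through.
    """
    addr = sender_address(msg)
    if forged_own_domain(msg):
        return "delete", "Joe Job (forged own domain)"
    if addr in FRIENDS:
        return "good", "Friends"
    if addr.rpartition("@")[2] in BLACKLIST_DOMAINS:
        return "delete", "Blacklist"
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    for category, rule in CATEGORY_RULES:
        if rule.search(text):
            return "spam", category
    return "good", "Unmatched"


def classify_raw(raw):
    return classify(message_from_string(raw))


def weekly_breakdown(raw_messages):
    """Tally flagged mail per category and report the share of the catch
    that the blacklist alone removed."""
    tally = Counter()
    for raw in raw_messages:
        verdict, category = classify_raw(raw)
        if verdict != "good":
            tally[category] += 1
    total_spam = sum(tally.values())
    return tally, (tally["Blacklist"] / total_spam if total_spam else 0.0)


# Constructed sample messages (hypothetical hosts and addresses).
SAMPLES = [
    # Genuine mail from our own user, handed in with SMTP AUTH.
    "Received: from laptop.lan (203.0.113.7) by mail.example.com with ESMTPSA id 1\n"
    "From: Alice <alice@example.com>\nSubject: lunch?\n\nNoon?\n",
    # Joe Job: whitelisted own address forged; first hop is a zombie PC
    # talking straight to our inbound MX, unauthenticated.
    "Received: from 198-51-100-23.dsl.isp.test (198.51.100.23) by mail.example.com with ESMTP id 2\n"
    "From: alice@example.com\nSubject: Cheap Viagra\n\nBuy now\n",
    # Blacklisted sender domain.
    "Received: from mx.spamdomain.test by mail.example.com with ESMTP id 3\n"
    "From: deals@spamdomain.test\nSubject: Replica Rolex\n\nBest prices\n",
    # IRS phishing with a forged third-party From:.
    "Received: from 192.0.2.9 by mail.example.com with ESMTP id 4\n"
    "From: IRS <noreply@irs.example.net>\nSubject: Underreported income notice\n\nClick here\n",
    # Whitelisted correspondent, legitimate.
    "Received: from mx.partner.test by mail.example.com with ESMTP id 5\n"
    "From: bob@partner.test\nSubject: invoice\n\nAttached\n",
]

if __name__ == "__main__":
    tally, share = weekly_breakdown(SAMPLES)
    for category, count in tally.most_common():
        print(f"{count:3d}  {category}")
    print(f"blacklist removed {share:.0%} of flagged mail")
```

Run as a script it prints one line per category and the blacklist share (one of three flagged messages here). The second sample is the case the posts keep returning to: the From address is on the Friends list, yet it is deleted, because the forgery rule is evaluated before the whitelist is consulted.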

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for March 1 - 7, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

Continue reading "My Spam analysis for the week of March 1 - 7, 2010" »

February 28, 2010

My Spam analysis for the week of Feb 22 - 28, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam, manually or automatically, when a user-defined filter, the built-in learning filter, a blacklist entry or a known spam source matches, or when an attached virus is detected.

Spam levels have decreased 5% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a typical variety of categories of spam, including a lot of spam for counterfeit watches, illicit drugs, fake Viagra, Canadian Pharmacy scams, pirated software, casinos and fake diplomas. My updated blacklisted senders list proved effective again this week, auto-deleting over 9% of all incoming spam (see my extended content for details).

Since virtually all spam is now sent from, and hosted on, hijacked PCs that are zombie members of spam Botnets, and the sender addresses on that spam are forged, there is no point in complaining to the listed From or Reply-To address. Those addresses are inserted by the same script that composes the spam on the compromised PC, and they belong to innocent people whose harvested addresses are being reused as forged senders. This practice is known as a "Joe Job."

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Feb 22 - 28, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

Continue reading "My Spam analysis for the week of Feb 22 - 28, 2010" »

February 21, 2010

My Spam analysis for the week of Feb 15 - 21, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam, manually or automatically, when a user-defined filter, the built-in learning filter, a blacklist entry or a known spam source matches, or when an attached virus is detected.

Spam levels have increased 5% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a typical variety of categories of spam, including a lot of spam for counterfeit watches and phones, illicit drugs, fake Viagra, Russian dating scams, pirated software, casinos and fake diplomas. My updated blacklisted senders list proved extremely effective again this week, auto-deleting over 16% of all incoming spam (see my extended content for details).

Since virtually all spam is now sent from, and hosted on, hijacked PCs that are zombie members of spam Botnets, and the sender addresses on that spam are forged, there is no point in complaining to the listed From or Reply-To address. Those addresses are inserted by the same script that composes the spam on the compromised PC, and they belong to innocent people whose harvested addresses are being reused as forged senders. This practice is known as a "Joe Job."

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Feb 15 - 21, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

Continue reading "My Spam analysis for the week of Feb 15 - 21, 2010" »

February 14, 2010

My Spam analysis for the week of Feb 8 - 14, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam, manually or automatically, when a user-defined filter, the built-in learning filter, a blacklist entry or a known spam source matches, or when an attached virus is detected.

Spam levels have decreased 4% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a large variety of categories of spam, including a lot of spam for counterfeit diplomas, watches and Viagra, the totally fake "Canadian Pharmacy," Russian dating scams, Nigerian 419 and lottery scams and various identity phishing scams. My updated blacklisted senders list proved extremely effective again this week, auto-deleting over 24% of all incoming spam (see my extended content for details).

Since virtually all spam is now sent from, and hosted on, hijacked PCs that are zombie members of spam Botnets, and the sender addresses on that spam are forged, there is no point in complaining to the listed From or Reply-To address. Those addresses are inserted by the same script that composes the spam on the compromised PC, and they belong to innocent people whose harvested addresses are being reused as forged senders. This practice is known as a "Joe Job."

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Feb 8 - 14, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

Continue reading "My Spam analysis for the week of Feb 8 - 14, 2010" »

February 7, 2010

My Spam analysis for the week of Feb 1 - 7, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam, manually or automatically, when a user-defined filter, the built-in learning filter, a blacklist entry or a known spam source matches, or when an attached virus is detected.

Spam levels have increased 2% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a large variety of categories of spam, including Russian dating spam, fake diplomas and counterfeit brand name watches, pirated software, male enhancement scams, counterfeit Viagra, the fake Canadian Pharmacy, Nigerian 419 scams, DHL and UPS Courier scams and other phishing scams. My updated blacklisted senders list proved extremely effective again this week, auto-deleting ~19% of all incoming spam.

Since virtually all spam is now sent from, and hosted on, hijacked PCs that are zombie members of spam Botnets, and the sender addresses on that spam are forged, there is no point in complaining to the listed From or Reply-To address. Those addresses are inserted by the same script that composes the spam on the compromised PC, and they belong to innocent people whose harvested addresses are being reused as forged senders. This practice is known as a "Joe Job."

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Feb 1 - 7, 2010, and the latest additions to my custom MailWasher Pro filters.

Continue reading "My Spam analysis for the week of Feb 1 - 7, 2010" »

February 1, 2010

My Spam analysis for the week of Jan 25 - 31, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam, manually or automatically, when a user-defined filter, the built-in learning filter, a blacklist entry or a known spam source matches, or when an attached virus is detected.

Spam levels have increased 2% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a large variety of categories of spam, including Russian dating spam, fake diplomas and counterfeit brand name watches, pirated software, male enhancement scams, counterfeit Viagra, the fake Canadian Pharmacy and DHL Courier scams. My updated blacklisted senders list proved extremely effective again this week, auto-deleting ~25% of all incoming spam.

Since virtually all spam is now sent from, and hosted on, hijacked PCs that are zombie members of spam Botnets, and the sender addresses on that spam are forged, there is no point in complaining to the listed From or Reply-To address. Those addresses are inserted by the same script that composes the spam on the compromised PC, and they belong to innocent people whose harvested addresses are being reused as forged senders. This practice is known as a "Joe Job."

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Jan 25 - 31, 2010, and the latest additions to my custom MailWasher Pro filters.

Continue reading "My Spam analysis for the week of Jan 25 - 31, 2010" »

January 24, 2010

My Spam analysis for the week of Jan 18 - 24, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam, manually or automatically, when a user-defined filter, the built-in learning filter, a blacklist entry or a known spam source matches, or when an attached virus is detected.

Spam levels have thankfully decreased 10% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a large variety of categories of spam, including Russian dating spam, fake diplomas and counterfeit brand name watches, male enhancement scams, counterfeit Viagra and the fake Canadian Pharmacy. My updated blacklisted senders list proved extremely effective again this week, auto-deleting ~17% of all incoming spam.

Since virtually all spam is now sent from, and hosted on, hijacked PCs that are zombie members of spam Botnets, and the sender addresses on that spam are forged, there is no point in complaining to the listed From or Reply-To address. Those addresses are inserted by the same script that composes the spam on the compromised PC, and they belong to innocent people whose harvested addresses are being reused as forged senders. This practice is known as a "Joe Job."

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Jan 18 - 24, 2010, and the latest additions to my custom MailWasher Pro filters.

Continue reading "My Spam analysis for the week of Jan 18 - 24, 2010" »

January 17, 2010

My Spam analysis for the week of Jan 11 - 17, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam, manually or automatically, when a user-defined filter, the built-in learning filter, a blacklist entry or a known spam source matches, or when an attached virus is detected.

Spam levels have increased a whopping 25% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a large variety of categories of spam, including Russian dating spam, fake diplomas and counterfeit brand name watches, counterfeit Viagra and the fake Canadian Pharmacy. My updated blacklisted senders list proved extremely effective again this week, auto-deleting ~27% of all incoming spam.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Jan 11 - 17, 2010, and the latest additions to my custom MailWasher Pro filters.


January 10, 2010

My Spam analysis for the week of Jan 3 - 10, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased a whopping 15% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a large variety of categories of spam, led by spam for Viagra, casinos, pirated software, counterfeit watches, the fake Canadian Pharmacy and other pharmaceuticals, and fake diplomas. Saturday, Jan 9, was the "spamiest" day this week. My blacklisted senders list proved effective again this week, catching ~13% of all incoming spam.

Not included in my statistics were several spam messages sent from hijacked PCs, faking a personal friend's account as the sender. The same message was sent to his entire group of contacts. The only body content was a link which led to an exploit web page, hosted on computers in a Botnet, all running an Nginx web server, from Russia. The exploit was based on a bogus Flash Player upgrade file, which is a Trojan Horse.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Jan 3 - 10, 2010, and the latest additions to my custom MailWasher Pro filters.


January 3, 2010

My Spam analysis for the week of Dec 28, 2009 - Jan 3, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased 3% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a large variety of categories of spam, including spam for Viagra, pirated software, counterfeit watches, the fake Canadian Pharmacy and other fake pharmacies, phony loans, fake diplomas, plus some Nigerian 419 scams. Thursday, Dec 31 was the "spamiest" day this week. My blacklisted senders list proved effective again this week, catching 10% of the incoming spam.

Not included in my statistics were several spam messages sent from hijacked PCs, faking a personal friend's account as the sender. The same message was sent to his entire group of contacts. The only body content was a link which led to an exploit web page, hosted on computers in a Botnet, all running an Nginx web server, from Russia. The exploit was based on a bogus Flash Player upgrade file, which is a Trojan Horse.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Dec 28, 2009 - Jan 3, 2010, and the latest additions to my custom MailWasher Pro filters.


December 27, 2009

My Spam analysis for the week of Dec 21 - 27, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have decreased 3% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a large variety of categories of spam, including spam for pirated software, counterfeit watches, the fake Canadian Pharmacy and other fake pharmacies, illegal-to-import Viagra from China and India, HTML positioning tricks, plus some Nigerian 419 scams. Monday, Dec 21 was the "spamiest" day this week. Further, my blacklisted senders list proved very effective this week.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Dec 21 - 27, 2009 and the latest additions to my custom MailWasher Pro filters.


December 20, 2009

My Spam analysis for the week of Dec 14 - 20, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have decreased 6% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a large variety of categories of spam, including spam for the fake Canadian Pharmacy and other fake pharmacies, illegal-to-import Viagra from China and India, acai berry weight loss scams, counterfeit watches, loan scams and lottery scams. Also continuing this week was a run of pornographic spam subjects. Thursday, Dec 17 was the "spamiest" day this week.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Dec 14 - 20, 2009 and the latest additions to my custom MailWasher Pro filters.


December 13, 2009

My Spam analysis for the week of Dec 7 - 13, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased 7% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week saw a large variety of categories of spam, including the return of male enhancement scams, spam for the fake Canadian Pharmacy, Illicit Viagra from China, weight loss scams, counterfeit watches, loan scams and identity theft phishing scams targeting bank and UPS customers. New this week was a run of very pornographic spam promoting a dating service with a very nasty name. Such websites are places where people have their credit or debit cards stolen, or where extremely hostile scripts are run against your browser, trying to infect your computer.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Dec 7 - 13, 2009 and the latest additions to my custom MailWasher Pro filters.


December 6, 2009

My Spam analysis for the week of Nov 30 - Dec 6, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased 2% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week was for various unlicensed prescription drugs from China, plus weight loss, male enhancement and phishing scams. The rise in Male Enhancement scams follows a total decline that occurred a month ago, after the takedown of the Mega-D Botnet. The spammers using that Botnet have hired other Botnets to distribute their enlargement scams.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Nov 30 - Dec 6, 2009 and the latest additions to my custom MailWasher Pro filters.


November 29, 2009

My Spam analysis for the week of Nov 23 - 29, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased 5% this week from last week's level. Furthermore, there has been a big drop in the number of male enhancement scam emails I have captured. This is almost entirely due to the hijacking and sinkholing of the Ozdok/Mega-D Botnet. That Botnet was taken down two weeks ago by the efforts of FireEye, a security firm that hijacked the Ozdok Bot command structure and redirected requests for updates from the zombies in the Botnet to a blackhole/sinkhole IP. They also notified all of the companies hosting the Command and Control servers used by the Botnet and those servers were all taken offline. This was all accomplished in a mere 24 hours, thanks to a lot of co-operation and investigative work. Unfortunately, those male enhancement spam emails are reappearing, so either Mega-D Botnet has been restored, or another Botnet is being used by the spammers promoting these fake, Chinese enhancement products.

Before the takedown, Mega-D was responsible for most of the World-wide plague of male enhancement spam messages, going back to at least 2007. Those are the messages promoting unreal enlargement results from various bogus pills and herbals.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week was for the fake Canadian Pharmacy and other unlicensed prescription drugs from China. Also, the Nigerian scammers were busy again last week, promoting their lottery scams, sent from various African countries.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Nov 23 - 29, 2009 and the latest additions to my custom MailWasher Pro filters.


November 22, 2009

My Spam analysis for the week of Nov 16 - 22, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have decreased 1% this week from last week's level. Furthermore, there has been a big drop in the number of male enhancement scam emails I have captured. This is almost entirely due to the hijacking and sinkholing of the Ozdok/Mega-D Botnet. That Botnet was taken down last week by the efforts of FireEye, a security firm that hijacked the Ozdok Bot command structure and redirected requests for updates from the zombies in the Botnet to a blackhole/sinkhole IP. They also notified all of the companies hosting the Command and Control servers used by the Botnet and those servers were all taken offline. This was all accomplished in a mere 24 hours, thanks to a lot of co-operation and investigative work.

Before the takedown, Mega-D was responsible for most of the World-wide plague of male enhancement spam messages, going back to at least 2007 (or late 2006). Those are the messages promoting unreal enlargement results from various bogus pills and herbals.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week was for fake Viagra and other unlicensed prescription drugs from China. Not surprisingly, the Nigerian scammers were busy again last week, promoting their advance fee fraud 419 scams. 100% of the email coming to me with African IPs in the headers is a 419 scam. I have a MailWasher Pro filter to detect and block African senders.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Nov 16 - 22, 2009 and the latest additions to my custom MailWasher Pro filters.


November 19, 2009

Block trackback spammer operating on Ubiquity Server Solutions

For the past few days I have discovered that a script, or person operating a server farm, at Ubiquity Server Solutions, is attempting to post spam trackbacks to my blog. I don't even allow trackbacks on my blog, for this very reason, yet, this spamming idiot keeps blasting away with his script, ignoring a constant flow of Server 403 (Forbidden) responses. The page that the spammer is trying to POST to is no longer on the blog database, having been deleted in the spring of 2006! So, he is wasting his time and amusing me as I look at all the IP addresses I can add to my Exploited Servers Blocklist.

In fact, I have discovered that this blog trackback spammer is using a server farm assigned to Ubiquity Server Solutions, in Seattle, Washington, USA. Their full assigned CIDR is 64.120.4.0/22, covering IPs ranging from 64.120.4.0 through 64.120.7.255. However, to be fair to this clueless hosting service, the spammer is rotating through a group of servers with IP addresses only in the range of 64.120.5.0 - 64.120.5.255. To minimize possible collateral damage to innocent hosting customers, I am only blocking the narrow range encompassed by the CIDR 64.120.5.0/24.

UPDATE
November 20, 2009

Ubiquity Servers is now hitting MovableType blogs with trackback spam exploit attempts from a different CIDR: 174.34.144.0/23. I have updated the evidence and blocklist rules below to include this new CIDR.

The evidence:

174.34.145.115 - - [19/Nov/2009:12:59:57 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"
174.34.145.117 - - [19/Nov/2009:15:16:17 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"

64.120.5.197 - - [18/Nov/2009:07:07:08 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"
64.120.5.241 - - [18/Nov/2009:07:12:57 -0800] "POST /blogs/2007/08/stupid_blog_trackback_spammers_dont_understa.html HTTP/1.0" 302 378 "-" "tbr/0.1.0"
64.120.5.246 - - [18/Nov/2009:07:32:26 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"
64.120.5.254 - - [18/Nov/2009:07:49:48 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"
64.120.5.236 - - [18/Nov/2009:08:22:27 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"
64.120.5.196 - - [18/Nov/2009:08:30:16 -0800] "POST /blogs/2007/08/stupid_blog_trackback_spammers_dont_understa.html HTTP/1.0" 302 378 "-" "tbr/0.1.0"
64.120.5.225 - - [18/Nov/2009:08:49:54 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"

Enough already! You will notice that the spammer is only attempting to POST to two items. One is identified as blog entry number 18, which dates back to May of 2006 and was deleted from my blog in early 2007. The other target of this hapless spammer is an article I wrote about "Stupid Blog Trackback Spammers" not understanding a 403 Forbidden response, when they try to post trackback comments to a blog that has all trackbacks and comments disabled! There are no trackbacks or comments allowed on my blog! Spammers cannot POST anything!

I find this amusing, but others who do allow trackbacks or comments may not be so amused by this a-hole, whom I previously may have traced to Romania. If your website is hosted on an Apache web server, you can serve him a steady diet of Server 403 Forbidden responses by blocking his IP CIDR and his user agent in your public web root .htaccess file, as demonstrated below.


# Refuse every request from the two spammer CIDRs (Order/Deny directives, Apache 2.2 style)
<Files *>
order deny,allow
deny from 64.120.5.0/24
deny from 174.34.144.0/23
</Files>

# mod_rewrite: answer the spammer's exact user agent with 403 Forbidden, whatever its source IP
Options +FollowSymLinks
RewriteEngine On
RewriteOptions inherit
RewriteBase /

# ^ and $ anchor the match to the whole User-Agent string "tbr/0.1.0"
RewriteCond %{HTTP_USER_AGENT} ^tbr/0\.1\.0$
RewriteRule .* - [F]

You should determine if legitimate visitors to your blogs are using the tbr/0.1.0 user agent. If so, don't block it. In all likelihood, only spammers use that tool with that version number.
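A defender-side triage of the log evidence above, as an added example that is not part of the original post: it parses Apache combined-format log lines, applies the two .htaccess rules (the blocked CIDRs and the tbr/0.1.0 user agent) as predicates, reports what each rule catches, what collateral the CIDR rule would cause and what only the user-agent rule stops, and computes the smallest prefix covering the observed sources inside the provider's 64.120.4.0/22, which is the narrowing step the post describes. The log lines are the nine quoted above plus three constructed ones (192.0.2.10, 64.120.5.10 and 203.0.113.5, not real visitors) that exercise the edge cases; the function names and the assumption that no POST to this blog is legitimate are my own.

```python
# Added example (not code from the original post): offline triage of Apache
# combined-format access-log lines for the trackback-spam pattern described above.
import ipaddress
import re

# Apache "combined" log format. The group names are this script's own.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The two CIDRs the post blocks in .htaccess, and the provider's full allocation.
BLOCKED_CIDRS = [ipaddress.ip_network("64.120.5.0/24"),
                 ipaddress.ip_network("174.34.144.0/23")]
PROVIDER_ALLOCATION = ipaddress.ip_network("64.120.4.0/22")
SPAM_UA = "tbr/0.1.0"

# The nine lines quoted in the post, plus three constructed lines:
#   192.0.2.10   ordinary GET from outside every blocked range (should pass)
#   64.120.5.10  ordinary GET from inside 64.120.5.0/24 (collateral of the CIDR rule)
#   203.0.113.5  tbr/0.1.0 POST from outside both CIDRs (only the UA rule stops it)
SAMPLE_LOG = """\
174.34.145.115 - - [19/Nov/2009:12:59:57 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"
174.34.145.117 - - [19/Nov/2009:15:16:17 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"
64.120.5.197 - - [18/Nov/2009:07:07:08 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"
64.120.5.241 - - [18/Nov/2009:07:12:57 -0800] "POST /blogs/2007/08/stupid_blog_trackback_spammers_dont_understa.html HTTP/1.0" 302 378 "-" "tbr/0.1.0"
64.120.5.246 - - [18/Nov/2009:07:32:26 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"
64.120.5.254 - - [18/Nov/2009:07:49:48 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"
64.120.5.236 - - [18/Nov/2009:08:22:27 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"
64.120.5.196 - - [18/Nov/2009:08:30:16 -0800] "POST /blogs/2007/08/stupid_blog_trackback_spammers_dont_understa.html HTTP/1.0" 302 378 "-" "tbr/0.1.0"
64.120.5.225 - - [18/Nov/2009:08:49:54 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"
192.0.2.10 - - [18/Nov/2009:09:00:00 -0800] "GET /blogs/2007/08/stupid_blog_trackback_spammers_dont_understa.html HTTP/1.1" 200 8192 "-" "Mozilla/5.0 (constructed)"
64.120.5.10 - - [18/Nov/2009:09:05:00 -0800] "GET /blogs/2007/08/stupid_blog_trackback_spammers_dont_understa.html HTTP/1.1" 200 8192 "-" "Mozilla/5.0 (constructed)"
203.0.113.5 - - [19/Nov/2009:16:00:00 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"
"""


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ip"] = ipaddress.ip_address(rec["ip"])
    rec["status"] = int(rec["status"])
    return rec


def is_trackback_post(rec):
    """The unwanted request itself: a POST at the MovableType trackback CGI or a blog page.
    Assumption taken from the post: the blog accepts no trackbacks or comments at all."""
    return rec["method"] == "POST" and (
        rec["path"].startswith("/cgi-bin/mt/mt-tb.cgi/") or rec["path"].startswith("/blogs/"))


def blocked_by_cidr(ip):
    """Would the 'deny from' lines refuse this client address?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_CIDRS)


def blocked_by_ua(ua):
    """Would the anchored RewriteCond on the tbr/0.1.0 user agent refuse this request?"""
    return ua == SPAM_UA


def covering_network(ips):
    """Smallest single CIDR containing every address: the narrowing step the post uses
    to block 64.120.5.0/24 rather than the provider's whole /22."""
    addrs = sorted(ipaddress.ip_address(ip) for ip in ips)
    net = ipaddress.ip_network(f"{addrs[0]}/32")
    while not all(a in net for a in addrs):
        net = net.supernet()  # widen one bit at a time until everything fits
    return net


def triage(log_text):
    """Apply both .htaccess rules to the log and report what each catches and misses."""
    recs = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    spam = [r for r in recs if is_trackback_post(r)]
    cidr_hits = [r for r in recs if blocked_by_cidr(r["ip"])]
    in_alloc = {r["ip"] for r in spam if r["ip"] in PROVIDER_ALLOCATION}
    return {
        "parsed": len(recs),
        "spam_posts": len(spam),
        "ua_blocked": sum(blocked_by_ua(r["ua"]) for r in recs),
        "cidr_blocked": len(cidr_hits),
        # non-spam requests the CIDR rule would also refuse
        "cidr_collateral": [str(r["ip"]) for r in cidr_hits if not is_trackback_post(r)],
        # spam POSTs that only the user-agent rule stops
        "spam_missed_by_cidr": [str(r["ip"]) for r in spam if not blocked_by_cidr(r["ip"])],
        # tightest prefix covering the spam sources inside the provider's /22
        "spam_sources_in_allocation": str(covering_network(in_alloc)) if in_alloc else None,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Running it on the sample shows the trade-off the post is making: the seven 64.120.5.x sources collapse to 64.120.5.192/26, so the /24 in the .htaccess already has headroom for the spammer to rotate inside, while the constructed 64.120.5.10 visitor is collateral of that range and the constructed 203.0.113.5 request is caught only by the user-agent condition. Replacing SAMPLE_LOG with the contents of a real access log is the intended use.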

Details about the .htaccess file are found in my extended comments.


November 15, 2009

My Spam analysis for the week of Nov 9 - 15, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased 4% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week was for unlicensed prescription drugs from China, plus the usual male enhancement and fake pharmacy scams and counterfeit Viagra. Not to be outdone, the Nigerian scammers were busy again last week, promoting their lottery scams. 100% of the email coming to me with African IPs in the headers is a 419 scam.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

See my extended comments for this week's breakdown of spam by category, for Nov 9 - 15, 2009 and the latest additions to my custom MailWasher Pro filters.

Continue reading "My Spam analysis for the week of Nov 9 - 15, 2009" »


November 8, 2009

My Spam analysis for the week of Nov 2 - 8, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Spam levels have decreased 6% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week was for knock-off (counterfeit) Chinese watches, male enhancement and fake pharmacy scams and counterfeit Viagra. Not to be outdone, the Nigerian scammers were busy again last week, promoting their usual 419 and lottery scams. 100% of all email coming to me with African IPs in the headers is 419 scams.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

See my extended comments for this week's breakdown of spam by category, for Nov 2 - 8, 2009 and the latest additions to my custom MailWasher Pro filters.

Continue reading "My Spam analysis for the week of Nov 2 - 8, 2009" »


November 1, 2009

My Spam analysis for Oct 26 - Nov 1, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Spam levels have decreased 3% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week was for knock-off (counterfeit) Chinese watches, clothes and handbags, closely followed by male enhancement and fake pharmacy scams. Not to be outdone, the Nigerian scammers were busy again last week, promoting their usual 419 and lottery scams.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

See my extended comments for this week's breakdown of spam by category, for Oct 26 - Nov 1, 2009 and the latest additions to my custom MailWasher Pro filters.

Continue reading "My Spam analysis for Oct 26 - Nov 1, 2009" »


October 25, 2009

My Spam analysis for Oct 20 - 25, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Spam levels have increased 4% this week, after two weeks in a row that spam levels had declined here. This might mean that the Bot Masters running spam Botnets may be sorting out problems maintaining their command and control (C&C) servers, used to reactivate their sleeping zombie computers (Almost all spam is now sent from "zombie" computers in spam Botnets).

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week was for Nigerian 419 advance fee fraud scams, counterfeit Viagra and other brand name knock-offs. There was also a resurgence in spam using Yahoo! Groups web pages, mostly for the fake "Canadian Pharmacy," so Yahoo! needs to set up some keyword filters to detect and take down these illicit pages. Many of the "Known Spam Domain" spamvertised pharmaceutical websites were domains ending in ".cn" - which is the designation for websites hosted in China. Coincidentally, these spam messages were usually promoting the fake Canadian Pharmacy sites. Spammers try to confuse their victims with .cn domain links, because actual Canadian websites end in .ca, which many people don't realize.
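As an added example (not code from this page, nor from MailWasher Pro), the following Python sketch implements the two link-based heuristics described above: it pulls URLs out of a message body, flags a "Canadian Pharmacy" pitch whose links point at a .cn host, and flags links into Yahoo! Groups pages. The sample messages are constructed for the demonstration; the category labels borrow the filter names this page uses.

```python
import re
from urllib.parse import urlparse

# Constructed sample bodies (not real spam), one per case of interest.
SAMPLES = {
    "cn_pharmacy": "Canadian Pharmacy - 80% off! Order at http://cheap-meds-example.cn/order",
    "yahoo_groups": "Best deals here: http://groups.yahoo.com/group/example-pharma-promo",
    "both": "Canadian Pharmacy http://groups.yahoo.com/group/x and http://pills-example.cn",
    "legit_ca": "Our clinic in Toronto: https://clinic-example.ca/contact",
}

# Plain http/https URLs up to the next whitespace or quote/angle bracket.
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)
# The pitch the page says is paired with .cn links.
PHARMACY_RE = re.compile(r"canadian\s+pharmacy", re.IGNORECASE)


def extract_hosts(body):
    """Return the lower-cased hostnames of every URL in the body, in order."""
    hosts = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname  # already lower-cased by urlparse
        if host:
            hosts.append(host)
    return hosts


def tld(host):
    """Last DNS label of a hostname, e.g. 'cn' for 'pills-example.cn'."""
    return host.rsplit(".", 1)[-1]


def classify(body):
    """Return the list of filter categories the body triggers (possibly empty)."""
    hosts = extract_hosts(body)
    labels = []
    # Heuristic 1: a 'Canadian Pharmacy' pitch linking to a .cn domain.
    # A genuine Canadian site would be under .ca, so the mismatch is the signal.
    if PHARMACY_RE.search(body) and any(tld(h) == "cn" for h in hosts):
        labels.append("Known Spam Domains (.cn Canadian Pharmacy)")
    # Heuristic 2: spam hosted on Yahoo! Groups pages.
    if any(h == "groups.yahoo.com" or h.endswith(".groups.yahoo.com") for h in hosts):
        labels.append("Yahoo Groups Spam Link")
    return labels


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:12s} -> {classify(body) or ['(no match)']}")
```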

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

See my extended comments for this week's breakdown of spam by category, for Oct 20 - 25, 2009 and the latest additions to my custom MailWasher Pro filters.

Continue reading "My Spam analysis for Oct 20 - 25, 2009" »


October 18, 2009

My Spam analysis for Oct 12 - 18, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Spam levels have decreased again this week, making two weeks in a row that spam levels have declined here. This might mean that the Bot Masters running spam Botnets may have problems maintaining their command and control (C&C) servers, used to reactivate their sleeping zombie computers (Almost all spam is now sent from "zombie" computers in spam Botnets). Or, maybe those zombie PCs have been disinfected or taken offline. Or, maybe they are putting most of their efforts into scams on social networking sites and server exploits.

However, Bot Herders and spammers don't give up easily. If they lose one Command and Control server they will hunt for another one, often in China or Eastern Europe. Once they get those hostile servers back online, with other spam friendly hosts, the zombies are awakened and we see lots more spam. If the Botnet loses zombies after a major cleanup, they will acquire more through compromised or hostile websites exploiting vulnerabilities in browsers and their plug-ins and add-ons.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week was for the fake Canadian Pharmacy and counterfeit watches and other "knock offs." There were also several Nigerian 419 advance fee fraud scams. Most spamvertised pharmaceutical websites were domains ending in ".cn" - which is the designation for websites hosted in China. Coincidentally, these spam messages were usually promoting the fake Canadian Pharmacy sites. Spammers try to confuse their victims with .cn domain links, because actual Canadian websites end in .ca, which many people don't realize.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

See my extended comments for this week's breakdown of spam by category, for Oct 12 - 18, 2009 and the latest additions to my custom MailWasher Pro filters.

Continue reading "My Spam analysis for Oct 12 - 18, 2009" »

Facebook Twitter LinkedIn Pinterest Instapaper Google+ Addthis

back to top ^

October 12, 2009

My Spam analysis for Oct 5 - 11, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Spam levels have decreased a bit this week, after a significant increase last week. This might mean that the Bot Masters running spam Botnets may have problems maintaining their command and control (C&C) servers, used to reactivate their sleeping zombie computers. Or, maybe those zombie PCs have been disinfected or taken offline. Whatever the explanation, spam dropped this week.

Almost all spam is now sent from zombie computers in spam Botnets, under the control of Bot Masters who rent the use of their networks to spammers. Major changes in the overall volume of spam indicate problems or successes of the Bot Masters with command and control over their robotic armies of spamming PCs. Sometimes their command and control servers are shut down by the efforts of security organizations, forcing them to look for other spam-friendly hosting companies. Other times, Microsoft's monthly Windows Updates, featuring an updated MSRT, or other security products, will clean Bot infections from millions of zombie computers. When this happens the overall volume of spam drops, as it has this week.

However, Bot Herders don't give up easily. If they lose one Command and Control server they will hunt for another one, often in China or Eastern Europe. Once they get those hostile servers back online, with other spam friendly hosts, the zombies are awakened and we see lots more spam. If the Botnet loses zombies after a major cleanup, they will acquire more through compromised or hostile websites exploiting vulnerabilities in browsers and their plug-ins and add-ons.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week, especially the "Other Filters" and "Known Spam Domains" categories was for the fake Canadian Pharmacy, male enhancement scams and counterfeit Viagra. There was also some spam for counterfeit watches-handbags-software, and several Nigerian 419 advance fee fraud scams.

In case anybody doesn't already know, virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets. All email sender addresses are forged, so there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

See my extended comments for this week's breakdown of spam by category, for Oct 5 - 11, 2009 and the latest additions to my custom MailWasher Pro filters.

Continue reading "My Spam analysis for Oct 5 - 11, 2009" »


October 4, 2009

My Spam analysis for Sept 28 - Oct 4, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Spam levels have increased again this week, after a significant decrease last week. This means that the Bot Masters running spam Botnets regained access to their command and control (C&C) servers, used to reactivate their sleeping zombie computers. Those zombie PCs are now sending out normal volumes of spam, as commanded by their Bot Masters. This will continue until the people hosting the C&C servers cut off the accounts, or get shut down by authorities.

Almost all spam is now sent from zombie computers in spam Botnets, under the control of Bot Masters who rent the use of their networks to spammers. Major changes in the overall volume of spam indicate problems or successes of the Bot Masters with command and control over their robotic armies of spamming PCs. Sometimes their command and control servers are shut down by the efforts of security organizations, forcing them to look for other spam-friendly hosting companies. Other times, Microsoft's monthly Windows Updates, featuring an updated MSRT, or other security products, will clean Bot infections from millions of zombie computers. When this happens the overall volume of spam drops, as it has this week.

However, Bot Herders don't give up easily. If they lose one Command and Control server they will hunt for another one, often in China or Eastern Europe. Once they get those hostile servers back online, with other spam friendly hosts, the zombies are awakened and we see lots more spam. If the Botnet loses zombies after a major cleanup, they will acquire more through compromised or hostile websites exploiting vulnerabilities in browsers and their plug-ins and add-ons.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week, especially the "Other Filters" "Known Spam Domains" and "Yahoo Groups Spam Link" categories, was for the fake Canadian Pharmacy, male enhancement scams and counterfeit Viagra. There was also some spam for counterfeit watches-handbags-software, phishing and weight loss scams.

In case anybody doesn't already know, virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets. All email sender addresses are forged, so there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

See my extended comments for this week's breakdown of spam by category, for Sept 28 - Oct 4, 2009 and the latest additions to my custom MailWasher Pro filters.

Continue reading "My Spam analysis for Sept 28 - Oct 4, 2009" »


September 27, 2009

My Spam analysis for Sept 21 - 27, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Spam levels have decreased for the first time in five weeks. This means that the Bot Masters running spam Botnets may only have intermittent access to their command and control (C&C) servers, used to reactivate their sleeping zombie computers. Those zombie PCs are now sending out medium volumes of spam, as commanded by their Bot Masters. This will continue until the people hosting the C&C servers cut off the accounts, or get shut down by authorities.

Almost all spam is now sent from zombie computers in spam Botnets, under the control of Bot Masters who rent the use of their networks to spammers. Major changes in the overall volume of spam indicate problems or successes of the Bot Masters with command and control over their robotic armies of spamming PCs. Sometimes their command and control servers are shut down by the efforts of security organizations, forcing them to look for other spam-friendly hosting companies. Other times, Microsoft's monthly Windows Updates, featuring an updated MSRT, or other security products, will clean Bot infections from millions of zombie computers. When this happens the overall volume of spam drops, as it has this week.

However, Bot Herders don't give up easily. If they lose one Command and Control server they will hunt for another one, often in China or Eastern Europe. Once they get those hostile servers back online, with other spam friendly hosts, the zombies are awakened and we see lots more spam. If the Botnet loses zombies after a major cleanup, they will acquire more through compromised or hostile websites exploiting vulnerabilities in browsers and their plug-ins and add-ons.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week, especially the "Other Filters" and "Yahoo Groups Spam Link" categories, was for the fake Canadian Pharmacy, male enhancement scams and counterfeit Viagra. There was also some spam for counterfeit watches, software, lottery, phishing and weight loss scams.

In case anybody doesn't already know, virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets. All email sender addresses are forged, so there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

See my extended comments for this week's breakdown of spam by category, for Sept 21 - 27, 2009 and the latest additions to my custom MailWasher Pro filters.

Continue reading "My Spam analysis for Sept 21 - 27, 2009" »


September 20, 2009

My Spam analysis for Sept 14 - 20, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Spam levels have increased for four weeks in a row. This means that the Bot Masters running spam Botnets have regained access to their command and control (C&C) servers, which have reactivated sleeping zombie computers. Those zombie PCs are now sending out large volumes of spam, as commanded by their Bot Masters. This will continue until the people hosting the C&C servers cut off the accounts, or get shut down by authorities.

Almost all spam is now sent from zombie computers in spam Botnets, under the control of Bot Masters who rent the use of their networks to spammers. Major changes in the overall volume of spam indicate problems or successes of the Bot Masters with command and control over their robotic armies of spamming PCs. Sometimes their command and control servers are shut down by the efforts of security organizations, forcing them to look for other spam-friendly hosting companies. Other times, Microsoft's monthly Windows Updates, featuring an updated MSRT, or other security products, will clean Bot infections from millions of zombie computers. When this happens the overall volume of spam drops, as it has this week.

However, Bot Herders don't give up easily. If they lose one Command and Control server they will hunt for another one, often in China or Eastern Europe. Once they get those hostile servers back online, with other spam friendly hosts, the zombies are awakened and we see lots more spam. If the Botnet loses zombies after a major cleanup, they will acquire more through compromised or hostile websites exploiting vulnerabilities in browsers and their plug-ins and add-ons.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week, especially the "Other Filters" and "Known Spam Domains" categories, was for the fake Canadian Pharmacy, male enhancement scams and counterfeit Viagra. There was also some spam for counterfeit watches and weight loss scams.

In case anybody doesn't already know, virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets. All email sender addresses are forged, so there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

See my extended comments for this week's breakdown of spam by category, for Sept 14 - 20, 2009 and the latest additions to my custom MailWasher Pro filters.

Continue reading "My Spam analysis for Sept 14 - 20, 2009" »


September 13, 2009

My Spam analysis for Sept 7 - 13, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Spam levels have increased for three weeks in a row. This means that the Bot Masters running spam Botnets have regained access to their command and control (C&C) servers, which have reactivated sleeping zombie computers. Those zombie PCs are now sending out large volumes of spam, as commanded by their Bot Masters. This will continue until the people hosting the C&C servers cut off the accounts, or get shut down by authorities.

Almost all spam is now sent from zombie computers in spam Botnets, under the control of Bot Masters who rent the use of their networks to spammers. Major changes in the overall volume of spam indicate problems or successes of the Bot Masters with command and control over their robotic armies of spamming PCs. Sometimes their command and control servers are shut down by the efforts of security organizations, forcing them to look for other spam-friendly hosting companies. Other times, Microsoft's monthly Windows Updates, featuring an updated MSRT, or other security products, will clean Bot infections from millions of zombie computers. When this happens the overall volume of spam drops, as it has this week.

However, Bot Herders don't give up easily. If they lose one Command and Control server they will hunt for another one, often in China or Eastern Europe. Once they get those hostile servers back online, with other spam friendly hosts, the zombies are awakened and we see lots more spam. If the Botnet loses zombies after a major cleanup, they will acquire more through compromised or hostile websites exploiting vulnerabilities in browsers and their plug-ins and add-ons.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week, especially the "Other Filters" and "Known Spam Domains" categories, was for male enhancement scams and fake Viagra. There was also a bunch of spam for illegal casinos and the fake Canadian Pharmacy.

In case anybody doesn't already know, virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets. All email sender addresses are forged, so there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

See my extended comments for this week's breakdown of spam by category, for Sept 7 - 13, 2009 and the latest additions to my custom MailWasher Pro filters.

Continue reading "My Spam analysis for Sept 7 - 13, 2009" »


September 6, 2009

My Spam analysis for Aug 31 - Sept 6, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Spam levels have increased for two weeks in a row. This probably means that the Bot Masters running spam Botnets have regained access to their command and control servers, which have reactivated sleeping zombie computers. Those zombie PCs are now sending out large volumes of spam, as commanded by their Bot Masters.

Almost all spam is now sent from zombie computers in spam Botnets, under the control of Bot Masters who rent the use of their networks to spammers. Major changes in the overall volume of spam indicate problems or successes of the Bot Masters with command and control over their robotic armies of spamming PCs. Sometimes their command and control servers are shut down by the efforts of security organizations, forcing them to look for other spam-friendly hosting companies. Other times, Microsoft's monthly Windows Updates, featuring an updated MSRT, or other security products, will clean Bot infections from millions of zombie computers. When this happens the overall volume of spam drops, as it has this week.

However, Bot Herders don't give up easily. If they lose one Command and Control server they will hunt for another one, often in China or Eastern Europe. Once they get those hostile servers back online, with other spam friendly hosts, the zombies are awakened and we see lots more spam. If the Botnet loses zombies after a major cleanup, they will acquire more through compromised or hostile websites exploiting vulnerabilities in browsers and their plug-ins and add-ons.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week, especially the "Other Filters" and "Known Spam Domains" categories, was for male enhancement scams and fake Viagra. There was also a bunch of spam for illegal casinos and the fake Canadian Pharmacy.

In case anybody doesn't already know, virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets. All email sender addresses are forged, so there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

See my extended comments for this week's breakdown of spam by category, for Aug 31 - Sept 6, 2009 and the latest additions to my custom MailWasher Pro filters.

Continue reading "My Spam analysis for Aug 31 - Sept 6, 2009" »


August 30, 2009

My Spam analysis for Aug 24 - 30, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Spam levels have increased significantly after being unusually low for two weeks in a row. This probably means that the Bot Masters running spam Botnets have regained access to their command and control servers, which have reactivated sleeping zombie computers. Those zombie PCs are now sending out large volumes of spam, as commanded by their Bot Masters.

Almost all spam is now sent from zombie computers in spam Botnets, under the control of Bot Masters who rent the use of their networks to spammers. Major changes in the overall volume of spam indicate problems or successes of the Bot Masters with command and control over their robotic armies of spamming PCs. Sometimes their command and control servers are shut down by the efforts of security organizations, forcing them to look for other spam-friendly hosting companies. Other times, Microsoft's monthly Windows Updates, featuring an updated MSRT, or other security products, will clean Bot infections from millions of zombie computers. When this happens the overall volume of spam drops, as it has this week.

However, Bot Herders don't give up easily. If they lose one Command and Control server they will hunt for another one, often in China or Eastern Europe. Once they get those hostile servers back online, with other spam friendly hosts, the zombies are awakened and we see lots more spam. If the Botnet loses zombies after a major cleanup, they will acquire more through compromised or hostile websites exploiting vulnerabilities in browsers and their plug-ins and add-ons.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week, especially the "Known Spam Domains" category, was for male enhancement scams and fake Viagra. There was also a bunch of Nigerian lottery scams and counterfeit watches.

In case anybody doesn't already know, virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets. All email sender addresses are forged, so there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

See my extended comments for this week's breakdown of spam by category, for Aug 24 - 30, 2009 and the latest additions to my custom MailWasher Pro filters.


August 23, 2009

My Spam analysis for Aug 17 - 23, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Wow! Spam levels have dropped significantly two weeks in a row! I received less than half the number of spam messages of the previous few weeks. This probably means that the Bot Masters running spam Botnets have temporarily lost access to their command and control servers, or that the spammers who rent the use of those Bots have run low on cash, or are under arrest, or are lying low to avoid prosecution. I suspect the first explanation.

Almost all spam is now sent from zombie computers in spam Botnets, under the control of Bot Masters who rent the use of their networks to spammers. Major changes in the overall volume of spam indicate problems or successes of the Bot Masters with command and control over their robotic armies of spamming PCs. Sometimes their command and control servers are shut down by the efforts of security organizations, forcing them to look for other spam-friendly hosting companies. Other times, Microsoft's monthly Windows Updates, featuring an updated MSRT, or other security products, will clean Bot infections from millions of zombie computers. When this happens the overall volume of spam drops, as it has this week.

However, Bot Herders don't give up easily. If they lose one Command and Control server they will hunt for another one, often in China or Eastern Europe. Once they get those hostile servers back online, with other spam-friendly hosts, the zombies are awakened and we see lots more spam. If the Botnet loses zombies after a major cleanup, they will acquire more through compromised or hostile websites exploiting vulnerabilities in browsers and their plug-ins and add-ons.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week, especially the "Known Spam Domains" category, was for male enhancement scams and fake Viagra. There was also a bunch of Nigerian lottery scams and counterfeit watches.

In case anybody doesn't already know, virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets. All email sender addresses are forged, so there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

See my extended comments for this week's breakdown of spam by category, for Aug 17 - 23, 2009 and the latest additions to my custom MailWasher Pro filters.


August 16, 2009

My Spam analysis for Aug 10 - 16, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Wow! Spam levels have dropped significantly this week! I received about half the number of spam messages of the previous few weeks. This could mean that the Bot Masters running spam Botnets have temporarily lost access to their command and control servers, or that the spammers who rent the use of those Bots have run low on cash, or are under arrest, or are lying low to avoid prosecution. I suspect the first explanation.

Almost all spam is now sent from zombie computers in spam Botnets, under the control of Bot Masters who rent the use of their networks to spammers. Major changes in the overall volume of spam indicate problems or successes of the Bot Masters with command and control over their robotic armies of spamming PCs. Sometimes their command and control servers are shut down by the efforts of security organizations, forcing them to look for other spam-friendly hosting companies. Other times, Microsoft's monthly Windows Updates, featuring an updated MSRT, or other security products, will clean Bot infections from millions of zombie computers. When this happens the overall volume of spam drops, as it has this week.

However, Bot Herders don't give up easily. If they lose one Command and Control server they will hunt for another one, often in China or Eastern Europe. Once they get those hostile servers back online, with other spam-friendly hosts, the zombies are awakened and we see lots more spam. If the Botnet loses zombies after a major cleanup, they will acquire more through compromised or hostile websites exploiting vulnerabilities in browsers and their plug-ins and add-ons.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week, especially the "Known Spam Domains" category, was for male enhancement scams and fake Viagra. There was also a bunch of Nigerian 419 scams.

In case anybody doesn't already know, virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets. All email sender addresses are forged, so there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

See my extended comments for this week's breakdown of spam by category, for Aug 10 - 16, 2009 and the latest additions to my custom MailWasher Pro filters.


August 9, 2009

My Spam analysis for Aug 3 - 9, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

The volume of spam coming to my various honeypots and user accounts has declined very slightly, to 17%. Almost all spam is now sent from zombie computers in spam Botnets, under the control of Bot Masters who rent the use of their networks to spammers. Major changes in the overall volume of spam indicate problems or successes of the Bot Masters with command and control over their robotic armies of spamming PCs. Sometimes their command and control servers are shut down by the efforts of security organizations, forcing them to look for other spam-friendly hosting companies. When this happens the overall volume of spam drops. Once they get those hostile servers back online, with other hosts, the zombies are awakened and we see lots more spam.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week, especially the "Other Filters" category, was for male enhancement scams and the fake Canadian Pharmacy and other fake pharmacies. Next, was spam for pirated software and casinos.

In case anybody doesn't already know, virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets. All email sender addresses are forged, so there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

See my extended comments for this week's breakdown of spam by category, for Aug 3 - 9, 2009 and the latest additions to my custom MailWasher Pro filters.


August 2, 2009

My Spam analysis for July 27 - Aug 2, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

The volume of spam coming to my various honeypots and user accounts has declined slightly, to 18%. Almost all spam is now sent from zombie computers in spam Botnets, under the control of Bot Masters who rent the use of their networks to spammers. Major changes in the overall volume of spam indicate problems or successes of the Bot Masters with command and control over their robotic armies of spamming PCs. Sometimes their command and control servers are shut down by the efforts of security organizations, forcing them to look for other spam-friendly hosting companies. When this happens the overall volume of spam drops. Once they get those hostile servers back online, with other hosts, the zombies are awakened and we see lots more spam.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week was for male enhancement scams and the fake Canadian Pharmacy, which sells illicit and counterfeit pharmaceuticals like Viagra, and is hosted on Botnetted PCs. Next, was spam for weight loss ripoffs and casinos.

See my extended comments for this week's breakdown of spam by category, for July 27 - Aug 2, 2009 and the latest additions to my custom MailWasher Pro filters.


July 26, 2009

My Spam analysis for July 20 - 26, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

The volume of spam coming to my various honeypots and user accounts has remained the same two weeks in a row, at 21%. This suggests to me that some of the Botnet owners have once again restored their Control and Command servers. This is a cat and mouse game, with criminals leasing servers for use as Botnet controllers and authorities or upstream providers shutting them down.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week was for male enhancement scams and the fake Canadian Pharmacy, which sells illicit and counterfeit pharmaceuticals like Viagra, and is hosted on Botnetted PCs. Next, was spam for weight loss ripoffs and casinos.

See my extended comments for this week's breakdown of spam by category, for July 20 - 26, 2009 and the latest additions to my custom MailWasher Pro filters.


July 19, 2009

My Spam analysis for July 13 - 19, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

The volume of spam coming to my various honeypots and user accounts has increased markedly this week, after last week's decrease. This suggests to me that some of the Botnet owners have once again restored their Control and Command servers. This is a cat and mouse game, with criminals leasing servers for use as Botnet controllers and authorities or upstream providers shutting them down.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week was for the fake Canadian Pharmacy, which sells illicit and counterfeit pharmaceuticals like Viagra, and is hosted on Botnetted PCs. Next, was male enhancement scams, weight loss ripoffs, casinos and some Nigerian 419 scams.

See my extended comments for this week's breakdown of spam by category, for July 13 - 19, 2009 and the latest additions to my custom MailWasher Pro filters.


July 13, 2009

My Spam analysis for July 6 - 12, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

The volume of spam coming to my various honeypots and user accounts has decreased slightly this week, after several weeks of increases. This suggests to me that some of the Botnets have once again lost their Control and Command servers, following the recent forced shutdown of colocation host Pricewert. Pricewert hosting customers included several Botnet Command and Control servers. Spammers found other hosts, but appear to be having trouble maintaining them.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week was for the fake Canadian Pharmacy, which sells illicit and counterfeit pharmaceuticals like Viagra, weight loss ripoffs and pirated software. There was even some casino spam last week.

See my extended comments for this week's breakdown of spam by category, for July 6 - 12, 2009 and the latest additions to my custom MailWasher Pro filters.


July 5, 2009

My Spam analysis for June 29 - July 5, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

The volume of spam coming to my various honeypots and user accounts has increased slightly again this week. This indicates to me that some of the Botnets that lost their Control and Command servers following the forced shutdown of colocation host Pricewert have found other server hosts that allow illegal activities. Thus, sleeping zombie bots are awakening and spamming again.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week was for various fake pharmacies, which sell illicit and counterfeit pharmaceuticals like Viagra, weight loss scams and phishing scams.

See my extended comments for this week's breakdown of spam by category, for June 29 - July 5, 2009 and the latest additions to my custom MailWasher Pro filters.


July 2, 2009

New Nigerian phishing scam targets Hotmail users

Today I received an unusual phishing scam that I traced to Lagos, Nigeria. It is disguised as an urgent message from the Windows Live Team, to all Hotmail subscribers. The subject was: "LAST WARNING (ACCOUNT ALERT)" - in all capital letters - as is typical of Nigerian 419 scammers. The email claims that Hotmail is overloaded with free user accounts and must prune unused accounts to free up resources. What a bunch of hooey! Anyway, the intended victim is asked for his or her Hotmail address and password (Microsoft already knows this), date of birth (why would Microsoft need that?) and his or her location. The details are supposed to be filled out in the enclosed form and submitted to the scammers.

This is a phishing scam looking to steal active Hotmail accounts for use as spam sending zombies, using Hotmail's good reputation to avoid email sender blockades. The phished date of birth information can be crosschecked against other stolen or looked up details about you, or they can read your personal details saved in your Hotmail account profile, to perform identity theft. This information would then be sold to more advanced cyber criminals.

The scam email I received today was sent from the IP address 62.173.55.107 which is part of the CIDR 62.173.32.0/19, which covers all IPs between 62.173.32.0 and 62.173.63.255. This CIDR is registered to ipNX Nigeria Limited, in Lagos, NG.

I discuss methods of preventing these Nigerian scam emails from reaching your desktop email clients, or forum members, in my extended comments.


June 28, 2009

My Spam analysis for June 22 - 28, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

The volume of spam coming to my various honeypots and user accounts has increased slightly this week. This indicates to me that some of the Botnets that lost their Control and Command servers following the forced shutdown of colocation host Pricewert have found other server hosts that allow illegal activities. Thus, sleeping zombie bots are awakening and spamming again.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week was for various fake pharmacies, which sell illicit and counterfeit pharmaceuticals like Viagra, weight loss scams and phishing scams.

See my extended comments for this week's breakdown of spam by category, for June 22 - 28, 2009 and the latest additions to my custom MailWasher Pro filters.


June 26, 2009

Weekly roundup of vulnerabilities and exploits in the wild

Here is a summary of this week's vulnerabilities and exploits in the wild, as reported by Secunia, Websense and other security firms. Actually, this has been a quieter week than most.

Websense has been following a website code injection event they named the "Nine Ball Mass Injection," which is a follow-up to the "Beladen" and "Gumblar" mass injection attacks last month. This is a situation where cyber criminals exploit vulnerable web application scripts that have not been secured by the webmasters who operate those websites. Too many webmasters use free scripts that are rarely, if ever, updated to patch announced vulnerabilities. Hackers send out automated scripts (a.k.a. robots, spiders) that try to upload hostile files to any website they come across. Once they find an unpatched point of entry they are able to alter the code on any web pages (usually the home page) they want. In the past, hackers would deface home pages with gibberish or slogans for their causes. Now, it is criminals who sneak in dangerous hidden code that redirects innocent visitors to hostile websites, where an attempt is made to download malware to the victims' computers. Most are successful, because most people do not, or cannot, keep up with patches released by every vendor of the add-ons and plug-ins used by their browsers.

Most of the malware being downloaded by the Nine Ball and similar exploits is fake security applications that pretend to scan your computer, announce that many threats were found, then demand payment to remove those threats. These are tandem malware programs, with part one being the fake alerts and part two being the fake remover. After you pay to unlock the remover, it only removes the alerts its sister placed there in the first place. You will have submitted your credit or debit card information to cyber criminals in the Former Soviet Union and can expect to have your accounts drained shortly.

The rest of this week's vulnerabilities and exploits are in my extended comments.


June 21, 2009

My Spam analysis for June 15 - 21, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

The volume of spam coming to my various honeypots and user accounts has decreased again this week. This is probably attributable to the forced closure of Pricewert, a spam-friendly hosting company, where Botnet command and control (C&C) servers and malware hosting were operated by its customers, with no action taken by the company to halt those activities. With the C&C controllers offline their Botnets cannot receive updates or new instructions and fall silent, like zombies. Spammers then find other means of delivering their crap to us.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Much of the spam this week was for the fake pharmacies, which sell illicit and counterfeit pharmaceuticals, Nigerian 419 scams, and dating scams. Also, the volume of phishing scams targeting customers of various banks and credit cards remained strong again this week.

See my extended comments for this week's breakdown of spam by category, for June 15 - 21, 2009 and the latest additions to my custom MailWasher Pro filters.


June 14, 2009

My Spam analysis for June 8 - 14, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Spam, spam, spam, spam, spam, spam, spam (from the old Monty Python routine)! The volume of spam coming to my various honeypots and user accounts has held steady this week, still at a relatively low volume (some spammers do prune honeypot accounts from their lists). Some of this is also attributable to the forced closure of Pricewert, a spam-friendly hosting company, where Botnet command and control servers and malware hosting were operated by its customers, with no action taken by the company to halt those activities.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Much of the spam this week was for the fake pharmacies, which sell illicit and counterfeit pharmaceuticals, Nigerian 419 scams, fake Cialis and Viagra. Also, the volume of phishing scams targeting customers of various Australian banks and credit card holders remained in the running this week.

See my extended comments for this week's breakdown of spam by category, for June 8 - 14, 2009 and the latest additions to my custom MailWasher Pro filters.


June 7, 2009

My Spam analysis for June 1 - 7, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Spam, spam, spam, spam, spam, spam, spam (from the old Monty Python routine)! The volume of spam coming to my various honeypots and user accounts has held steady this week, still at a relatively low volume (some spammers do prune honeypot accounts from their lists). The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Much of the spam this week was for the fake pharmacies, which sell illicit and counterfeit pharmaceuticals, Nigerian 419 and lottery scams, Cialis and Viagra. Also, the volume of phishing scams targeting customers of various Australian banks and credit card holders remained steady this week.

See my extended comments for this week's breakdown of spam by category, for June 1 - 7, 2009 and the latest additions to my custom MailWasher Pro filters.


May 31, 2009

My Spam analysis for May 25 - 31, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

The volume of spam coming to my various honeypots and user accounts has been steadily increasing over the past month. This is due to the activity of various wounded spam Botnets coming back to life (after the takedown of McColo), or new ones like the Russian Cutwail Botnet, being pressed into service. The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Much of the spam this week was for the fake Canadian Pharmacy, which sells illicit and counterfeit pharmaceuticals, Nigerian 419 scams, fake watches and Viagra, "stud" tips and male enhancement scams (same websites). I also saw an increase in Australian banking phishing scams this week.

See my extended comments for this week's breakdown of spam by category, for May 25 - 31, 2009 and the latest additions to my custom MailWasher Pro filters.


May 24, 2009

My Spam analysis for May 18 - 24, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

I am still seeing a greatly reduced amount of spam, possibly due to me being white-listed by spammers, trying to avoid my honeypots, or because of troubles spammers might be having controlling their Botnets. Nonetheless, the types of spam I am getting are most likely the same types you are getting, just in a different quantity. The classifications can help you adjust your email filters according to what is most common, on a weekly basis. Much of the spam this week was for the fake Canadian Pharmacy, which sells illicit and counterfeit pharmaceuticals, spam for unsubstantiated Acai Berry weight loss remedies and the usual male and female enhancement scams. I also saw an increase in bank Phishing scams this week.

See my extended comments for this week's breakdown of spam by category, for May 18 - 24, 2009 and the latest additions to my custom MailWasher Pro filters.


May 17, 2009

My Spam analysis for May 11 - 17, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

I am still seeing a greatly reduced amount of spam, possibly due to me being white-listed by spammers, trying to avoid my honeypots, or because of troubles spammers might be having controlling their Botnets. Nonetheless, the types of spam I am getting are most likely the same types you are getting, just in a different quantity. The classifications can help you adjust your email filters according to what is most common, on a weekly basis. Much of the spam this week was for the offshore knockoff pharmaceuticals, like Viagra, bogus weight loss remedies and male enhancement scams. Other classifications, like Blocked Countries, usually include counterfeit drug promotions, sometimes in embedded images, or in vertical text and html tricks.

See my extended comments for this week's breakdown of spam by category, for May 11 - 17, 2009 and the latest additions to my custom MailWasher Pro filters.


May 15, 2009

Securing FormMail scripts against spambots

Takeaway

This is a technical article about securing a Perl "FormMail" script against spammers who attempt to hijack these scripts for use as spam relays. For those not in the know, FormMail, written in the "Perl" scripting language, is one of the original mailer scripts freely available for general use on websites. It is used by millions of webmasters to send email from a web page form. However, unbeknown to many webmasters, older versions of FormMail are totally insecure and can be exploited as spam relays.

History of FormMail

The original version of FormMail was written in 1995 by Matt Wright and was made available for free on his website: Matt's Script Archive. Unfortunately, the early versions of his FormMail script were very insecure and easily turned into spam relays. This fact was seized upon in 2002 by spammers who used bots to scour websites in search of these exploitable scripts, by name or variations thereof. In response, on April 19, 2002, Matt rewrote his FormMail script to secure it better and released it as version 1.91. This was to become the final version of Matt's FormMail. It remains mostly insecure to this day, yet is in use by website owners around the world who haven't learned about the exploits targeting FormMail.

Several years ago I wrote an in-depth web article describing the vulnerabilities in Matt's FormMail, partially titled: FormMail Security Vulnerabilities and Solutions, in which I also recommended a drop-in secure replacement script known as NMS FormMail, which was developed by a group calling themselves the London Perl Mongers. My article is still a valuable resource and will bring most webmasters up to speed on what they need to do to protect their websites from FormMail exploiters. Following my recommendations will certainly help to secure any FormMail scripts you may be using. It will also protect your email account(s) from being harvested by creating alias numbers for them, in NMS FormMail, instead of using plain text addresses to submit to. But, there's more you can do that wasn't covered in my original article.

Securing FormMail - 101

One of my recommendations was renaming your FormMail script to something other than its default spelling: formmail.pl. While this makes it a little harder for hostile bots to locate the script, it is useless at protecting it against human spammers. All they need to do is read the source code of your contact or feedback pages to get the name of the script that processes your forms and mails comments to you. Then they can go after that script by its new name to try to exploit it for use as a spam relay. If it really is an insecure version of Matt's FormMail, it will be used as a spam relay! If you are running your website on an Apache web server, as most of us are, there are special codes, called Mod_Rewrite Directives, that can be applied to a particular server file named .htaccess to completely hide the name of the renamed script, protecting it from being used as a spam relay. If you are allowed to add these directives, you can make your FormMail script invisible to spammers.
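One way to put that idea into practice, as an added example rather than the directives from the article or its extended comments: the form's action attribute points at a public path that exists only in .htaccess, mod_rewrite maps that path to the renamed script internally, and any request that names the script directly is refused. The path /contact/send, the placeholder script name and the assumption that mod_rewrite is permitted in .htaccess (AllowOverride FileInfo) are all mine, not the article's.

```apache
# .htaccess in the site's document root. Added example, not the article's own
# directives; /contact/send and RENAMED-FORMMAIL-PLACEHOLDER.pl are placeholders.
RewriteEngine On

# 1. The public form handler only accepts POST. A GET probe from a bot
#    scanning for mailer scripts is refused with 403 Forbidden.
RewriteCond %{REQUEST_METHOD} !^POST$
RewriteRule ^contact/send$ - [F]

# 2. Refuse any request that names the script by its real filename.
#    THE_REQUEST holds the original request line, which the internal
#    rewrite in step 3 does not change, so only requests that arrived
#    via the public path ever reach the script.
RewriteCond %{THE_REQUEST} \s/cgi-bin/RENAMED-FORMMAIL-PLACEHOLDER\.pl [NC]
RewriteRule ^ - [F]

# 3. The HTML form uses action="/contact/send"; the real script name
#    appears only here, never in the page source a spammer can read.
RewriteRule ^contact/send$ /cgi-bin/RENAMED-FORMMAIL-PLACEHOLDER.pl [L]
```

The rule order matters: the method check and the direct-name block must come before the rewrite, because once the rewrite fires with [L] the remaining rules are skipped for that pass. Hiding the name only removes the easy discovery route; an insecure copy of Matt's FormMail behind it is still a spam relay, so this goes together with the drop-in NMS FormMail replacement the article recommends, not instead of it.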

Read the rest of the details in my extended comments.

Continue reading "Securing FormMail scripts against spambots" »

May 10, 2009

My Spam analysis for May 3 - 10, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

I am still seeing a greatly reduced amount of spam, possibly due to me being white-listed by spammers, trying to avoid my honeypots, or because of troubles spammers might be having controlling their Botnets. Nonetheless, the types of spam I am getting are most likely the same types you are getting, just in a different quantity. The classifications can help you adjust your email filters according to what is most common, on a weekly basis. Much of the spam this week was for the offshore knockoff pharmaceuticals, bogus weight loss remedies, male enhancement scams and Nigerian 419 advance fee fraud scams and phishing scams. Other classifications, like Blocked Countries, usually include counterfeit drug promotions, sometimes in embedded images, or in vertical text and html tricks.

MailWasher Pro spam category breakdown for May 3 - 10, 2009. Spam amounted to 15% of my incoming email this week. This represents a 6% increase from last week.

Other filters: (See my MWP Filters page) 25.00%
Male Enhancement Patches, etc: 10.71%
Blacklisted Domains/Senders: 10.71%
Nigerian 419 Scams: 7.14%
Blocked Countries, RIPE, LACNIC, APNIC: 7.14%
Hidden ISO or ASCII Subject spam: 7.14%
Viagra spam: 7.14%
Casino Spam: 7.14%
Phishing Scams (for banks): 7.14%
Weight Loss Scams: 3.57%
Misc. Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals): 3.57%
Pills spam: 3.57%

If you are reading this and wondering what you can do to reduce the sometimes huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft/Windows Live Mail, Eudora, Mozilla and other stand-alone email programs).

To protect your computer from malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security.

Continue reading "My Spam analysis for May 3 - 10, 2009" »

May 3, 2009

My Spam analysis for April 27 - May 2, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

I am seeing a greatly reduced amount of spam, possibly due to me being white-listed by spammers, trying to avoid my honeypots, or because of troubles spammers might be having controlling their Botnets. Nonetheless, the types of spam I am getting are most likely the same types you are getting, just in a different quantity. The classifications can help you adjust your email filters according to what is most common, on a weekly basis. Much of the spam this week was for the fake watches, male enhancement junk and Nigerian 419 advance fee fraud scams. Other classifications, like Blocked Countries, usually include counterfeit drug promotions, sometimes in embedded images, or in vertical text and html tricks.

MailWasher Pro spam category breakdown for April 27 - May 2, 2009. Spam amounted to 9% of my incoming email this week. This represents a 2% decrease from last week.

Nigerian 419 Scams: 15.00%
Counterfeit Watches: 15.00%
Blocked Countries, RIPE, LACNIC, APNIC: 10.00%
Known Spam Domains (.cn, .ru, .br, etc): 10.00%
Hidden ISO or ASCII Subject spam: 10.00%
Viagra spam: 10.00%
Fake "Canadian Pharmacy" spam (fake Viagra, Cialis, etc): 5.00%
Casino Spam: 5.00%
Base64 encoded spam: 5.00%
One word Subject (spam in body): 5.00%
Blacklisted Domains/Senders: 5.00%
Other filters: (See my MWP Filters page) 5.00%

If you are reading this and wondering what you can do to reduce the sometimes huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft/Windows Live Mail, Eudora, Mozilla and other stand-alone email programs).

To protect your computer from malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security.

Continue reading "My Spam analysis for April 27 - May 2, 2009" »

April 26, 2009

My Spam analysis for April 20 - 26, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

If you use MailWasher Pro you can enable the Blacklist function and add some pattern matching blacklist filters to automatically delete spam messages containing a forged From address matching either of these Regular Expressions: lin+met@+.de and kef+diz@+, in MailWasher Pro. The interesting fact about those two rules is that the same forged domain name prefix is used on both sides of the @ symbol. So, if you see an incoming email with a sender listed as kefsomedomaindiz@somedomain.com it will match that rule. These particular spam messages are sent from a Botnet that has fallen silent for some reason; possibly due to large-scale disinfection (e.g., by the Microsoft Malicious Software Removal Tool), or takedowns of command and control servers used by that Botnet (see takedown of McColo).

I am seeing a greatly reduced amount of spam, possibly due to me being white-listed by spammers, trying to avoid my honeypots, or because of troubles spammers might be having controlling their Botnets. Nonetheless, the types of spam I am getting are most likely the same types you are getting, just in a different quantity. The classifications can help you adjust your email filters according to what is most common, on a weekly basis. Much of the spam this week was for the fake "Canadian Pharmacy" and Nigerian 419 advance fee fraud and money laundering scams. Other classifications, like Blocked Countries, usually include counterfeit drug promotions, sometimes in embedded images, or in vertical text and html tricks.

MailWasher Pro spam category breakdown for April 20 - 26, 2009. Spam amounted to 7% of my incoming email this week. This represents a 1% decrease from last week.

Phony Bounce messages (Joe-Jobs): 18.18%
Blocked Countries, RIPE, LACNIC, APNIC: 18.18%
Fake "Canadian Pharmacy" spam (fake Viagra, Cialis, etc): 9.09%
Nigerian 419 Scams: 9.09%
Known Spam Domains (.cn, .ru, .br, etc): 9.09%
Male Enhancement Patches, etc: 9.09%
Casino Spam: 9.09%
Hidden ISO or ASCII Subject spam: 9.09%
Re: or Fwd: Subject spam: 9.09%

If you are reading this and wondering what you can do to reduce the sometimes huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft/Windows Live Mail, Eudora, Mozilla and other stand-alone email programs).

To protect your computer from malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security.

Continue reading "My Spam analysis for April 20 - 26, 2009" »

April 19, 2009

My Spam analysis for April 13 - 19, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

If you use MailWasher Pro you can enable the Blacklist function and add some pattern matching blacklist filters to automatically delete spam messages containing a forged From address matching either of these Regular Expressions: lin+met@+.de and kef+diz@+, in MailWasher Pro. The interesting fact about those two rules is that the same forged domain name prefix is used on both sides of the @ symbol. So, if you see an incoming email with a sender listed as kefsomedomaindiz@somedomain.com it will match that rule.

I am seeing a greatly reduced amount of spam, possibly due to me being white-listed by spammers, trying to avoid my honeypots. Nonetheless, the types of spam I am getting are most likely the same types you are getting, just in a different quantity. The classifications can help you adjust your email filters according to what is most common, on a weekly basis. The majority of spam this week was for male enhancement scams (all such products are fake) and Nigerian 419 advance fee fraud scams.

MailWasher Pro spam category breakdown for April 13 - 19, 2009. Spam amounted to 8% of my incoming email this week. This represents a 1% decrease from last week.

Male Enhancement Patches, etc: 26.67%
Nigerian 419 Scams: 20.00%
Casino Spam: 13.33%
Blocked Countries, RIPE, LACNIC, APNIC: 13.34%
Viagra spam: 6.67%
Known Spam Subjects (by my filters): 6.67%
No Subject: 6.67%
Blacklisted Domains/Senders: 6.67%

If you are reading this and wondering what you can do to reduce the sometimes huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft/Windows Live Mail, Eudora, Mozilla and other stand-alone email programs).

To protect your computer from malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security.

Continue reading "My Spam analysis for April 13 - 19, 2009" »

April 12, 2009

My Spam analysis for April 6 - 12, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

If you use MailWasher Pro you can enable the Blacklist function and add some pattern matching blacklist filters to automatically delete spam messages containing a forged From address matching either of these Regular Expressions: lin+met@+.de and kef+diz@+, in MailWasher Pro. The interesting fact about those two rules is that the same forged domain name prefix is used on both sides of the @ symbol. So, if you see an incoming email with a sender listed as kefsomedomaindiz@somedomain.com it will match that rule.

I am seeing a greatly reduced amount of spam, possibly due to me being white-listed by spammers, trying to avoid my honeypots. Nonetheless, the types of spam I am getting are most likely the same types you are getting, just in a different quantity. The classifications can help you adjust your email filters according to what is most common, on a weekly basis.

MailWasher Pro spam category breakdown for April 6 - 12, 2009. Spam amounted to 9% of my incoming email this week. This represents a 3% increase from last week.

Viagra spam: 25.00%
Lottery Scams: 15.00%
Fake "Canadian Pharmacy" spam (fake Viagra, Cialis, etc): 10.00%
Other filters: (See my MWP Filters page) 10.00%
Phishing Scams (for banks): 10.00%
Nigerian 419 Scams: 5.00%
Known Spam Subjects (by my filters): 5.00%
Counterfeit Watches: 5.00%
HTML Spam Tricks: 5.00%
Dating spam: 5.00%
Breast enlargement spam: 5.00%

If you are reading this and wondering what you can do to reduce the sometimes huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft/Windows Live Mail, Eudora, Mozilla and other stand-alone email programs).

To protect your computer from malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security.

Continue reading "My Spam analysis for April 6 - 12, 2009" »

April 5, 2009

My Spam analysis for March 30 - April 5, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

If you use MailWasher Pro you can enable the Blacklist function and add some pattern matching blacklist filters to automatically delete spam messages containing a forged From address matching either of these Regular Expressions: lin+met@+.de and kef+diz@+, in MailWasher Pro. The interesting fact about those two rules is that the same forged domain name prefix is used on both sides of the @ symbol. So, if you see an incoming email with a sender listed as kefsomedomaindiz@somedomain.com it will match that rule.

I am seeing a greatly reduced amount of spam, possibly due to me being white-listed by spammers, trying to avoid my honeypots. Nonetheless, the types of spam I am getting are most likely the same types you are getting, just in a different quantity. The classifications can help you adjust your email filters according to what is most common, on a weekly basis.

MailWasher Pro spam category breakdown for March 30 - April 5, 2009. Spam amounted to 6% of my incoming email this week.

Casino Spam: 25.00%
Nigerian 419 Scams: 16.67%
Loans and Bankruptcy scams: 16.67%
Lottery Scams: 8.33%
Software spam: 8.33%
Blocked Countries, RIPE, LACNIC, APNIC: 8.33%
Zip, RAR, or GZ Hostile Attachment: 8.33%
Blacklisted Domains/Senders: 8.33%

If you are reading this and wondering what you can do to reduce the sometimes huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft/Windows Live Mail, Eudora, Mozilla and other stand-alone email programs).

To protect your computer from malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security.

Continue reading "My Spam analysis for March 30 - April 5, 2009" »

March 29, 2009

My Spam analysis for March 23 - 29, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Spam (to my honeypot accounts) is still way down from last fall, thanks to the efforts of security companies, who have tirelessly pursued the server colocation facilities used by spammers to command and control spam-sending Botnets and then shut them down or get spam accounts terminated. Those spammers are rebuilding or replacing their Botnets as I type this, so let's not become complacent. In fact, my spam count has been slowly increasing since the third week of January, 2009. This may be by design, as spammers are known to occasionally whitelist honeypot email accounts, to avoid detection.

If you use MailWasher Pro you can enable the Blacklist function and add some pattern matching blacklist filters to automatically delete spam messages containing a forged From address matching either of these Regular Expressions: lin+met@+.de and kef+diz@+, in MailWasher Pro. The interesting fact about those two rules is that the same forged domain name prefix is used on both sides of the @ symbol. So, if you see an incoming email with a sender listed as kefsomedomaindiz@somedomain.com it will match that rule.

MailWasher Pro spam category breakdown for March 23 - 29, 2009. Spam amounted to 8% of my incoming email this week.

Nigerian 419 Scams: 16.67%
Known Spam Subjects (by my filters): 16.67%
Casino Spam: 11.11%
HTML Spam Tricks: 11.11%
Other filters: (See my MWP Filters page) 11.11%
Known Spam Domains (.cn, .ru, .br, etc): 5.56%
Hidden ISO or ASCII Subject spam: 5.56%
Fake "Canadian Pharmacy" spam (fake Viagra, Cialis, etc): 5.56%
Software spam: 5.56%
Known Spam (From or Body): 5.56%
No Subject: 5.56%

If you are reading this and wondering what you can do to reduce the sometimes huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft/Windows Live Mail, Eudora, Mozilla and other stand-alone email programs).

Continue reading "My Spam analysis for March 23 - 29, 2009" »

March 22, 2009

My Spam analysis for March 16 - 22, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Spam (to my honeypot accounts) is still way down from last fall, thanks to the efforts of security companies, who have tirelessly pursued the server colocation facilities used by spammers to command and control spam-sending Botnets and then shut them down or get spam accounts terminated. Those spammers are rebuilding or replacing their Botnets as I type this, so let's not become complacent. In fact, my spam count has been slowly increasing since the third week of January, 2009. This may be by design, as spammers are known to occasionally whitelist honeypot email accounts, to avoid detection.

If you use MailWasher Pro you can enable the Blacklist function and add some pattern matching blacklist filters to automatically delete spam messages containing a forged From address matching either of these Regular Expressions: lin+met@+.de and kef+diz@+, in MailWasher Pro. The interesting fact about those two rules is that the same forged domain name prefix is used on both sides of the @ symbol. So, if you see an incoming email with a sender listed as kefsomedomaindiz@somedomain.com it will match that rule.

MailWasher Pro spam category breakdown for March 16 - 22, 2009. Spam amounted to 8% of my incoming email this week. This represents a 3% decrease from last week.

Known Spam Domains (.cn, .ru, .br, etc): 33.33%
Hidden ISO or ASCII Subject spam: 20.00%
Blocked Countries, RIPE, LACNIC, APNIC: 13.34%
Fake "Canadian Pharmacy" spam (fake Viagra, Cialis, etc): 6.67%
Viagra spam: 6.67%
Software spam: 6.67%
Counterfeit Watches: 6.67%
Male Enhancement Patches, etc: 6.67%

If you are reading this and wondering what you can do to reduce the sometimes huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft/Windows Live Mail, Eudora, Mozilla and other stand-alone email programs).

Continue reading "My Spam analysis for March 16 - 22, 2009" »

March 15, 2009

My Spam analysis for March 9 - 15, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Spam is still way down from last fall, thanks to the efforts of security companies, who have tirelessly pursued the server colocation facilities used by spammers to command and control spam-sending Botnets and then shut them down or get spam accounts terminated. Those spammers are rebuilding or replacing their Botnets as I type this, so let's not become complacent. In fact, my spam count has been slowly increasing since the third week of January, 2009.

If you use MailWasher Pro you can enable the Blacklist function and add some pattern matching blacklist filters to automatically delete spam messages containing a forged From address matching either of these Regular Expressions: lin+met@+.de and kef+diz@+, in MailWasher Pro. These two blacklist rules caught over 22% of this week's spam. The interesting fact about those two rules is that the same forged domain name prefix is used on both sides of the @ symbol. So, if you see an incoming email with a sender listed as kefsomedomaindiz@somedomain.com it will match that rule.

MailWasher Pro spam category breakdown for March 9 - 15, 2009. Spam amounted to 11% of my incoming email this week. This represents a 1% decrease from last week.

Hidden ISO or ASCII Subject spam: 28.57%
Other filters: (See my MWP Filters page) 19.05%
Fake "Canadian Pharmacy" spam (fake Viagra, Cialis, etc): 9.52%
Known Spam Domains: 4.76%
Pheromones: 4.76%
Blacklisted Domains/Senders: 4.76%
Nigerian 419 Scams: 4.76%
Software spam: 4.76%
Counterfeit Watches: 4.76%
Blocked Countries, RIPE, LACNIC, APNIC: 4.76%
Weight Loss Scams: 4.76%
Casino Spam: 4.76%

If you are reading this and wondering what you can do to reduce the sometimes huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft/Windows Live Mail, Eudora, Mozilla and other stand-alone email programs).

Continue reading "My Spam analysis for March 9 - 15, 2009" »

March 8, 2009

My Spam analysis for March 2 - 8, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Spam is still way down from last fall, thanks to the efforts of security companies, who have tirelessly pursued the server colocation facilities used by spammers to command and control spam-sending Botnets and then shut them down or get spam accounts terminated. Those spammers are rebuilding or replacing their Botnets as I type this, so let's not become complacent. In fact, my spam count has been slowly increasing since the third week of January, 2009.

If you use MailWasher Pro you can enable the Blacklist function and add some pattern matching blacklist filters to automatically delete spam messages containing a forged From address matching either of these Regular Expressions: lin+met@+.de and kef+diz@+, in MailWasher Pro. These two blacklist rules caught over 22% of this week's spam. The interesting fact about those two rules is that the same forged domain name prefix is used on both sides of the @ symbol. So, if you see an incoming email with a sender listed as kefsomedomaindiz@somedomain.com it will match that rule.

MailWasher Pro spam category breakdown for March 2 - 8, 2009. Spam amounted to 12% of my incoming email this week. This represents a 6% decrease from last week.

Blacklisted Domains/Senders: (by pattern matching wildcard rules like: lin+met@+.de and kef+diz@+) 25.00%
Fake "Canadian Pharmacy" spam (fake Viagra, Cialis, etc): 18.75%
Dating spam: 18.75%
Hidden ISO or ASCII Subject spam: 12.50%
Nigerian 419 Scams: 6.25%
Phony Bounce messages: 6.25%
Known Spam Domains: 6.25%
Blocked Countries, RIPE, LACNIC, APNIC: 6.25%

If you are reading this and wondering what you can do to reduce the sometimes huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft/Windows Live Mail, Eudora, Mozilla and other stand-alone email programs).

Continue reading "My Spam analysis for March 2 - 8, 2009" »

March 2, 2009

My Spam analysis for Feb 23 - Mar 1, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Spam is still way down from last fall, thanks to the efforts of security companies, who have tirelessly pursued the server colocation facilities used by spammers to command and control spam-sending Botnets and then shut them down or get spam accounts terminated. Those spammers are rebuilding or replacing their Botnets as I type this, so let's not become complacent. In fact, my spam count has been slowly increasing since the third week of January, 2009.

If you use MailWasher Pro you can enable the Blacklist function and add some pattern matching blacklist filters to automatically delete spam messages containing a forged From address matching either of these Regular Expressions: lin+met@+.de and kef+diz@+, in MailWasher Pro. These two blacklist rules caught over 22% of this week's spam. The interesting fact about those two rules is that the same forged domain name prefix is used on both sides of the @ symbol. So, if you see an incoming email with a sender listed as kefsomedomaindiz@somedomain.com it will match that rule.

MailWasher Pro spam category breakdown for Feb 23 - Mar 1, 2009. Spam amounted to 18% of my incoming email this week. This represents a 2% increase from last week. The Botnets are coming back to life.

Blacklisted Domains/Senders: (by pattern matching wildcard rules like: lin+met@+.de and kef+diz@+) 14.29%
Other filters: (See my MWP Filters page) 10.71%
Viagra spam: 10.71%
Known Spam Subjects (by my filters): 10.71%
Fake "Canadian Pharmacy" spam (fake Viagra, Cialis, etc): 10.71%
Blocked Countries, RIPE, LACNIC, APNIC: 10.71%
Misc. Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals): 7.14%
Fake Diplomas: 7.14%
Known Spam Domains: (mostly pharmaceutical spam) 7.14%
Weight Loss Scams: 7.14%
Pills spam: 3.57%

If you are reading this and wondering what you can do to reduce the sometimes huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft/Windows Live Mail, Eudora, Mozilla and other stand-alone email programs).

Continue reading "My Spam analysis for Feb 23 - Mar 1, 2009" »

February 22, 2009

My Spam analysis for Feb 16 - 22, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Spam is still way down from last fall, thanks to the efforts of researchers in the security field. Starting with the takedown of the colocation facility McColo, on November 11, 2008, levels of incoming messages MailWasher identified as spam have dropped dramatically. That company provided hosting space and maintenance for privately owned servers that were used by spammers to command and control spam-sending Botnets. Those spammers are rebuilding or replacing their Botnets as I type this, so let's not become complacent. In fact, my spam count has been slowly increasing since the third week of January, 2009.

If you use MailWasher Pro you can enable the Blacklist function and add some pattern matching blacklist filters to automatically delete spam messages containing a forged From address matching either of these Regular Expressions: lin+met@+.de and kef+diz@+, in MailWasher Pro. These two blacklist rules caught over 22% of this week's spam.
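The two wildcard blacklist rules above (lin+met@+.de and kef+diz@+) recur in the weekly posts back to early March, and each of those posts describes the same match: the forged sender kefsomedomaindiz@somedomain.com carries the domain name inside the local part as well. The Python below is an added example, not MailWasher Pro's code or filter format; it treats the rules as the posts describe them, assuming that "+" stands for one or more arbitrary characters, translates each rule into an anchored regular expression of the kind the two RegEx articles linked at the top of this page use, and adds a tighter variant that only fires when the text between the fixed prefix and suffix really equals the domain's first label. The sample From addresses other than the post's own example are constructed.

```python
import re

# Wildcard blacklist rules exactly as the posts give them for MailWasher Pro.
# Assumption (added example): '+' stands for one or more arbitrary characters,
# which is the reading under which the post's own sample address matches.
WILDCARD_RULES = ["lin+met@+.de", "kef+diz@+"]


def wildcard_to_regex(rule: str) -> re.Pattern:
    """Turn a '+' wildcard rule into an anchored, case-insensitive regex.

    re.escape() runs first so the '.' in '.de' stays a literal dot; only the
    escaped '+' is then widened to '.+' (one or more characters).
    """
    pattern = re.escape(rule).replace(r"\+", ".+")
    return re.compile("^" + pattern + "$", re.IGNORECASE)


COMPILED_RULES = [(rule, wildcard_to_regex(rule)) for rule in WILDCARD_RULES]


def matching_rule(from_addr: str):
    """Return the first blacklist rule the sender address matches, else None."""
    addr = from_addr.strip()
    for rule, regex in COMPILED_RULES:
        if regex.match(addr):
            return rule
    return None


def mirrored_domain_match(from_addr: str, prefix: str, suffix: str) -> bool:
    """Tighter form of the posts' observation: the text between the fixed
    prefix and suffix in the local part must equal the first label of the
    domain, as in kef<somedomain>diz@<somedomain>.com. An address that merely
    starts with the prefix and ends with the suffix does not match."""
    regex = re.compile(
        r"^" + re.escape(prefix) + r"(.+)" + re.escape(suffix) + r"@([^.@]+)\.",
        re.IGNORECASE,
    )
    m = regex.match(from_addr.strip())
    return bool(m) and m.group(1).lower() == m.group(2).lower()


# Constructed From addresses for the demonstration; only the first one is
# taken from the post.
SAMPLE_SENDERS = [
    "kefsomedomaindiz@somedomain.com",
    "linexamplemet@example.de",
    "linda@example.de",
    "newsletter@example.org",
]


def classify(senders):
    """Map each sender to the wildcard rule that would blacklist it (or None)."""
    return {sender: matching_rule(sender) for sender in senders}


if __name__ == "__main__":
    for sender, rule in classify(SAMPLE_SENDERS).items():
        verdict = f"delete (rule {rule})" if rule else "pass"
        print(f"{sender:40} {verdict}")
```

The loose wildcard form is what a MailWasher Pro blacklist entry expresses; the mirrored-domain check is the kind of rule you would write on a mail server where a real regex engine is available, because it keeps the false-positive rate down on addresses such as linda@example.de that happen to share a few letters with the pattern.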

MailWasher Pro spam category breakdown for Feb 16 - 22, 2009. Spam amounted to 16% of my incoming email this week. This represents a 6% increase from last week. The Botnets are coming back to life.


Blacklisted Domains/Senders: (by pattern matching wildcard rules like: lin+met@+.de and kef+diz@+) 22.73%
Hidden ISO Subject: 13.64%
Other filters: (See my MWP Filters page) 13.64%
Nigerian 419 Scams: 9.09%
Fake "Canadian Pharmacy" spam (fake Viagra, Cialis, etc): 9.09%
HTML Tricks: (ex: vertical, colored, or right-aligned spam words) 4.55%
Male enhancement spam (subject or body): 4.55%
Misc. Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals): 4.55%
Numeric IP to Trojan download: 4.55%
Joe Job Bounces: 4.55%
PayPal Scams: 4.55%
Google Redirect to spam site: 4.55%

If you are reading this and wondering what you can do to reduce the sometimes huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).

February 15, 2009

My Spam analysis for Feb 9 - 15, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Spam is still way down from last fall, thanks to the efforts of researchers in the security field. Starting with the takedown of the colocation facility McColo, on November 11, 2008, levels of incoming messages MailWasher identified as spam have dropped dramatically. That company provided hosting space and maintenance for privately owned servers that were used by spammers to command and control spam-sending Botnets. Those spammers are rebuilding or replacing their Botnets as I type this, so let's not become complacent. In fact, my spam count has been increasing at the rate of about 1% per week, since the third week of January, 2009.

If you use MailWasher Pro you can enable the Blacklist function and add some pattern matching blacklist filters to automatically delete spam messages containing a forged From address matching either of these Regular Expressions: lin+met@+.de and kef+diz@+, in MailWasher Pro. These two blacklist rules caught 5% of this week's spam. This is way down from last week when those two filters stopped 1/3 of all the incoming spam. Another Botnet must have gone offline.

MailWasher Pro spam category breakdown for Feb 9 - 15, 2009. Spam amounted to only 10% of my incoming email this week.


Viagra spam: 25.00%
Hidden ISO Subject: 25.00%
HTML Tricks: (ex: vertical, colored, or right-aligned spam words) 10.00%
Male enhancement spam (subject or body): 10.00%
Known Spam Subjects (by my filters): 5.00%
Nigerian 419 Scams: 5.00%
Blacklisted Domains/Senders: (by pattern matching wildcard rules like: lin+met@+.de and kef+diz@+) 5.00%
Fake "Canadian Pharmacy" spam (fake Viagra, Cialis, etc): 5.00%
Misc. Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals): 5.00%
Dating scams: 5.00%

If you are reading this and wondering what you can do to reduce the sometimes huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).

February 11, 2009

Return of the Botnets- Spam is on the rise again

After three months of reduced spam volumes I am now seeing a sudden resurgence, especially in the form of the fake Canadian Pharmacy, unapproved Asian-made Viagra and various male enhancement pills, strips and patches. All of this spam, like all spam from the year before, is sent via compromised Windows computers which have been unknowingly recruited into spam Botnets. These Botnets are commanded and controlled by criminals in Eastern Europe (in the former Soviet Union) and other places where authorities tend to turn a blind eye to cyber criminal activities.

It is difficult to know which Botnet is sending out this new round of pharmacy spam without capturing a Bot and logging its actions and reading its spam templates, but this has all the earmarks of the Mega-D Botnet (speculation). Mega-D, otherwise known as Ozdok, was one of the most prolific Botnets still running after the takedown of the McColo Corp. spam command and control servers, on November 11, 2008. The majority of the colocation servers in that facility were used for illegal activities, including command and control of several Botnets. It was the first to re-emerge and resume spamming and is very likely responsible for the current resurgence I saw yesterday and today. If not, it is a similar Botnet, being rented out to spammers (the Bot Masters usually rent portions of their Botnets to spammers, rather than doing any spamming themselves).

I didn't write my usual Sunday spam report this week, because the amount of spam for the week of February 2 - 8, 2009 was ridiculously low (around 7%) and only encompassed four categories, as defined by my MailWasher Pro custom filter rules. Still, a pattern was developing and I can now report on it. Maybe this will help others in identifying the Botnet behind this recent spam run. Most of the spam coming in from February 8 through 11 is identified by my "Hidden ISO or ASCII Subject" filter. The emails sent to English-speaking North American inboxes do not require any ISO or ASCII codes to be read by the recipients, as long as the Subjects are typed in English. However, messages composed in European locations, or in Asia, by non-English speakers might require this code to become readable at various destinations. They can tailor the ISO code to display the spam subject in the language of the desired recipient country. This is what has been going on since the Mega-D Botnet emerged in late November, 2008.

Those of you who use MailWasher Pro to filter out spam and aren't already using my custom filters can apply the following filter to detect and either flag, or auto-delete, any spam containing a hidden ISO subject. The following code must occupy only one long line and goes into your filters.txt file, located in your logged-in identity's %AppData%\MailWasherPro folder. Note that you must close MailWasher before editing filters.txt, save the changes, then reopen the program.

[enabled],"Hidden ISO Subject","Hidden ISO or Ascii Subject",16711680,OR,Delete,Automatic,EntireHeader,containsRE,^Subject:[^\n]*?=?ISO-8859-[^\n]*?\n,EntireHeader,contains,"Subject: =?us-ascii?",EntireHeader,contains,"Subject: =?windows-1251?B?",EntireHeader,contains,"Subject: =?gb2312?B?"

If you don't trust the accuracy of my filter you should remove the word Automatic from the rule. The rule will then only flag messages matching the Hidden ISO rule as spam, with a checkmark in the Delete column in MailWasher Pro, rather than deleting them automatically.
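As an added example (not part of the post, and not MailWasher Pro's own code), here is a small Python checker that parses the filters.txt line above, applies its four conditions to constructed header blocks, shows the effect of removing the word Automatic, and decodes the encoded-word Subject so you can read what the charset trick hides. The field layout of the rule and the multiline treatment of its ^ anchor are assumptions inferred from this single line; the sample headers are constructed, not real mail.

```python
import csv
import re
from email.header import decode_header, make_header

# The Hidden ISO Subject rule exactly as printed in the post (one long line in
# filters.txt). A raw string keeps the \n escapes for the regex engine.
HIDDEN_ISO_RULE = (
    r'[enabled],"Hidden ISO Subject","Hidden ISO or Ascii Subject",16711680,'
    r'OR,Delete,Automatic,'
    r'EntireHeader,containsRE,^Subject:[^\n]*?=?ISO-8859-[^\n]*?\n,'
    r'EntireHeader,contains,"Subject: =?us-ascii?",'
    r'EntireHeader,contains,"Subject: =?windows-1251?B?",'
    r'EntireHeader,contains,"Subject: =?gb2312?B?"'
)

# The same rule with the word Automatic removed, as the post suggests for
# users who prefer flagging over auto-deletion.
FLAG_ONLY_RULE = HIDDEN_ISO_RULE.replace(",Automatic,", ",", 1)

# Constructed sample header blocks (not real mail). Each ends with a newline so
# the rule's trailing \n has something to match.
SAMPLES = {
    "iso_upper": "From: a@example.net\nSubject: =?ISO-8859-1?B?SGVsbG8=?=\n",
    "gb2312": "From: b@example.net\nSubject: =?gb2312?B?SGVsbG8=?=\n",
    "plain": "From: c@example.net\nSubject: Meeting notes\n",
    "utf8": "From: d@example.net\nSubject: =?UTF-8?Q?Hello?=\n",
    # RFC 2047 charset labels are case-insensitive, but the rule's regex is
    # not, so a lower-case iso-8859-1 label slips past it. Worth knowing
    # before trusting the rule with Automatic deletion.
    "iso_lower": "From: e@example.net\nSubject: =?iso-8859-1?Q?Hello?=\n",
}


def parse_rule(line):
    """Split one filters.txt line into its fixed fields and condition triples.

    The layout (state, name, description, colour, AND/OR, action, optional
    Automatic, then repeated where/operator/value triples) is inferred from
    the single rule on the page and is an assumption, not MailWasher docs.
    """
    fields = next(csv.reader([line]))
    state, name, description, colour, logic, action = fields[:6]
    rest = fields[6:]
    automatic = bool(rest) and rest[0] == "Automatic"
    if automatic:
        rest = rest[1:]
    if len(rest) % 3 != 0:
        raise ValueError("conditions are not (where, operator, value) triples")
    conditions = [tuple(rest[i:i + 3]) for i in range(0, len(rest), 3)]
    return {
        "enabled": state == "[enabled]",
        "name": name,
        "logic": logic,
        "action": action,
        "automatic": automatic,
        "conditions": conditions,
    }


def condition_matches(condition, headers):
    """Evaluate one where/operator/value triple against a raw header block."""
    where, operator, value = condition
    if where != "EntireHeader":
        raise ValueError(f"unsupported field {where!r}")
    if operator == "contains":
        return value in headers
    if operator == "containsRE":
        # MULTILINE so the rule's ^ anchors each header line (assumption about
        # how MailWasher applies the pattern to the whole header).
        return re.search(value, headers, re.MULTILINE) is not None
    raise ValueError(f"unsupported operator {operator!r}")


def classify(rule, headers):
    """Return 'delete', 'flag' or 'pass' for a header block under this rule."""
    hits = [condition_matches(c, headers) for c in rule["conditions"]]
    matched = any(hits) if rule["logic"] == "OR" else all(hits)
    if not rule["enabled"] or not matched or rule["action"] != "Delete":
        return "pass"
    return "delete" if rule["automatic"] else "flag"


def decode_subject(headers):
    """Decode the RFC 2047 encoded-word Subject so an analyst can read what
    the charset trick was hiding. Returns '' when there is no Subject line."""
    match = re.search(r"^Subject:[ \t]*(.*)$", headers, re.MULTILINE)
    if not match:
        return ""
    return str(make_header(decode_header(match.group(1))))


if __name__ == "__main__":
    rule = parse_rule(HIDDEN_ISO_RULE)
    for label, headers in SAMPLES.items():
        print(f"{label:10} {classify(rule, headers):7} {decode_subject(headers)}")
```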

February 2, 2009

My Spam analysis for Jan 19 - Feb 1, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Wow! Spam is down for another week, thanks to the efforts of some of our colleagues in the security field. Starting with the takedown of the colocation facility McColo, on November 11, 2008, levels of incoming messages MailWasher identified as spam have dropped dramatically. That company provided hosting space and maintenance for privately owned servers that were used by spammers to command and control spam-sending Botnets. Those spammers are rebuilding or replacing their Botnets as I type this, so let's not become complacent. In fact, I suspect that a huge new Botnet is currently being assembled, via the Conficker/Downadup Worm. More about this emerging threat will be in a forthcoming article.

Once again, with the main command and control servers being partially or fully offline, I urge all Windows computer owners and sys admins to install security applications that are capable of detecting SpamBot activity. Please do yourself a favor and protect your PCs against Bots with Norton AntiBot, or Trend Micro's free program called RUBotted.

Some of the top rated Internet security products now contain Bot detection and prevention components. These include Symantec and Trend Micro Internet Security Suites. I wrote a blog article about detecting and removing Bots in December, 2008. You can also visit Microsoft's download center and grab a current copy of the Malicious Software Removal Tool and let it scan your computer for malware and Bots. It will remove any threats listed in the tool's database, which now include the widespread Conficker/Downadup Worm. Microsoft has been at war with Botnets since September 2007 (when they took down much of the Storm Botnet) and has made a huge dent in their numbers. This tool is totally free and is updated once a month. It is regularly released on Patch Tuesdays.

Note that I have re-enabled my pattern matching blacklist filters to automatically delete spam messages containing a forged From address matching either of these Regular Expressions: lin+met@+.de and kef+diz@+, in MailWasher Pro. These two blacklist rules alone caught 33% of this week's spam!

MailWasher Pro spam category breakdown for Jan 19 - Feb 1, 2009. Spam amounted to a measly 9% of my incoming email this week.


Blacklisted Domains/Senders: (by pattern matching wildcard rules like: lin+met@+.de and kef+diz@+) 33.33%!
Pills spam: 16.67%
HGH spam: 8.33%
Fake "Canadian Pharmacy" spam (fake Viagra, Cialis, etc): 8.33%
Subject All Capitals or No Subject: (Nigerian 419 and Lottery scams) 8.33%
Hidden ISO Subject: 8.33%
Nigerian 419 Scams: 8.33%
Blocked Countries, RIPE, LACNIC, APNIC: 8.33%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).

January 25, 2009

My Spam analysis for Jan 19 - 25, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Wow! Spam is down for another week, thanks to the efforts of some of our colleagues in the security field. Starting with the takedown of the colocation facility McColo, on November 11, 2008, levels of incoming messages MailWasher identified as spam have dropped dramatically. That company provided hosting space and maintenance for privately owned servers that were used by spammers to command and control spam-sending Botnets. Those spammers are rebuilding or replacing their Botnets as I type this, so let's not become complacent. In fact, I suspect that a huge new Botnet is currently being assembled, via the Conficker/Downadup Worm. More about this emerging threat will be in a forthcoming article.

Once again, with the main command and control servers being partially or fully offline, I urge all Windows computer owners and sys admins to install security applications that are capable of detecting SpamBot activity. Please do yourself a favor and protect your PCs against Bots with Trend Micro's free program called RUBotted.

Some of the top rated Internet security products now contain Bot detection and prevention components. These include Symantec and Trend Micro Internet Security Suites. I wrote a blog article about detecting and removing Bots in December, 2008. You can also visit Microsoft's download center and grab a current copy of the Malicious Software Removal Tool and let it scan your computer for malware and Bots. It will remove any threats listed in the tool's database, which now include the widespread Conficker/Downadup Worm. Microsoft has been at war with Botnets since September 2007 (when they took down much of the Storm Botnet) and has made a huge dent in their numbers. This tool is totally free and is updated once a month. It is regularly released on Patch Tuesdays.

Note that I have re-enabled my pattern matching blacklist filters to automatically delete spam messages containing a forged From address matching either of these Regular Expressions: lin+met@+.de and kef+diz@+, in MailWasher Pro. These two blacklist rules alone caught 52% of this week's spam!

MailWasher Pro spam category breakdown for Jan 19 - 25, 2009. Spam amounted to 22% of my incoming email this week.


Blacklisted Domains/Senders: (by pattern matching wildcard rules like: lin+met@+.de and kef+diz@+) 52.63%!
Fake "Canadian Pharmacy" spam (fake Viagra, Cialis, etc): 15.79%
Subject All Capitals or No Subject: (Nigerian 419 and Lottery scams) 15.79%
Casino Spam: 10.53%
Misc. Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals): 5.26%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).

January 18, 2009

My Spam analysis for Jan 12 - 18, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Wow! Spam is down for another week, thanks to the efforts of some of our colleagues in the security field. Starting with the takedown of the colocation facility McColo, on November 11, 2008, levels of incoming messages MailWasher identified as spam have dropped dramatically. That company provided hosting space and maintenance for privately owned servers that were used by spammers to command and control spam-sending Botnets. Those spammers are rebuilding or replacing their Botnets as I type this, so let's not become complacent. In fact, I suspect that a huge new Botnet is currently being assembled, via the Conficker/Downadup Worm. More about this emerging threat will be in a forthcoming article.

Once again, with the main command and control servers being partially or fully offline, I urge all Windows computer owners and sys admins to install security applications that are capable of detecting SpamBot activity. Please do yourself a favor and protect your PCs against Bots with Trend Micro's free program called RUBotted.

Some of the top rated Internet security products now contain Bot detection and prevention components. These include Symantec and Trend Micro Internet Security Suites. I wrote a blog article about detecting and removing Bots in December, 2008. You can also visit Microsoft's download center and grab a current copy of the Malicious Software Removal Tool and let it scan your computer for malware and Bots. It will remove any threats listed in the tool's database, which now include the widespread Conficker/Downadup Worm. Microsoft has been at war with Botnets since September 2007 (when they took down much of the Storm Botnet) and has made a huge dent in their numbers. This tool is totally free and is updated once a month. It is regularly released on Patch Tuesdays.

Note that I have re-enabled my pattern matching blacklist filters to automatically delete spam messages containing a forged From address matching either of these Regular Expressions: lin+met@+.de and kef+diz@+, in MailWasher Pro. These two blacklist rules caught 26% of this week's spam!

MailWasher Pro spam category breakdown for Jan 12 - 18, 2009. Spam amounted to 24% of my incoming email this week.


Blacklisted Domains/Senders: (by pattern matching wildcard rules like: lin+met@+.de) 26.67%
Counterfeit Watches: 20.00%
Misc. Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals): 13.34%
Casino Spam: 13.33%
Fake Diplomas: 6.67%
Pirated Software: 6.67%
Hidden ISO Subject: 6.67%
Viagra spam: 6.67%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).

January 11, 2009

My Spam analysis for Jan 5 - 11, 2009

Spam Spam Spam Spam Spam Spam Spam! That repetition of the word Spam comes from a comedy routine by Monty Python's Flying Circus, in 1970. They were referring to the canned cooked ham products that have been marketed by Hormel Foods since 1937. While canned Spam is still very much alive and well, so is another kind of so-called spam; unsolicited commercial email (UCE). This is the crap that contaminates email inboxes with all manner of junk promotions for fake pharmacies, counterfeit watches, pirated software, junk stocks, fake Viagra, bogus male enhancement products, fake diplomas, phishing scams, bogus loans and Nigerian 419 financial and lottery fraud scams. We call junk email spam, based on the Monty Python skit that abused the word by repeating it over and over again, to the point that it becomes obnoxious.

There are quite a few different types of email spam and my Spam Analysis articles categorize them according to what junk they are promoting. To do this I use a commercial email-screening program named MailWasher Pro. MailWasher Pro uses a combination of user configurable filters, blacklists, and a Bayesian learning filter to identify what the users of the program consider to be unwanted spam email. Once messages are identified as spam they are deleted manually or automatically, based on the users' preferences (I prefer automatic deletion). Normally, MailWasher identifies three categories of email: Friends, Known Spam (via a subscription service called FirstAlert!) and Blacklist. However, because the program allows users to create their own filter rules, it can label and categorize many different types of spam messages. I have created many custom MailWasher Pro filters to categorize and delete spam and I use the "Statistics" reports each weekend to share my findings with the rest of the World. You can learn more about MailWasher Pro here.

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Note, that the small percentage of reported spam is a recent development that began on November 11, 2008, with the takedown of the McColo server colocation hosting company. This company was allegedly turning a blind eye to illegal activities being conducted by spammers using servers hosted at the McColo facilities. Many of those servers were used by criminals to command and control the Botnets they owned. The compromised computers in those Botnets are used as zombie agents to send spam, scam and phishing emails, to launch DDoS attacks and to host hostile websites, all without the knowledge of the owners of those PCs.

MailWasher Pro spam category breakdown for Jan 5 - 11, 2009. Spam amounted to 12% of my incoming email this week.

Download MailWasher Pro Here


HTML Tricks: (ex: vertical, colored, or right-aligned spam words) 24.00%
Blacklisted Domains/Senders: (by pattern matching wildcard rules like: lin+met@+.de) 16.00%
Hidden ISO Subject: 8.00%
Fake "Canadian Pharmacy" spam (fake Viagra, Cialis, etc): 8.00%
Counterfeit Watches: 8.00%
Known Spam Domains: (mostly pharmaceutical spam) 8.00%
Misc. Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals): 8.00%
Other filters: (See my MWP Filters page) 4.00%
Viagra spam: 4.00%
Known Spam Subjects (by my filters): 4.00%
Subject All Capitals or No Subject: (Nigerian 419 and Lottery scams) 4.00%
Miscellaneous filters: 4.00%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).

January 4, 2009

My Spam analysis for Dec 29, 2008 - Jan 4, 2009

This is the latest entry in a weekly series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

If you are reading this you have a computer, or smart phone. If you have a computer or smart phone you also probably have at least one email address. Unless you live on another planet, or your email provider only allows whitelisted email through, you, like me, get a lot of junk mail, a.k.a. "spam" messages. While spam is an annoyance to most people, it is combat for me. I publish custom spam filters to block spam email for people who use the MailWasher Pro anti-spam email client.

MailWasher Pro is a spam screening POP3 email program that goes between your email servers and your desktop email client (application). With this program you can actually read all of your incoming email in plain text, and click on links, if you are so inclined. MailWasher Pro uses a variety of techniques to recognize and designate what is and isn't spam, including a learning filter and user created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by categories. Each program and user-created filter has a name and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics, with its percentage shown next to it. The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category called "Other Filters." Since I have a lot of custom filters and spam types do vary every week, the Other Filters category is always quite large, percentage-wise.

The overall volume of spam hitting my filters has dropped to very low levels not seen in years. This is due to the problems that Russian cyber criminals are having finding hosts for the servers used to issue command and control signals to their Botnets. This is a fluid situation, with spammers finding temporary hosts who come under pressure from security companies then terminate their connectivity. This has been going on since November 11, 2008. Currently, most spam is being sent via the resurrected Mega-D Botnet, which is famous for male enhancement spam.

Regarding the slowdown in Botnet sent spam, I keep a daily log and Monday, December 29 was the heaviest spam day, seconded by Friday, January 2. Obviously, the Russian Bot Masters are having a difficult time controlling or maintaining their zombie spambots and command and control servers.

The most prominent types of spam categorized this week were for imitations of brand name watches, followed by various pharmaceuticals, including Viagra from fake Internet pharmacies, bogus male enhancement crap, pirated software and some fake diploma spam. Many of these types of spam were caught by my Sender's Blacklist rules, like lin+met@+.de or kef+diz@+, thus, the Blacklist category usually rates fairly high in the results (when I activate it).

MailWasher Pro spam category breakdown for December 29, 2008 - January 4, 2009. Spam amounted to 19% of my incoming email this week, with just 30 spam messages analyzed.


Counterfeit Watches: 16.67%
Other filters: (See my MWP Filters page) 13.33%
Viagra spam: 13.33%
Fake "Canadian Pharmacy" spam (fake Viagra, Cialis, etc): 10.00%
HTML Tricks: 10.00%
Male enhancement spam (subject or body): 10.00%
Fake Diplomas: 6.67%
Known Spam Domains: (mostly pharmaceutical spam) 6.67%
Misc. Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals): 3.33%
Pirated Software: 3.33%
Blacklisted Domains/Senders: (by pattern matching wildcard rules like: lin+met@+.de) 3.33%
Image Spam: (for fake Internet pharmacies) 3.33%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).

December 28, 2008

My Spam analysis for December 22 - 28, 2008

If you are reading this you have a computer. If you have a computer you also probably have at least one email address. Unless you live on another planet, or your email provider only allows whitelisted email through, you, like me, get a lot of junk mail, a.k.a. "spam" messages. While spam is an annoyance to most people, it is combat for me. I publish custom spam filters to block spam email for people who use the MailWasher Pro anti-spam email client.

This is the latest entry in a weekly series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

MailWasher Pro is a spam screening POP3 email program that goes between your email servers and your desktop email client (application). With this program you can actually read all of your incoming email in plain text, and click on links, if you are so inclined. MailWasher Pro uses a variety of techniques to recognize and designate what is and isn't spam, including a learning filter and user created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by categories. Each program and user-created filter has a name and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics, with its percentage shown next to it. The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category called "Other Filters." Since I have a lot of custom filters and spam types do vary every week, the Other Filters category is always quite large, percentage-wise.

The overall volume of spam hitting my filters has dropped to very low levels not seen in years. This is due to the problems that Russian cyber criminals are having finding hosts for the servers used to issue command and control signals to their Botnets. This is a fluid situation, with spammers finding temporary hosts who come under pressure from security companies then terminate their connectivity. This has been going on since November 11, 2008. Currently, most spam is being sent via the resurrected Mega-D Botnet, which is famous for male enhancement spam.

The most prominent types of spam categorized this week were for imitations of brand name watches, followed by various pharmaceuticals, including diluted Asian Viagra from fake Internet pharmacies, and some fake diploma spam. Many of these types of spam were caught by my Sender's Blacklist rules, like lin+met@+.de or kef+diz@+, thus, the Blacklist category usually rates fairly high in the results.

MailWasher Pro spam category breakdown for December 22 - 28, 2008. Spam amounted to 17% of my incoming email this week, with just 35 spam messages analyzed.


Counterfeit Watches: 24.24%
Misc. Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals): 21.21%
Viagra spam: 12.12%
Fake Diplomas: 9.09%
Known Spam Subjects (by my filters): 6.06%
Other filters: (See my MWP Filters page) 6.06%
HTML Tricks: 6.06%
Blacklisted Domains/Senders: (by pattern matching wildcard rules like: lin+met@+.de) 6.06%
Hidden ISO Subject: 3.03%
Known Spam Domains: (mostly pharmaceutical spam) 3.03%
Male enhancement spam (subject or body): 3.03%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).

December 21, 2008

My Spam analysis for December 15 - 21, 2008

If you are reading this you have a computer. If you have a computer you also probably have at least one email address. Unless you live on another planet, or your email provider only allows whitelisted email through, you, like me, get a lot of junk mail, a.k.a. "spam" messages. While spam is an annoyance to most people, it is combat for me. I publish custom spam filters to block spam email for people who use the MailWasher Pro anti-spam email client.

This is the latest entry in a weekly series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

MailWasher Pro is a spam screening POP3 email program that goes between your email servers and your desktop email client (application). With this program you can actually read all of your incoming email in plain text, and click on links, if you are so inclined. MailWasher Pro uses a variety of techniques to recognize and designate what is and isn't spam, including a learning filter and user created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by categories. Each program and user-created filter has a name and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics, with its percentage shown next to it. The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category called "Other Filters." Since I have a lot of custom filters and spam types do vary every week, the Other Filters category is always quite large, percentage-wise.

The overall volume of spam hitting my filters has dropped to very low levels not seen in years. This is due to the problems that Russian cyber criminals are having finding hosts for the servers used to issue command and control signals to their Botnets. This is a fluid situation, with spammers finding temporary hosts who come under pressure from security companies then terminate their connectivity. This has been going on since November 11, 2008. Currently, most spam is being sent via the resurrected Mega-D Botnet, which is famous for male enhancement spam.

The most prominent types of spam categorized this week were for imitations of brand name watches, followed by pirated software, then for fake Viagra from the fake Canadian Pharmacy. Many of these types of spam were caught by my Sender's Blacklist rules, like lin+met@+.de, thus, the Blacklist category is tied for the top position.

MailWasher Pro spam category breakdown for December 15 - 21, 2008. Spam amounted to 18% of my incoming email this week, with just 49 spam messages analyzed.


Blacklisted Domains/Senders: (by pattern matching wildcard rules like: lin+met@+.de) 14.29%
Counterfeit Watches: 14.29%
Hidden ISO Subject: 10.20%
Viagra spam: 10.20%
Fake "Canadian Pharmacy" spam (fake Viagra, Cialis, etc): 10.20%
Known Spam Domains: (mostly pharmaceutical spam) 8.16%
Other filters: (See my MWP Filters page) 8.16%
Subject All Capitals or No Subject: (Nigerian 419 and Lottery scams) 8.16%
Numeric IP to Trojan download: 4.08%
Blocked Countries, RIPE, LACNIC, APNIC: 4.08%
Money Transfer Scams: 4.08%
HTML Tricks: 2.04%
DNS Blacklists: 2.04%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).

Continue reading "My Spam analysis for December 15 - 21, 2008" »


December 14, 2008

My Spam analysis for December 8 - 14, 2008

If you are reading this you have a computer. If you have a computer you also probably have at least one email address. Unless you live on another planet, or your email provider only allows whitelisted email through, you, like me, get a lot of junk mail, a.k.a. "spam" messages. While spam is an annoyance to most people, it is combat for me. I publish custom spam filters to block spam email for people who use the MailWasher Pro anti-spam email client.

This is the latest entry in a weekly series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

MailWasher Pro is a spam screening POP3 email program that goes between your email servers and your desktop email client (application). With this program you can actually read all of your incoming email in plain text, and click on links, if you are so inclined. MailWasher Pro uses a variety of techniques to recognize and designate what is and isn't spam, including a learning filter and user created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by categories. Each program and user-created filter has a name and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics, with its percentage shown next to it. The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category called "Other Filters." Since I have a lot of custom filters and spam types do vary every week, the Other Filters category is always quite large, percentage-wise.

The overall volume of spam hitting my filters has dropped to very low levels not seen in years. This is due to the problems that Russian cyber criminals are having finding hosts for the servers used to issue command and control signals to their Botnets. This is a fluid situation, with spammers finding temporary hosts who come under pressure from security companies then terminate their connectivity. This has been going on since November 11, 2008. Currently, most spam is being sent via the resurrected Mega-D Botnet, which is famous for male enhancement spam.

When it comes to major spam runs, sent entirely through zombie computers which are unwittingly members of Botnets, certain types of spam rise to the top of the threat list, every week or two. The most common types of spam this week are for fake diplomas, counterfeit watches and various pharmaceuticals, including male enhancement pills, Viagra, Cialis and other sex oriented drugs. Spam for the fake "Canadian Pharmacy" remained strong as usual, but was surpassed again by spam caught by my "Hidden ISO Subject" filter. Most of the Hidden ISO spam is for imitation Viagra or ineffective male enhancement pills and patches. This hidden ISO or ASCII command in the Subject and From fields is from a template used by a spammer. You can be certain this person lives in the former Soviet Union.

"Canadian Pharmacy" and its offshoot "Canadian Health and Care Mall" are scam websites, hosted unknowingly on hijacked (Botnetted) personal computers, or on bulletproof Chinese hosting servers owned by criminals in Russia. The prescription drugs and herbal remedies promoted by the fake Canadian Pharmacy come from a lab in India, named after a flower. Those prescription drugs are illegal to import into the US or Canada and may be seized by postal inspectors upon arrival.

The male enhancement spams are mostly leading to Botnetted computers hosting a web page touting VPXL, Power Gain Plus, Mega-Dick, or other bogus herbal enlargement formulas, all of which are scams. These male enhancement pills and patches are totally ineffective at permanently lengthening the male organ and may even be dangerous to your health.

MailWasher Pro spam category breakdown for December 8 - 14, 2008. Spam amounted to 16% of my incoming email this week, with just 42 spam messages analyzed.


Blacklisted Domains/Senders: (by pattern matching wildcard rules like: lin+met@+.de) 39.02%
Hidden ISO Subject: 17.07%
Viagra spam: 14.63%
Known X-Mailer Spam: 4.88%
Image Spam: (for fake Internet pharmacies) 4.88%
Other filters: (See my MWP Filters page) 4.88%
Fake "Canadian Pharmacy" spam (fake Viagra, Cialis, etc): 2.44%
Male enhancement spam (subject or body): 2.44%
Fake Diplomas: 2.44%
Counterfeit Watches: 2.44%
DNS Blacklists: 2.44%
Blocked Countries, RIPE, LACNIC, APNIC: 2.44%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).

Continue reading "My Spam analysis for December 8 - 14, 2008" »


December 7, 2008

My Spam analysis for December 1 - 7, 2008

If you are reading this you have a computer. If you have a computer you also probably have at least one email address. Unless you live on another planet, or your email provider only allows whitelisted email through, you, like me, get a lot of junk mail, a.k.a. "spam" messages. While spam is an annoyance to most people, it is combat for me. I publish custom spam filters to block spam email for people who use the MailWasher Pro anti-spam email client.

This is the latest entry in a weekly series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

MailWasher Pro is a spam screening POP3 email program that goes between your email servers and your desktop email client (application). With this program you can actually read all of your incoming email in plain text, and click on links, if you are so inclined. MailWasher Pro uses a variety of techniques to recognize and designate what is and isn't spam, including a learning filter and user created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by categories. Each program and user-created filter has a name and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics, with its percentage shown next to it. The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category called "Other Filters." Since I have a lot of custom filters and spam types do vary every week, the Other Filters category is always quite large, percentage-wise.

The overall volume of spam hitting my filters has dropped to very low levels not seen in years. This is due to the problems that Russian cyber criminals are having finding hosts for the servers used to issue command and control signals to their Botnets. This is a fluid situation, with spammers finding temporary hosts who come under pressure from security companies then terminate their connectivity. This has been going on since November 11, 2008.

When it comes to major spam runs, sent entirely through zombie computers which are unwittingly members of Botnets, certain types of spam rise to the top of the threat list, every week or two. The most common types of spam this week are for fake watches and various pharmaceuticals, including male enhancement pills, Viagra, Cialis and other sex oriented drugs. Spam for the fake "Canadian Pharmacy" remained strong as usual, but was surpassed again by spam caught by my "Hidden ISO Subject" filter. Most of the Hidden ISO spam is for Indian Viagra or ineffective male enhancement pills and patches. This hidden ISO or ASCII command in the Subject and From fields is from a template used by a particular Bot Master for his Botnet. You can be certain this person lives in the former Soviet Union.

"Canadian Pharmacy" and its offshoot "Canadian Health and Care Mall" are scam websites, hosted unknowingly on hijacked (Botnetted) personal computers, or on bulletproof Chinese hosting servers owned by criminals in Russia. The prescription drugs and herbal remedies promoted by the fake Canadian Pharmacy come from a lab in India, named after a flower. Those prescription drugs are illegal to import into the US or Canada and may be seized by postal inspectors upon arrival.

The male enhancement spams are mostly leading to Botnetted computers hosting a web page touting VPXL, Power Gain Plus, or other herbal enlargement formulas, all of which are scams. Male enhancement pills are totally ineffective and may even be dangerous to your health.

MailWasher Pro spam category breakdown for December 1 - 7, 2008. Spam amounted to 10% of my incoming email this week, with just 27 spam messages analyzed.


Blacklisted Domains/Senders: (by pattern matching wildcard rules like: lin+met@+.de) 26.92%
Hidden ISO Subject: 15.38%
Fake Diplomas: 11.54%
Image Spam: (for fake Internet pharmacies) 11.54%
Male enhancement spam (subject or body): 7.69%
Fake "Canadian Pharmacy" spam (fake Viagra, Cialis, etc): 7.69%
Counterfeit Watches: 7.69%
Joe Job Bounces: 7.69%
Subject All Capitals: (Nigerian 419 and Lottery scams) 7.69%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).

Continue reading "My Spam analysis for December 1 - 7, 2008" »


December 1, 2008

Srizbi Spam Botnet goes offline again!

On November 26, 2008, I wrote an article concerning the "Srizbi" Botnet coming back to life, following the shutdown of its Command-and-Control servers (C&C) at McColo, Inc. This happened because the Russian criminals running the Srizbi Botnet, thought to number over 450,000 PCs, were able to lease servers from a web hosting firm in Estonia, to which they uploaded the C&C software. Once these servers came online the zombie computers making up the Botnet army were able to contact the servers and receive new instructions and spam templates. This resulted in a 10% increase in the volume of spam I saw last week, over the previous week (following the C&C servers at McColo being shut down).

Well, starting on Sunday night, November 30, 2008, I noticed another sudden decline in the amount of spam that was detected, classified and deleted by my spam filtering program, MailWasher Pro. This decline continues today, Monday, December 1, 2008. There is virtually no significant amount of spam arriving in any of my accounts. Being curious I did a little investigating and learned that the people running the Estonian ISP Starline Web Services, which temporarily hosted the Command-and-Control servers for the Srizbi botnet, have cut off those servers. This followed complaints from Estonia's Computer Emergency Response Team (CERT) and threats of total disconnection by the companies who supply the Internet IP connections to that ISP, and others in Estonia.

Note that the ISP that was temporarily hosting the Srizbi C&C machines gets its IP addresses and Internet connectivity from a hosting company named Compic, which is known to CERT as a company that has been friendly to criminals who host malware on their websites. Many complaints have been filed with Compic concerning illegal activities by their customers, conducted on their servers and those of their downstream resellers. Reference.

Most of my readers are more concerned about repelling spam, than tracing it. I have written many articles offering filtering solutions involving MailWasher Pro, as well as website email filters that can be applied by people whose websites are hosted on cPanel control panels and Linux/Apache based servers. Just look in my recent posts links, in the right sidebar, or search this blog for the keywords "spam filters." But I seem to have overlooked one area of this spam-demic that deserves mentioning now. That area is your own computers and what unknown spam applications and scripts may be running on them.

The question every computer owner should be asking themselves, or their IT personnel, is: "Am I Botted?" What I mean by this is that every computer owner needs to scan for the presence of Bot infections on their PCs. Any operating system can become invaded by a Bot infection, either as an invisible rootkit or a visible process. Each OS will have tools available to its administrators to test for the presence of hostile applications (e.g. Snort). However, the rest of this article and the recommendations in it are meant for Windows based computer owners.

Continue reading "Srizbi Spam Botnet goes offline again!" »


November 30, 2008

My Spam analysis for Nov 24 - 30, 2008

If you are reading this you have a computer. If you have a computer you also probably have at least one email address. Unless you live on another planet, or your email provider only allows whitelisted email through, you, like me, get a lot of junk mail, a.k.a. "spam" messages. While spam is an annoyance to most people, it is combat for me. I publish custom spam filters to block spam email for people who use the MailWasher Pro anti-spam email client.

This is the latest entry in a weekly series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

MailWasher Pro is a spam screening POP3 email program that goes between your email servers and your desktop email client (application). With this program you can actually read all of your incoming email in plain text, and click on links, if you are so inclined. MailWasher Pro uses a variety of techniques to recognize and designate what is and isn't spam, including a learning filter and user created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by categories. Each program and user-created filter has a name and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics, with its percentage shown next to it. The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category called "Other Filters." Since I have a lot of custom filters and spam types do vary every week, the Other Filters category is always quite large, percentage-wise.

Before I get into the various categories of spam received this week, I want to mention the fact that while the volume of spam is still down from October and early November, it is definitely on the rise, with a 10% increase from last week. The volume of spam had dropped to near zero a couple of weeks ago, due to the termination of service to a server co-location hosting company, named McColo. McColo's customers were responsible for over 75% of the daily spam sent from zombie computers in several major Botnets. The "zombie" computers in these Botnets were unable to receive instructions from their mothership controllers and had mostly fallen silent; but have now begun to awaken.

When it comes to major spam runs, sent entirely through zombie computers which are unwittingly members of Botnets, certain types of spam rise to the top of the threat list, every week or two. The most common types of spam this week are for fake watches and various pharmaceuticals, including male enhancement pills, Viagra, Cialis and other sex oriented drugs. Spam for the fake "Canadian Pharmacy" remained strong as usual, but was surpassed for a second week by spam caught by my "Hidden ISO Subject" filter. Most of the Hidden ISO spam is for Indian Viagra or ineffective male enhancement pills and patches.

"Canadian Pharmacy" and its offshoot "Canadian Health and Care Mall" are scam websites, hosted unknowingly on hijacked (Botnetted) personal computers, or on bulletproof Chinese hosting servers owned by criminals in Russia. The prescription drugs and herbal remedies promoted by the fake Canadian Pharmacy come from a lab in India, named after a flower. Those prescription drugs are illegal to import into the US or Canada and may be seized by postal inspectors upon arrival.

The male enhancement spams are mostly leading to Botnetted computers hosting a web page touting VPXL, Power Gain Plus, or other herbal enlargement formulas, all of which are scams. Male enhancement pills are totally ineffective and may even be dangerous to your health.

MailWasher Pro spam category breakdown for November 24 - 30, 2008. Spam amounted to 25% of my incoming email this week, with 74 spam messages analyzed.


Hidden ISO Subject: 27.03%
Blacklisted Domains/Senders: (by pattern matching wildcard rules) 13.51%
Fake "Canadian Pharmacy" spam (Viagra, Cialis, etc): 13.53%
Other filters: (See my MWP Filters page) 10.81%
Counterfeit Watches: 8.11%
Known X-Mailer Spam: 5.41%
Viagra spam: 4.05%
DNS Blacklists: 4.05%
Fake Diplomas: 4.05%
Lottery Scams: 2.70%
HTML Tricks: 2.70%
Misc. Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals): 2.70%
Bayesian learning filter: 1.35%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).

Continue reading "My Spam analysis for Nov 24 - 30, 2008" »


November 26, 2008

Spam volume increasing as Srizbi Botnet is reactivated

On November 14, 2008, I published an article on my blog about how spam had dropped significantly following the shutdown of McColo, a server co-location hosting company. The reason for the huge drop in spam was because several of the World's largest and busiest Botnets had their Command and Control (C&C) servers housed and connected to the Internet by McColo. The C&C servers send instructions and spam templates to the Zombies under their control. When those C&C servers lost their connections to the Internet the Zombie computers in the Botnets they controlled all fell silent; becoming sleeper agents awaiting new instructions from new Controllers.

Today I began seeing an increase in the number of spam emails arriving in my spam screening program, MailWasher Pro. I did a little digging into security news and discovered that this increase is not a coincidence. Apparently, the so-called "Srizbi Botnet" has been rebuilding its C&C computers, which are now hosted in Estonia. Those C&C machines are now issuing instructions to the sleeping zombies, which are awakening and beginning to send out spam again. While researchers and detectives are able to identify the new locations of those C&C machines, shutting them down will be difficult, as the people hosting them and local Government officials couldn't care less about the damage being done by the Botnets under their control.

Whether today's spam is coming from the Srizbi Botnet, or some other Botnet is unimportant to spam recipients. Unless you are a security researcher you are probably more interested in blocking this spam than in knowing who designed it and ordered it to be sent to you. I can help you do that, using special rules in a spam filtering program named MailWasher Pro. This can only be done if you read your email in a POP3 desktop email client, like Outlook, Outlook Express, Windows Live Mail, Apple Mail, Mozilla Thunderbird, etc. MailWasher Pro stands between the Internet email servers and your desktop email client, where it filters out spam, scams and virus threats, before downloading any messages to your desktop email client. If you are not already using MailWasher Pro you can read about it here and download a trial or purchase a copy for yourself.

The first prong in my attack against spam is to add wildcard email addresses, that spammers repeatedly forge as the sender, to the program's Blacklist. Blacklist rules are processed before other types of rules, so the wildcard addresses in the Blacklist will cut down a lot on the amount of unclassified spam you have to deal with. Open MailWasher Pro, click on the "View" menu item, then select "Filter Side Bar." The Filter Side Bar will appear on the right side of the program. It has three tabbed sections: "Friends List" and "Blacklist" and "Filters." Click on the "Blacklist" tab, then click on the round green "Add" button. A new "Add address to list" box will open. Click on the option "Wildcard expression." Copy and paste, or type in the following codes, one per Blacklist entry, then click OK to close each new entry box. Repeat the sequence for each of the six Blacklist additions listed below. The first two entries are very commonly matched right now.

kef+diz@+

lin+met@+.de

dw+m@+

_+@+.+

-+@+.+

+@mail.*ru

After saving these Blacklist Wildcard rules you must decide how you want MailWasher Pro to deal with the messages matching these expressions. While still in the Blacklist tab, click on the "Options" button. In the "Actions" section select "Delete the email." Just under that you can choose whether that happens manually, where you see the email flagged as "Blacklisted" in the incoming messages list, or whether any messages matching those criteria are automatically deleted off the email server, on the spot. I use automatic deletion, as nobody I communicate with has an email prefix or suffix matching these criteria. To be safe, use manual deletion for a while, whitelisting (adding to the Friends list) any false detections, then switch to "Automatically, without notification" when you are confident in the accuracy of these (and other) Blacklist rules.
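As an added example, not code from this post or from Firetrust's MailWasher Pro, here is a small Python screener that applies the six wildcard Blacklist rules above to From: header values the way the post describes MailWasher using them: first matching rule wins, and the result is what you would see flagged as "Blacklisted." How the wildcards translate is my assumption, since the page does not document it: "+" is read as one or more characters and "*" as zero or more, with every other character, including "." and "@", taken literally. All sender addresses below are constructed. The last sample also shows why the post advises manual deletion first: a short rule such as dw+m@+ can match an address that looks perfectly legitimate.

```python
import re
from email.utils import parseaddr

# Constructed copy of the six wildcard Blacklist entries from the post.
BLACKLIST_RULES = [
    "kef+diz@+",
    "lin+met@+.de",
    "dw+m@+",
    "_+@+.+",
    "-+@+.+",
    "+@mail.*ru",
]


def wildcard_to_regex(rule):
    """Translate a wildcard Blacklist rule into an anchored regular expression.

    Assumption (not stated on the page): '+' means one or more characters and
    '*' means zero or more. Every other character is literal, so the '.' in
    'mail.*ru' requires a real dot and 'mailbox.ru' will not match.
    """
    parts = []
    for ch in rule:
        if ch == "+":
            parts.append(".+")
        elif ch == "*":
            parts.append(".*")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


# Compile once; rules are tried in list order, like entries in the Blacklist.
COMPILED_RULES = [(rule, wildcard_to_regex(rule)) for rule in BLACKLIST_RULES]


def sender_address(from_header):
    """Extract the bare address from a From: header value, dropping the display name."""
    return parseaddr(from_header)[1].strip().lower()


def match_blacklist(from_header):
    """Return the first Blacklist rule the sender matches, or None if it passes."""
    addr = sender_address(from_header)
    if not addr:
        return None
    for rule, regex in COMPILED_RULES:
        if regex.match(addr):
            return rule
    return None


def screen_messages(from_headers):
    """Screen a batch of From: values; returns (address, matched_rule_or_None) pairs."""
    return [(sender_address(h), match_blacklist(h)) for h in from_headers]


if __name__ == "__main__":
    # Constructed sample From: lines; none of these are real senders.
    samples = [
        "Kefir Dizzy <kefadiz@spam.example>",     # hits kef+diz@+
        "linamet@host.de",                        # hits lin+met@+.de
        "_promo@deals.example.com",               # hits _+@+.+
        "user@mail.spam.ru",                      # hits +@mail.*ru
        "user@mailbox.ru",                        # passes: literal '.' after 'mail'
        "alice@example.com",                      # passes
        "Dwayne Hamm <dwayne.hamm@example.com>",  # false positive on dw+m@+
    ]
    for addr, rule in screen_messages(samples):
        verdict = "Blacklisted by %s" % rule if rule else "passed"
        print("%-28s %s" % (addr, verdict))
```

Run in "manual" mode, the Dwayne Hamm line is exactly the kind of hit you would catch in the incoming list and move to the Friends list before turning on automatic deletion.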

Next, go to my MailWasher Pro Custom Filters web page and scroll down to the iframe, in which one of my three versions of my custom MailWasher Pro filters will be loaded. Read the notes about each of these filters and choose the one that you prefer to use. You can either copy and paste the rules from the iframe into your own "filters.txt" file, or download the file, deposit it into the appropriate location, renaming it to filters.txt if required. MailWasher Pro keeps all user settings, filters and white/black lists in your logged-in identity's %AppData%\MailWasherPro folder. You may need to edit your Folder View settings to unhide hidden and system files and folders, and show known extensions, to see these files. You can also locate and open the data folder where the filters.txt lives by clicking on "Help" (with MailWasher Pro open), then "About," then click on the link to your application data files, at the bottom of the "About" box. More details about using my filters are found on the aforementioned Custom Filters web page.

Continue reading "Spam volume increasing as Srizbi Botnet is reactivated" »


November 24, 2008

My Spam analysis for Nov 17 - 23, 2008

If you are reading this you have a computer. If you have a computer you also probably have at least one email address. Unless you live on another planet, or your email provider only allows whitelisted email through, you, like me, get a lot of junk mail, a.k.a. "spam" messages. While spam is an annoyance to most people, it is combat for me. I publish custom spam filters to block spam email for people who use the MailWasher Pro anti-spam email client.

This is the latest entry in a weekly series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

MailWasher Pro is a spam screening POP3 email program that goes between your email servers and your desktop email client (application). With this program you can actually read all of your incoming email in plain text, and click on links, if you are so inclined. MailWasher Pro uses a variety of techniques to recognize and designate what is and isn't spam, including a learning filter and user created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by categories. Each program and user-created filter has a name and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics, with its percentage shown next to it. The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category called "Other Filters." Since I have a lot of custom filters and spam types do vary every week, the Other Filters category is always quite large, percentage-wise.

Before I get into the various categories of spam received this week, I want to mention the fact that I saw a humongous drop in the volume of incoming spam analyzed by MailWasher Pro, beginning Tuesday, November 11 and continuing throughout this past week. It was on November 11, 2008, that Global Crossing and Hurricane Electric disconnected a server co-location hosting company named McColo from the Internet. McColo's customers were responsible for as much as 75% of the daily spam sent from zombie computers in several major Botnets. The "zombie" computers in these Botnets are unable to receive instructions from their mothership controllers and have mostly fallen silent; for now.

When it comes to major spam runs, sent entirely through zombie computers which are unwittingly members of Botnets, certain types of spam rise to the top of the threat list, every week or two. The most common types of spam this week are for fake watches and various pharmaceuticals, including male enhancement pills, Viagra, Cialis and other sex oriented drugs. Spam for the fake "Canadian Pharmacy" remained strong as usual, but was surpassed this week by spam caught by my "Hidden ISO Subject" filter. Most of the Hidden ISO spam is for Indian Viagra or ineffective male enhancement pills.

"Canadian Pharmacy" and its offshoot "Canadian Health and Care Mall" is a scam website, hosted unknowingly on hijacked (Botnetted) personal computers, or on bulletproof Chinese hosting servers owned by criminals in Russia. The prescription drugs and herbal remedies promoted by the fake Canadian Pharmacy come from a lab in India, named after a flower. Those prescription drugs are illegal to import into the US or Canada and may be seized by postal inspectors upon arrival.

The male enhancement spams are mostly leading to Botnetted computers hosting a web page touting VPXL, or other herbal enlargement formulas, all of which are scams. Male enhancement pills are totally ineffective and may even be dangerous to your health.

MailWasher Pro spam category breakdown for November 17 - 23, 2008. Spam amounted to a mere 15% of my incoming email this week, with only 44 spam messages analyzed.


Hidden ISO Subject: 25.81%
Blacklisted Domains/Senders: (by pattern matching wildcard rules) 16.13%
Fake "Canadian Pharmacy" spam (Viagra, Cialis, etc): 12.90%
Male enhancement spam (subject or body): 9.68%
Counterfeit Watches: 9.68%
Viagra spam: 6.45%
Dating scams: 3.23%
Misc. Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals): 3.23%
Bayesian learning filter: 3.23%
Casino Spam: 3.23%
Blocked Countries, RIPE, LACNIC, APNIC: 3.23%
Joe Job Bounces: 3.23%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).


November 16, 2008

My Spam analysis for Nov 10 - 16, 2008

If you are reading this you have a computer. If you have a computer you also probably have at least one email address. Unless you live on another planet, or your email provider only allows whitelisted email through, you, like me, get a lot of junk mail, a.k.a. "spam" messages. While spam is an annoyance to most people, it is combat for me. I publish custom spam filters to block spam email for people who use the MailWasher Pro anti-spam email client.

This is the latest entry in a weekly series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

MailWasher Pro is a spam screening POP3 email program that goes between your email servers and your desktop email client (application). With this program you can actually read all of your incoming email in plain text, and click on links, if you are so inclined. MailWasher Pro uses a variety of techniques to recognize and designate what is and isn't spam, including a learning filter and user created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by categories. Each program and user-created filter has a name and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics, with its percentage shown next to it. The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category called "Other Filters." Since I have a lot of custom filters and spam types do vary every week, the Other Filters category is always quite large, percentage-wise.

Before I get into the various categories of spam received this week, I want to mention the fact that I saw a large drop in the volume of incoming spam analyzed by MailWasher Pro, beginning Tuesday, November 11. It was during the afternoon of November 11, 2008, that Global Crossing and Hurricane Electric disconnected a server co-location hosting company named McColo from the Internet. McColo's customers were responsible for as much as 75% of the daily spam sent from zombie computers in several major Botnets. Spam began diminishing on Tuesday and continues to drop today. A BIG THANKS goes to HostExploit and its research partners who compiled evidence over a more than two year period, that led to the termination of McColo's connectivity to the Internet. I recently published an article about how the volume of spam dropped when McColo was disconnected from the Internet.

When it comes to major spam runs, sent entirely through zombie computers which are unwittingly members of Botnets, certain types of spam rise to the top of the threat list, every week or two. The most common types of spam this week are for fake diplomas and various pharmaceuticals, including male enhancement pills, Viagra, Cialis and other sex-oriented drugs. Spam for the fake "Canadian Pharmacy" continues to dominate all spam categories. This type of spam had decreased last month, after the arrest and indictment of some of the people behind these scams. Unfortunately, other criminals have taken up the slack and continue to promote their own "Canadian Pharmacy."

"Canadian Pharmacy" and its offshoot "Canadian Health and Care Mall" is a scam website, hosted unknowingly on hijacked (Botnetted) personal computers, or on bulletproof Chinese hosting servers owned by criminals in Russia. The prescription drugs and herbal remedies promoted by the fake Canadian Pharmacy come from a lab in India, named after a flower. Those prescription drugs are illegal to import into the US or Canada and may be seized by postal inspectors upon arrival.

The male enhancement spams are mostly leading to Botnetted computers hosting a web page touting VPXL, or other herbal enlargement formulas, all of which are scams. Male enhancement pills are totally ineffective and may even be dangerous to your health.

MailWasher Pro spam category breakdown for November 10 - 16, 2008. Spam amounted to 49% of my incoming email this week, with 229 spam messages analyzed.


Fake "Canadian Pharmacy" spam (Viagra, Cialis, etc): 30.60%
Viagra spam: 13.43%
Fake Diplomas: 12.69%
Other filters: (See my MWP Filters page) 9.70%
Male enhancement spam (subject or body): 9.70%
Hidden ISO Subject: 5.97%
Misc. Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals): 3.73%
One line spam url: 2.99%
HTML Tricks: 2.99%
Casino Spam: 2.99%
Lottery Scams: 2.99%
Blacklisted Domains/Senders: (by pattern matching wildcard rules) 1.49%
DNS Blacklists: 0.75%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).


November 14, 2008

Spam volume drops after McColo servers forced offline

My incoming volume of spam email has dwindled steadily this week, since Tuesday, November 11. I have waited a few days to write about this in order to see how matters played out. Interestingly, Tuesday was also Veterans' Day in the USA and Armistice Day around the World. Coincidentally, there was a temporary armistice between the senders of spam and the targets of their spam messages. This armistice occurred around 1:30 PST in San Jose, California, USA.

Something major happened on Tuesday, November 11, 2008, that resulted in the huge drop in the volume of spam hitting my MailWasher Pro spam filtering program. It was on Tuesday afternoon, November 11, 2008, that the Internet backbone and colocation provider Hurricane Electric and the global IP network operator Global Crossing terminated their Internet peering connections to the web server colocation hosting company known as McColo Corporation, located in San Jose, California. They did this after being presented with irrefutable evidence of long-term extreme badness being conducted by the hosting customers of McColo. It is estimated that up to 75% of the spam sent out on a daily basis is run by Command and Control servers hosted on machines at McColo's facilities. Without being commanded to receive new spam templates and then send out spam runs, the zombie PCs in numerous Botnets fell silent over the last few days.

This badness conducted by the McColo customers includes various unfriendly and illegal activities, including, but not limited to the following:


  • Hosting distribution machines for malware executables and browser exploits, to be served to innocent web surfers drawn there by trickery, to infect their computers with Trojans and make them members of botnets.

  • Command and Control over the World's most prolific Botnets, the members of which are remotely controlled to send spam, host malware laden web pages, or launch denial of service attacks on behalf of the Bot Masters.

  • Hosting fake anti-virus and rogue anti-spyware scanners, used to scam victims into paying for useless removal programs. The so-called removal programs in fact only remove the pop-up notices, or balloon messages, or phony screensavers or desktop backgrounds that are made to resemble a Windows BSOD. They operate in collusion as a tandem infection.

  • Hosting Phishing web sites that steal login credentials from banking customers, then empty their bank accounts, or make unauthorized purchases with their stolen credit card accounts.

  • Hosting of illegal child pornography.

  • Hosting of payment portals and systems by means of which cyber criminals receive payments.

  • Hosting servers that are used to store information stolen by means of Phishing or Dictionary attacks against innocent parties.

  • Databases containing the names and locations of Bot Masters, cyber criminals, pornographers and spammers.

  • The hosting of fake pharmacy websites and payment systems.

  • Launching DDoS attacks against the Republic of Georgia infrastructure and Government websites, and against other legitimate governments and companies.


McColo hosted the so-called command-and-control servers for botnets that are used to instruct PCs to send spam. The botnets included Rustock, Srizbi, Pushdo/Cutwail, Ozdok/Mega-D and Gheg, according to this report. If you are troubled by the sheer volume of spam that you must fight off every day, take the time to read the report and you will gain a better understanding of how the cyber criminals behind these operations are able to conduct their illegal activities and where many of them are actually located.

The cyber criminals whose servers were taken offline when McColo went dark will eventually find other places to operate their servers and will rebuild their illegal businesses. In the meantime, you and I can enjoy a few days of relief from the constant onslaught of spam that paralyzes our inboxes every day. I can only hope that this shutdown will be a major inconvenience to them and will cost them a lot of time and money to rebuild. You and your friends can do your part by deleting all spam messages and by never ever buying anything that is spamvertised!

If you are in need of an effective spam filtering program that sits ahead of your email client, I use and recommend MailWasher Pro. MailWasher Pro intercepts your incoming POP3 email and filters out spam before you download it to your desktop email application.


November 9, 2008

My Spam analysis for Nov 3 - 9, 2008

If you are reading this you have a computer. If you have a computer you also probably have at least one email address. Unless you live on another planet, or your email provider only allows whitelisted email through, you, like me, get a lot of junk mail, a.k.a. "spam" messages. While spam is an annoyance to most people, it is combat for me. I publish custom spam filters to block spam email for people who use the MailWasher Pro anti-spam email client.

This is the latest entry in a weekly series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

MailWasher Pro is a spam screening POP3 email program that goes between your email servers and your desktop email client (application). With this program you can actually read all of your incoming email in plain text, and click on links, if you are so inclined. MailWasher Pro uses a variety of techniques to recognize and designate what is and isn't spam, including a learning filter and user created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by categories. Each program and user-created filter has a name and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics, with its percentage shown next to it. The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category called "Other Filters." Since I have a lot of custom filters and spam types do vary every week, the Other Filters category is always quite large, percentage-wise.

When it comes to major spam runs, sent entirely through zombie computers which are unwittingly members of Botnets, certain types of spam rise to the top of the threat list, every week or two. The most common types of spam this week are for pirated software, fake diplomas and various pharmaceuticals, including male enhancement pills, Viagra, Cialis and other sex-oriented drugs. This week I saw another resurgence in the amount of spam for the fake "Canadian Pharmacy." This type of spam had decreased after the arrest and indictment of some of the people behind these scams.

"Canadian Pharmacy" and its offshoot "Canadian Health and Care Mall" is a scam website, hosted unknowingly on hijacked (Botnetted) personal computers, or on bulletproof Chinese hosting servers owned by criminals in Russia. The prescription drugs and herbal remedies promoted by the fake Canadian Pharmacy come from a lab in India, named after a flower. Those prescription drugs are illegal to import into the US or Canada and may be seized by postal inspectors upon arrival.

The male enhancement spams are mostly leading to Botnetted computers hosting a web page touting VPXL, or other herbal enlargement formulas, all of which are scams. Male enhancement pills are totally ineffective and may even be dangerous to your health.

MailWasher Pro spam category breakdown for November 3 - 9, 2008. Spam amounted to 50% of my incoming email this week.


Other filters: (See my MWP Filters page) 22.75%
Viagra spam: 13.33%
Fake "Canadian Pharmacy" spam (Viagra, Cialis, etc): 10.98%
Male enhancement spam (subject or body): 10.98%
Pirated Software: 8.24%
Fake Diplomas: 6.67%
Casino Spam: 5.10%
HTML Tricks: 5.10%
Known Spam Subjects (by my filters): 4.31%
Misc. Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals): 3.92%
Blacklisted Domains/Senders: (by pattern matching wildcard rules) 3.53%
Phishing Scams: 3.53%
Bayesian learning filter: 1.18%
DNS Blacklists: 0.39%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).


October 26, 2008

My Spam analysis for Oct 20 - 26, 2008

If you are reading this you have a computer. If you have a computer you also probably have at least one email address. Unless you live on another planet, or your email provider only allows whitelisted email through, you, like me, get a lot of junk mail, a.k.a. "spam" messages. While spam is an annoyance to most people, it is combat for me. I publish custom spam filters to block spam email for people who use the MailWasher Pro anti-spam email client.

This is the latest entry in a weekly series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

MailWasher Pro is a spam screening POP3 email program that goes between your email servers and your desktop email client (application). With this program you can actually read all of your incoming email in plain text, and click on links, if you are so inclined. MailWasher Pro uses a variety of techniques to recognize and designate what is and isn't spam, including a learning filter and user created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by categories. Each program and user-created filter has a name and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics, with its percentage shown next to it. The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category called "Other Filters." Since I have a lot of custom filters and spam types do vary every week, the Other Filters category is always quite large, percentage-wise.

When it comes to major spam runs, sent entirely through zombie computers which are unwittingly members of Botnets, certain types of spam rise to the top of the threat list, every week or two. The most common type of spam this week (again) is pharmaceuticals, including male enhancement pills, Viagra, Cialis and other sex-oriented drugs. This week I saw a big decrease in the amount of spam for the fake "Canadian Pharmacy." This is a scam website, hosted unknowingly on hijacked (Botnetted) personal computers, or on bulletproof Chinese hosting servers owned by criminals in Russia. The male enhancement spams are mostly leading to Botnetted computers hosting a web page touting VPXL, or other herbal enlargement formulas, all of which are scams.

MailWasher Pro spam category breakdown for October 20 - 26, 2008. Spam amounted to 67% of my incoming email this week.


Viagra spam: 24.93%
Loans/Bankruptcy/Refinance/Insurance Scams: 16.07%
Known Spam (From: or Body): 11.08%
Other filters: (See my MWP Filters page) 9.42%
Known Spam Domains: (mostly pharmaceutical spam) 9.42%
Casino Spam: 9.14%
HTML Tricks: 6.93%
Fake "Canadian Pharmacy" spam (Viagra, Cialis, etc): 3.60%
Known Spam Subjects (by my filters): 3.32%
Male enhancement spam (subject or body): 2.49%
Phishing Scams: 1.66%
Blacklisted Domains/Senders: (by pattern matching wildcard rules) 1.66%
Bayesian learning filter: 0.28%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).


October 19, 2008

My Spam analysis for Oct 13 - 19, 2008

If you are reading this you have a computer. If you have a computer you also probably have at least one email address. Unless you live on another planet, or your email provider only allows whitelisted email through, you, like me, get a lot of junk mail, a.k.a. "spam" messages. While spam is an annoyance to most people, it is combat for me. I publish custom spam filters to block spam email for people who use the MailWasher Pro anti-spam email client.

This is the latest entry in a weekly series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

MailWasher Pro is a spam screening POP3 email program that goes between your email servers and your desktop email client (application). With this program you can actually read all of your incoming email in plain text, and click on links, if you are so inclined. MailWasher Pro uses a variety of techniques to recognize and designate what is and isn't spam, including a learning filter and user created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by categories. Each program and user-created filter has a name and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics, with its percentage shown next to it. The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category called "Other Filters." Since I have a lot of custom filters and spam types do vary every week, the Other Filters category is always quite large, percentage-wise.

When it comes to major spam runs, sent entirely through zombie computers which are unwittingly members of Botnets, certain types of spam rise to the top of the threat list, every week or two. The most common type of spam this week (again) is pharmaceuticals, including male enhancement pills, Viagra, Cialis and other sex-oriented drugs. At this time almost all spam email for any kind of pharmaceuticals is pointing to the fake "Canadian Pharmacy" website, hosted unknowingly on hijacked (Botnetted) personal computers, or on bulletproof Chinese hosting servers owned by criminals in Russia. The male enhancement spams are mostly leading to Botnetted computers hosting a web page touting VPXL, or other herbal enlargement formulas, all of which are scams.

For those who don't know, "Canadian Pharmacy" is a fake pharmacy, with fake accreditation banners, that is either hosted on compromised home or office computers (in Bot-nets), or on "bullet-proof" web hosting servers in Panama (200.63.40/21), China (CNCGROUP - 218.60.0.0/15), Korea, Vietnam, Romania, Russia, or The Ukraine. The Canadian Pharmacy spam gang sells counterfeit drugs that could harm or even kill you, but certainly won't help you in the manner advertised. This fake pharmacy is used by cyber criminals to raise money for themselves and to fund illegal activities that they engage in. Once they get your credit or debit card number they may max out your spending limit, or empty out your bank account, or sell your credit card details to other criminals. Please do not be deceived into thinking that these are legitimate online pharmacies. Despite any banners, labels, or claims to the contrary, they are NOT approved to sell their (counterfeit) pills in most countries outside of China. Don't become a victim of the fake Canadian Pharmacy scam.
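The netblocks quoted above, together with the "Blocked Countries, RIPE, LACNIC, APNIC" line in the weekly breakdowns, are the raw material of a netblock filter: take the IP address of the host that delivered the message to your own mail server and test it against a list of CIDR prefixes. The following is an added example of that check, written for this page; it is not MailWasher Pro's filter engine nor the author's published filter set. It uses only the two prefixes quoted in the paragraph above, normalizes the abbreviated "200.63.40/21" to four octets before parsing, and runs against constructed sample headers (the host names, dates and addresses in them are placeholders, not real mail). It reads only the topmost Received: header, because that one is written by your own server; every Received: line below it was supplied by the sender and can say anything.

```python
import ipaddress
import re

# Blocked prefixes exactly as the post quotes them. "200.63.40/21" is an
# abbreviated prefix, so normalize_cidr() pads it to "200.63.40.0/21".
BLOCKED_PREFIXES = ["200.63.40/21", "218.60.0.0/15"]


def normalize_cidr(text):
    """Turn a possibly abbreviated dotted prefix into an ip_network."""
    addr, _, plen = text.partition("/")
    octets = addr.split(".")
    while len(octets) < 4:
        octets.append("0")
    return ipaddress.ip_network(f"{'.'.join(octets)}/{plen}", strict=False)


BLOCKED_NETWORKS = [normalize_cidr(p) for p in BLOCKED_PREFIXES]

# Bracketed IPv4 literal as MTAs write it: "from host (name [1.2.3.4])".
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(headers):
    """Return the IPv4 address from the topmost Received: header, or None.

    Only the first Received: line is consulted: it is the one our own server
    stamped, so it records the host that actually connected to us. Lower
    Received: lines arrive inside the message and can be forged.
    """
    for line in headers.splitlines():
        if line.lower().startswith("received:"):
            m = RECEIVED_IP.search(line)
            return ipaddress.ip_address(m.group(1)) if m else None
    return None


def blocked_network_for(ip):
    """Return the blocked prefix containing ip (string or address), else None."""
    ip = ipaddress.ip_address(ip)
    for net in BLOCKED_NETWORKS:
        if ip in net:
            return str(net)
    return None


def classify(headers):
    """Classify a raw header block: 'blocked:<prefix>', 'allowed' or 'no-ip'."""
    ip = connecting_ip(headers)
    if ip is None:
        return "no-ip"
    net = blocked_network_for(ip)
    return f"blocked:{net}" if net else "allowed"


# Constructed sample headers (placeholders, not captured mail). The first
# delivers from inside the 218.60.0.0/15 block; the second from outside both.
SPAM_HEADERS = (
    "Received: from mail.sender.invalid (unknown [218.61.12.34])\n"
    "    by mx.example.invalid with SMTP; Mon, 13 Oct 2008 10:00:00 -0400\n"
    "Received: from [10.0.0.5] by mail.sender.invalid; Mon, 13 Oct 2008 09:59:00 -0400\n"
    "From: shop@pharmacy.invalid\n"
    "Subject: placeholder subject\n"
)
HAM_HEADERS = (
    "Received: from mail.friend.invalid (mail.friend.invalid [192.0.2.10])\n"
    "    by mx.example.invalid with ESMTP; Mon, 13 Oct 2008 11:00:00 -0400\n"
    "From: friend@friend.invalid\n"
    "Subject: lunch?\n"
)

if __name__ == "__main__":
    for name, hdrs in (("spam sample", SPAM_HEADERS), ("ham sample", HAM_HEADERS)):
        print(f"{name}: {classify(hdrs)}")
```

Extending the list is a matter of adding prefixes to BLOCKED_PREFIXES; the check is deliberately limited to the topmost Received: header and to prefixes you trust, since a netblock rule is a blunt instrument and a misplaced prefix silently drops legitimate mail.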

MailWasher Pro spam category breakdown for October 13 - 19, 2008. Spam amounted to 61% of my incoming email this week.

Viagra spam: 31.41%
Loans/Bankruptcy/Refinance/Insurance Scams: 15.88%
Blacklisted Domains/Senders: (by pattern matching wildcard rules) 15.88%
Other filters: (See my MWP Filters page) 9.39%
Known Spam Domains: (mostly pharmaceutical spam) 6.86%
Male enhancement spam (subject or body): 4.33%
Fake "Canadian Pharmacy" spam (Viagra, Cialis, etc): 3.61%
Casino Spam: 3.25%
Misc. Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals): 2.17%
Known Spam Subjects (by my filters): 1.81%
Pirated Software: 1.81%
Digits or Consonants forged sender: 1.81%
DNS Blacklists: 1.81%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).


October 12, 2008

My Spam analysis for Oct 6 - 12, 2008

If you are reading this you have a computer. If you have a computer you also probably have at least one email address. Unless you live on another planet, or your email provider only allows whitelisted email through, you, like me, get a lot of junk mail, a.k.a. "spam" messages. While spam is an annoyance to most people, it is combat for me. I publish custom spam filters to block spam email for people who use the MailWasher Pro anti-spam email client.

This is the latest entry in a weekly series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

MailWasher Pro is a spam screening POP3 email program that goes between your email servers and your desktop email client (application). With this program you can actually read all of your incoming email in plain text, and click on links, if you are so inclined. MailWasher Pro uses a variety of techniques to recognize and designate what is and isn't spam, including a learning filter and user created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by categories. Each program and user-created filter has a name and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics, with its percentage shown next to it. The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category called "Other Filters." Since I have a lot of custom filters and spam types do vary every week, the Other Filters category is always quite large, percentage-wise.

When it comes to major spam runs, sent entirely through zombie computers which are unwittingly members of Botnets, certain types of spam rise to the top of the threat list, every week or two. The most common type of spam this week (again) is pharmaceuticals, including male enhancement pills, Viagra, Cialis and other sex-oriented drugs. At this time almost all spam email for any kind of pharmaceuticals is pointing to the fake "Canadian Pharmacy" website, hosted unknowingly on hijacked (Botnetted) personal computers, or on bulletproof Chinese hosting servers owned by criminals in Russia. The male enhancement spams are mostly leading to Botnetted computers hosting a web page touting VPXL, or other herbal enlargement formulas, all of which are scams.

For those who don't know, "Canadian Pharmacy" is a fake pharmacy, with fake accreditation banners, that is either hosted on compromised home or office computers (in Bot-nets), or on "bullet-proof" web hosting servers in Panama (200.63.40/21), China (CNCGROUP - 218.60.0.0/15), Korea, Vietnam, Romania, Russia, or The Ukraine. The Canadian Pharmacy spam gang sells counterfeit drugs that could harm or even kill you, but certainly won't help you in the manner advertised. This fake pharmacy is used by cyber criminals to raise money for themselves and to fund illegal activities that they engage in. Once they get your credit or debit card number they may max out your spending limit, or empty out your bank account, or sell your credit card details to other criminals. Please do not be deceived into thinking that these are legitimate online pharmacies. Despite any banners, labels, or claims to the contrary, they are NOT approved to sell their (counterfeit) pills in most countries outside of China. Don't become a victim of the fake Canadian Pharmacy scam.

MailWasher Pro spam category breakdown for Sept 29 - October 5, 2008. Spam amounted to 54% of my incoming email this week.

Fake "Canadian Pharmacy" spam (Viagra, Cialis, etc): 6.82%
Misc. Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals): 23.11%
Known Spam (From: or Body): 14.39%
Other filters: (See my MWP Filters page) 12.50%
Male enhancement spam (subject or body): 10.61%
Known Spam Subjects (by my filters): 7.58%
Counterfeit Watches: 7.58%
Known Spam Domains: (mostly pharmaceutical spam) 4.55%
Loans/Bankruptcy/Refinance/Insurance Scams: 4.17%
Pirated Software: 2.65%
Blacklisted Domains/Senders: (by pattern matching wildcard rules) 1.89%
Blocked Countries, RIPE, LACNIC, APNIC: 1.89%
DNS Blacklists: 1.14%
Bayesian learning filter: 1.14%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).


October 9, 2008

A fox catches a goose in a sculpture, like spammers try to catch you

I got the idea for this article while reading through various recent Craigslist items listed for sale in my city, Flint, Michigan. The listing that got my attention is: W. H. Turner Bronze "Fox and Goose" Sculpture, which was listed on October 8, 2008. According to the description of this item, it is a numbered bronze sculpture of "a fox diving after a fleeing goose and catching it by its tail feathers," and would be of interest to collectors of such things.

So, what has a bronze sculpture got in common with scammers and spammers? Plenty! Like a hungry sly fox, scammers and spammers craft their ploys to enable them to sneak up on their intended victims, striking when the victim is in a vulnerable position. Much of the spam and scams that I catch in my spam traps is crafted to catch people off-guard by playing on their inadequacies or curiosity. The subjects and body text are designed to fool gullible recipients into thinking that the links in those spam email messages can bring them something they are lacking, or to show them a video that is titillating, or sensational in content.

This is sucker bait. All of these things being advertised via spam emails (I call them Spamvertised) are scams and are meant to either steal your money or credit, or sell you counterfeit drugs, shoes, or watches, or to trick you into installing a Trojan Horse application onto your computer. Think of the web surfing general public as being akin to free-spirited geese, searching the World Wide Waters for knowledge and goodies, and criminal spammers as foxes - looking to turn them into prey.

So, the next time you get a spam email offering you incredible discounts on Viagra, Cialis, herbals, male enhancement products, or unsecured loans, or cheap "Bling" from counterfeit goods, or sensational videos of phony news or imaginary events involving actors or recording artists, or alarming messages supposedly coming from a financial institution you may deal with, think twice or three times before you click on the links in those messages. The criminal minds behind these spam blasts are like foxes. They are sneaky and use stealth to trap their intended victims. They do not come in peace. They want to steal from you. If you are tricked into purchasing something spamvertised, chances are very high that your credit or debit card information is in the hands of criminals. They may use it themselves, and/or sell it to the highest bidder, on special chat forums frequented by members of the spam underground. Buy from a spammer and your "goose" is going to be cooked. The fox has your account by the tail, like the fox in the sculpture gets the goose.

My own solution - and suggestion for you - is to use MailWasher Pro to filter out spam email before you download it to your email client. The program is very effective at recognizing spam, using a built-in learning filter, consulting online databases of known spam senders and domains, and custom written spam filter rules, many of which I write and publish.


October 5, 2008

Add PanamaServer.com to your .htaccess or iptables blocklists

For the past several weeks I have seen a huge increase in the volume of spam email promoting the fake Canadian Pharmacy. I write about it in my weekly reports about the classifications of spam, according to the anti-spam program MailWasher Pro and my custom MailWasher spam filters.

Whenever a spam email makes it through my automatic deletion spam filters I analyze its contents and add the appropriate words or regular expressions to existing filter rules, or create new ones. Since most spam messages contain links to the spamvertised websites I will perform a stealth investigation of the website in the spam links. So far, all of the links in a recent spate of fake Fox News spam email lead to the fake Canadian Pharmacy. There is also a huge amount of spam that begins with the words Canadian Pharmacy.

Each day, or multiple times per day, the links point to a different website where the spamvertised pharmacy resides. So, I look up the domains every now and then, using commercial Whois tools. Sometimes the fake pharmacy is located on a zombie computer in a Botnet. These are easy to spot because the header of the website reveals that it is running on the Nginx web server. Nginx is a tiny http server, made in Russia, and a favorite tool for use by Russian criminals to install on zombie machines under their control. But, not all Whois reports lead to zombies.

A large number of Whois IP traces in Canadian Pharmacy and Male Enhancement scams now lead to websites hosted on PanamaServer.com. This server farm is a new favorite place for spamvertised websites, phishing websites, malware hosting and other dodgy goings on. Normally, one would not even know about the existence of PanamaServer unless they rented space on them to do business, or did Whois lookups of spam domains. But all that changed today for me, in another way.

I read my raw access logs every day, looking for sources of abuse, or referring domains, or other matters of interest to a Webmaster. Today's log revealed a long list of hits from somebody trying to harvest my entire website and trying to post spam comments via my contact form (failed due to my security implementation). All of these hits came from one IP address: 200.63.42.91, which the Whois reports as belonging to PanamaServer.com. The IP range (CIDR) assigned to this company is 200.63.40.0/22, ranging from 200.63.40.0 to 200.63.43.255. I have added that CIDR to my published Exploited Servers Blocklists, in .htaccess form and in iptables form. If you have an Apache based website you can block this domain and all spammers and scammers operating through websites hosted there. Just add 200.63.40.0/22 to your deny from list in .htaccess, or to the iptables list. Or, just download my Exploited Servers blocklist in the format you can use and install the entire blocklist. You will be protected against a huge number of exploited servers.

In case you don't know which list applies to your server, here's how to decide. If you are the administrator of the server and have root access to the Linux operating system, go with the iptables blocklist. If you are a customer on a shared hosting server, you must use the .htaccess blocklist. Full instructions for use are included on each blocklist.
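The log review and blocklist step described above, as an added example that is not the blog's published blocklist or any Firetrust code: it counts hits per client address in Apache combined-format log lines, checks whether an abusive address falls inside a blocklist CIDR, and emits the same network in the two forms the post names (a `Deny from` block for shared-hosting .htaccess, an iptables rule for root access). The log lines are constructed; 200.63.42.91 and 200.63.40.0/22 are the values quoted in the post, and the hit threshold is an assumption.

```python
"""Added example: find high-volume log sources and emit .htaccess / iptables
block rules for the covering CIDR. Not the blog's own blocklist code."""
import ipaddress
import re
from collections import Counter

# Apache "combined" log format: the client address is the first field.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3})')

# Constructed sample log: one address hammering the site (including a
# rejected POST to the contact form) plus two ordinary visitors.
SAMPLE_LOG = """\
200.63.42.91 - - [05/Oct/2008:10:14:01 -0400] "GET /index.html HTTP/1.1" 200 5120
200.63.42.91 - - [05/Oct/2008:10:14:02 -0400] "GET /blog/ HTTP/1.1" 200 8192
200.63.42.91 - - [05/Oct/2008:10:14:02 -0400] "POST /contact.php HTTP/1.1" 403 512
200.63.42.91 - - [05/Oct/2008:10:14:03 -0400] "GET /filters.html HTTP/1.1" 200 4096
192.0.2.10 - - [05/Oct/2008:10:15:44 -0400] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [05/Oct/2008:10:16:09 -0400] "GET /blog/ HTTP/1.1" 200 8192
"""


def hits_per_ip(log_text: str) -> Counter:
    """Count requests per client address; lines that do not parse are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def abusive_sources(log_text: str, threshold: int) -> list:
    """Addresses with at least `threshold` hits, most active first.
    The threshold is an assumption; tune it to your own traffic."""
    return [ip for ip, n in hits_per_ip(log_text).most_common() if n >= threshold]


def covering_network(ip: str, blocklist) -> str:
    """Return the first blocklist CIDR that contains `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    for cidr in blocklist:
        if addr in ipaddress.ip_network(cidr):
            return cidr
    return None


def htaccess_rules(cidrs) -> list:
    """Apache 2.2 mod_authz_host form for a shared-hosting .htaccess file."""
    return ["Order Allow,Deny"] + ["Deny from " + c for c in cidrs] + ["Allow from all"]


def iptables_rules(cidrs) -> list:
    """Drop inbound packets from each network; needs root on the server."""
    return ["iptables -A INPUT -s %s -j DROP" % c for c in cidrs]


if __name__ == "__main__":
    blocklist = ["200.63.40.0/22"]  # PanamaServer.com range named in the post
    for ip in abusive_sources(SAMPLE_LOG, threshold=3):
        print(ip, "->", covering_network(ip, blocklist) or "not in blocklist")
    print("\n".join(htaccess_rules(blocklist)))
    print("\n".join(iptables_rules(blocklist)))
```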

I also maintain other country wide blocklists, in both .htaccess and iptables form. The landing pages for these blocklists are found at htaccess-blocklists.html and at iptables-blocklists.html.


My Spam analysis for Sept 29 - Oct 5, 2008

If you are reading this you have a computer. If you have a computer you also probably have at least one email address. Unless you live on another planet, or your email provider only allows whitelisted email through, you, like me, get a lot of junk mail, a.k.a. "spam" messages. While spam is an annoyance to most people, it is combat for me. I publish custom spam filters to block spam email for people who use the MailWasher Pro anti-spam email client.

This is the latest entry in a weekly series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

MailWasher Pro is a spam screening POP3 email program that goes between your email servers and your desktop email client (application). With this program you can actually read all of your incoming email in plain text, and click on links, if you are so inclined. MailWasher Pro uses a variety of techniques to recognize and designate what is and isn't spam, including a learning filter and user created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by categories. Each program and user-created filter has a name and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics, with its percentage shown next to it. The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category called "Other Filters." Since I have a lot of custom filters and spam types do vary every week, the Other Filters category is always quite large, percentage-wise.

When it comes to major spam runs, sent entirely through zombie computers which are unwittingly members of Botnets, certain types of spam rise to the top of the threat list, every week or two. The most common type of spam this week (again) is pharmaceuticals, including male enhancement pills, Viagra, Cialis and other sex oriented drugs. The most common spam subject and message body text included or started with the words "Canadian Pharmacy" along with fake Fox News Newsletters, with all of the links going to a fake Canadian Pharmacy website, hosted unknowingly on hijacked (Botnetted) personal computers.

For those who don't know, "Canadian Pharmacy" is a fake pharmacy, with fake accreditation banners, that is either hosted on compromised home or office computers (in Bot-nets), or on "bullet-proof" web hosting servers in Panama, China, Korea, Vietnam, Romania, Russia, or The Ukraine. The Canadian Pharmacy spam gang sells counterfeit drugs that could harm or even kill you, but certainly won't help you in the manner advertised. This fake pharmacy is used by cyber criminals to raise money for themselves and to fund illegal activities that they engage in. Once they get your credit or debit card number they may max out your spending limit, or empty out your bank account, or sell your credit card details to other criminals. Please do not be deceived into thinking that these are legitimate online pharmacies. Despite any banners, labels, or claims to the contrary, they are NOT approved to sell their (counterfeit) pills in most countries outside of China. Don't become a victim of the fake Canadian Pharmacy scam.

MailWasher Pro spam category breakdown for Sept 29 - October 5, 2008. Spam amounted to 53% of my incoming email this week.
Fake "Canadian Pharmacy" spam (Viagra, Cialis, etc): 27.20%
Other filters: (See my MWP Filters page) 15.90%
Known Spam Domains: (mostly pharmaceutical spam) 15.90%
Male enhancement spam (subject or body): 12.55%
Known Spam Subjects (by my filters): 6.28%
Loans/Bankruptcy/Refinance/Insurance Scams: 5.86%
Blacklisted Domains/Senders: (by pattern matching wildcard rules) 4.60%
Other Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals): 3.77%
Blocked Countries: 2.93%
Pirated Software: 2.93%
Video Exploit links to Trojan download: 1.67%
DNS Blacklists: 0.42%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).


October 4, 2008

New forum for my MailWasher Pro Custom Spam Filters

As many of you know, I write and publish custom spam filters for the anti-spam program named MailWasher Pro. In addition to publishing my custom MailWasher Pro filters on my own website, I have a thread about them on the new Firetrust MailWasher Forum. The title and location is: Wizcrafts Custom MailWasher Pro Filters discussed here.

For the curious who are not yet using MailWasher Pro, you can read about it on my MailWasher Pro web page. There are links there to try it or buy it. There is a one time fee of $39.95 US to license the program and all updates to the program itself are then free for life. It does have an included reporting service called FirstAlert! that is subscription based, but is purely optional. All new purchasers get the first year of FirstAlert! for free.

The spam filters used by MailWasher Pro (MWP) are in plain text and are stored in a file named: filters.txt. That file, along with the blacklist (and friends list), the bayesian learning filter database and other personalized files are stored separately from the program itself, inside your user profile, under Application Data, or AppData for Vista users. That location depends on which version of Windows you are using. If you don't already know the location of your application data, open the Run box by pressing the "Windows" key + R together and when the Run box opens, type in %AppData% and press Enter. If you are notified that the contents are hidden, click on the link to Show these files, and/or modify your Folder View options to Display hidden files and folders and to not hide known file type extensions.

Once you open your personal identity's Application Data (or AppData) directory, look for the MailWasherPro subdirectory. Your own filters.txt and blacklist.txt files, spamlog.txt and the learning filter database are all inside that location. To edit filters.txt, or to use my custom downloadable filters you must first close MailWasher Pro, or your changes will be overwritten.

Some things to keep in mind when editing filters.txt are as follows:


  • Every rule starts with either [enabled] or [disabled].

  • Every rule starts on a new line and occupies one long line of code.

  • You must not have any blank spaces after the end of any rule.

  • There must not be any blank lines between rules.

  • MWP will add a single line feed to the last rule if none is present in your custom filters.

  • Comments are preceded by double forward slashes: // and will be overwritten with the default comments after the program opens and closes.

  • Pay careful attention to double quotes (") in your rules. A misplaced quote will cause that rule to be deleted when the program opens! If there are spaces between words or regular expressions, you must enclose that segment inside double quotes. If there are double quotes in the rule you must add another double quote to each one, thus "escaping" them.

  • If in doubt you should use the custom filter wizard to add data to fields and select your desired actions. The wizard will add the necessary quotes for you and the correct terminology for matching conditions. You can then open your filters.txt and see how the rule looks in the list.
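
A small lint pass for a hand-edited filters.txt, as an added example that is not Firetrust's code: it checks only the constraints listed above (the [enabled]/[disabled] prefix, no trailing whitespace, no blank lines, quotes balanced with "" as the escape) and warns about // comments, which MWP rewrites. The rule bodies in the constructed samples are placeholders, since the full rule syntax is not covered here; run it on your real file before opening MailWasher Pro.

```python
"""Added example: lint a MailWasher Pro filters.txt against the hand-editing
rules given above. Not Firetrust's code; sample rule bodies are constructed."""
import re

RULE_START = re.compile(r'^\[(enabled|disabled)\]')

# Constructed samples. The text after the [enabled]/[disabled] tag is a
# placeholder for a real rule body (ASSUMPTION: syntax not covered here).
GOOD = '[enabled] "Canadian Pharmacy" "fake ""Fox News"" newsletter"\n'
BAD = (
    '[enabled] "Canadian Pharmacy" \n'      # line 1: trailing space
    '\n'                                    # line 2: blank line between rules
    'Subject "CanadianRX"\n'                # line 3: missing [enabled]/[disabled]
    '[disabled] "Fox News" newsletter"\n'   # line 4: stray double quote
)


def quotes_balanced(rule: str) -> bool:
    """A literal quote inside a quoted segment is written doubled ("").
    Drop every doubled pair; the remaining quotes are segment delimiters
    and must pair up, i.e. there must be an even number of them."""
    remaining = rule.replace('""', '')
    return remaining.count('"') % 2 == 0


def lint_filters(text: str) -> list:
    """Return (line_number, message) tuples, one per violation found.
    splitlines() drops the single trailing line feed MWP adds itself, so a
    normally terminated file produces no spurious blank-line report."""
    problems = []
    for n, line in enumerate(text.splitlines(), start=1):
        if line == '':
            problems.append((n, 'blank line between rules'))
            continue
        if line.startswith('//'):
            problems.append((n, 'comment will be overwritten by MWP'))
            continue
        if not RULE_START.match(line):
            problems.append((n, 'rule must start with [enabled] or [disabled]'))
        if line != line.rstrip():
            problems.append((n, 'trailing whitespace after end of rule'))
        if not quotes_balanced(line):
            problems.append((n, 'unbalanced double quotes; rule would be deleted on load'))
    return problems


if __name__ == "__main__":
    for label, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(label)
        for line_no, msg in lint_filters(sample):
            print("  line %d: %s" % (line_no, msg))
```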


My latest additions to the custom filters and sample filters are in my Custom MailWasher Pro filters. If you are thinking about purchasing MailWasher Pro, I would appreciate it if you do so through my MailWasher Pro affiliate link. Thank you!


September 28, 2008

My Spam analysis for Sept 22 - 28, 2008

If you are reading this you have a computer. If you have a computer you also probably have at least one email address. Unless you live on another planet, or your email provider only allows whitelisted email through, you, like me, get a lot of junk mail, a.k.a. "spam" messages. While spam is an annoyance to most people, it is combat for me. I publish custom spam filters to block spam email for people who use the MailWasher Pro anti-spam email client.

This is the latest entry in a weekly series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

MailWasher Pro is a spam screening POP3 email program that goes between your email servers and your desktop email client (application). With this program you can actually read all of your incoming email in plain text, and click on links, if you are so inclined. MailWasher Pro uses a variety of techniques to recognize and designate what is and isn't spam, including a learning filter and user created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by categories. Each program and user-created filter has a name and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics, with its percentage shown next to it. The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category called "Other Filters." Since I have a lot of custom filters and spam types do vary every week, the Other Filters category is always quite large, percentage-wise.

When it comes to major spam runs, sent entirely through zombie computers which are unwittingly members of Botnets, certain types of spam rise to the top of the threat list, every week or two. The most common type of spam this week (again) is pharmaceuticals, including male enhancement pills, Viagra, Cialis and other sex oriented drugs. The most common spam subject and message body text included or started with the words "Canadian Pharmacy."

For those who don't know, "Canadian Pharmacy" is a fake pharmacy, with fake accreditation banners, that is either hosted on compromised home or office computers (in Bot-nets), or on "bullet-proof" web hosting servers in China, Korea, Vietnam, Romania, Russia, or The Ukraine. The Canadian Pharmacy spam gang sells counterfeit drugs that could harm or even kill you, but certainly won't help you in the manner advertised. This fake pharmacy is used by cyber criminals to raise money for themselves and to fund illegal activities that they engage in. Once they get your credit or debit card number they may max out your spending limit, or empty out your bank account, or sell your credit card details to other criminals.

The runner up subject begins with "from" followed by fake first and last names. The body text often contains "Canadian Pharmacy" or "CanadianRX," or other words alluding to pharmaceuticals, and leads to compromised computers running the Russian Nginx server software, unbeknownst to their owners. Those zombie computers are used to host the fake Canadian Pharmacy website. My spam log also showed a large number of other repetitive pharmaceutical subjects, such as: Doctor Approved and Recommended, Enlarge, Very discreet shipping and billing, and RE: Message (5 to 7 numbers). Please do not be deceived into thinking that these are legitimate online pharmacies. Despite any banners, labels, or claims to the contrary, they are NOT approved to sell their (counterfeit) pills in most countries outside of China. Don't become a victim - delete all spam on sight!

Other categories of spam that rated a sizable percentage included unsecured loans, credit cards, or debt reduction. Common Subject words include "Refinance" or "Loans." These are scams. No legitimate company ever uses spam sent through botnets to advertise its financial services! Never, ever, ever buy anything that is "spamvertised!"

MailWasher Pro spam category breakdown for Sept 22 - 28, 2008. Spam amounted to 53% of my incoming email this week.
Fake "Canadian Pharmacy" spam: 23.97%
Other filters: (See my MWP Filters page) 14.88%
Known Spam Domains: (mostly pharmaceutical spam) 14.46%
Male enhancement spam (subject or body): 13.64%
Known Spam Subjects (by my filters): 9.92%
Other Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals): 6.62%
Loans/Bankruptcy/Refinance/Insurance Scams: 5.79%
"SquirrelMail" Spam: 3.31%
Known Spam (From: or Body): 2.44%
Casino Spam: 2.07%
Blacklisted Domains/Senders: (by pattern matching wildcard rules) 1.24%
DNS Blacklists: 0.83%
Bayesian learning filter: 0.83%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).


September 21, 2008

My Spam analysis for Sept 15 - 21, 2008

If you are reading this you have a computer. If you have a computer you also probably have at least one email address. Unless you live on another planet, or your email provider only allows whitelisted email through, you, like me, get a lot of spam messages. While spam is an annoyance to most people, it is combat for me. I publish custom filters to block spam email for people who use the MailWasher Pro anti-spam email client.

This is the latest entry in a weekly series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

MailWasher Pro is a spam screening POP3 email program that goes between your email servers and your desktop email client (application). With this program you can actually read all of your incoming email in plain text, and click on links, if you are so inclined. MailWasher Pro uses a variety of techniques to recognize and designate what is and isn't spam, including a learning filter and user created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by categories. Each program and user-created filter has a name and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics, with its percentage shown next to it. The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category called "Other Filters." Since I have a lot of custom filters and spam types do vary every week, the Other Filters category is always quite large, percentage-wise.

When it comes to major spam runs, sent entirely through zombie computers which are unwittingly members of Botnets, certain types of spam rise to the top of the threat list, every week or two. The most common type of spam this week (again) is pharmaceuticals, including male enhancement pills, Viagra, Cialis and other sex oriented drugs. The most common spam subject included or started with the words "Canadian Pharmacy."

For those who don't know, "Canadian Pharmacy" is a fake pharmacy, with fake accreditation banners, that is either hosted on compromised home or office computers (in Bot-nets), or on "bullet-proof" web hosting servers in China, Korea, Vietnam, Romania, Russia, or The Ukraine. The Canadian Pharmacy spam gang sells counterfeit drugs that could harm or even kill you, but certainly won't help you in the manner advertised. This fake pharmacy is used by cyber criminals to raise money for themselves and to fund illegal activities that they engage in.

The runner up subject begins with "from" followed by fake first and last names. The body text often contains "Canadian Pharmacy" or "CanadianRX," or other words alluding to pharmaceuticals, and leads to compromised computers running the Russian Nginx server software, unbeknownst to their owners. Those zombie computers are used to host the fake Canadian Pharmacy website.

Other categories of spam that rated a sizable percentage included unsecured loans, credit cards, or debt reduction. Common Subject words include "Refinance" or "Loans." These are scams. No legitimate company ever uses spam sent through botnets to advertise its financial services! Never, ever, ever buy anything that is "spamvertised!"

MailWasher Pro spam category breakdown for Sept 15 - 21, 2008. Spam amounted to 56% of my incoming email this week.
Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals): 22.93%
Loans/Bankruptcy/Refinance/Insurance Scams: 19.55%
Other filters: (See my MWP Filters page) 17.29%
Male enhancement spam (subject or body): 12.79%
Known Spam Subjects (by my filters): 11.65%
Digits or Consonants forged sender: 5.64%
"Thunderbird" Mailer Spam: 2.63%
Pirated Software: 2.63%
Known Spam (From: or Body): 2.63%
Blacklisted Domains/Senders: (by pattern matching wildcard rules) 2.26%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).


September 14, 2008

My Spam analysis for Sept 8 - 14, 2008

If you are reading this you have a computer. If you have a computer you also probably have at least one email address. Unless you live on another planet, or your email provider only allows whitelisted email through, you, like me, get a lot of spam messages. While spam is an annoyance to most people, it is combat for me. I publish custom filters to block spam email for people who use the MailWasher Pro anti-spam email client.

This is the latest entry in a weekly series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

MailWasher Pro is a spam screening POP3 email program that goes between your email servers and your desktop email client (application). With this program you can actually read all of your incoming email in plain text, and click on links, if you are so inclined. MailWasher Pro uses a variety of techniques to recognize and designate what is and isn't spam, including a learning filter and user created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by categories. Each program and user-created filter has a name and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics, with its percentage shown next to it. The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category called "Other Filters." Since I have a lot of custom filters and spam types do vary every week, the Other Filters category is always quite large, percentage-wise.

When it comes to major spam runs, sent entirely through zombie computers which are unwittingly members of Botnets, certain types of spam rise to the top of the threat list, every week or two. The most common type of spam this week (again) is pharmaceuticals, including male enhancement pills, Viagra, Cialis and other sex oriented drugs. The most common spam subject included or started with the words "Canadian Pharmacy."

For those who don't know, "Canadian Pharmacy" is a fake pharmacy, with fake accreditation banners, that is either hosted on compromised home or office computers (in Bot-nets), or on "bullet-proof" web hosting servers in China, Korea, Vietnam, Romania, Russia, or The Ukraine. The Canadian Pharmacy spam gang sells counterfeit drugs that could harm or even kill you, but certainly won't help you in the manner advertised. This fake pharmacy is used by cyber criminals to raise money for themselves and to fund illegal activities that they engage in.

The runner up subject begins with "from" followed by fake first and last names. The body text also contains "Canadian Pharmacy," or other words alluding to pharmaceuticals, and leads to compromised computers running the Russian Nginx server software, unbeknownst to their owners. Those zombie computers are used to host the fake Canadian Pharmacy website.

Other categories of spam that rated a sizable percentage included unsecured loans, credit cards, or debt reduction. These are scams. No legitimate company ever uses spam sent through botnets to advertise its financial services! Never, ever, ever buy anything that is "spamvertised!" Replica watches also kept showing up in measurable spam numbers this week. All of the spam and scams were either automatically deleted by my custom MailWasher Pro spam filters, or, if they made it through, were reported to SpamCop, of which I am a reporting member, and manually deleted. I never have and never will buy anything that is Spamvertised!

MailWasher Pro spam category breakdown for Sept 8 - 14, 2008. Spam amounted to 53% of my incoming email this week.
Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals): 27.13%
Male enhancement spam (subject or body): 23.29%
Other filters: (See my MWP Filters page) 17.63%
Known Spam Subjects (by my filters): 9.83%
Digits or Consonants forged sender: 8.14%
Loans/Bankruptcy/Insurance Scams: 6.78%
Blacklisted Domains/Senders: (by pattern matching wildcard rules) 3.39%
"Thunderbird" Mailer Spam: 3.05%
DNS Blacklists: 0.34%
Bayesian learning filter: 0.42%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).


September 7, 2008

My Spam analysis for Sept 1 - 7, 2008

This is the latest entry in a series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

MailWasher Pro is a spam screening program that goes between your email servers and your desktop email client (application). It uses a variety of techniques to recognize what is and isn't spam, including a learning filter and user created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by categories. Each program and user-created filter has a name and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics, with its percentage shown next to it. The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category called "Other Filters." Since I have a lot of custom filters and spam types do vary every week, the Other Filters category is always quite large, percentage-wise.

When it comes to major spam runs, sent entirely through zombie computers which are unwittingly members of Botnets, certain types of spam rise to the top of the threat list, every week or two. The most common type of spam this week (again) is male enhancement products, Viagra, Cialis and other drugs. The most common spam subject was "Solution for your sexual problems," or something including the words "Canadian Pharmacy."

For those who don't know, "Canadian Pharmacy" is a fake pharmacy, with fake accreditation banners, that is either hosted on compromised home or office computers (in Bot-nets), or on "bullet-proof" web hosting servers in China, Korea, Vietnam, Romania, Russia, or The Ukraine. The Canadian Pharmacy spam gang sells counterfeit drugs that could harm or even kill you, but certainly won't help you in the manner advertised.

The runner up again is spam for unsecured loans, credit cards, or debt reduction. These are scams. No legitimate company ever uses spam sent through botnets to advertise its financial services! Never, ever, ever buy anything that is "spamvertised!" Exploit video links and replica watches also kept showing up in measurable spam numbers this week. All of the spam and scams were either automatically deleted by my custom MailWasher Pro spam filters, or, if they made it through, were reported to SpamCop, of which I am a reporting member, and manually deleted. I never have and never will buy anything that is Spamvertised!

MailWasher Pro spam category breakdown for Sept 1 - 7, 2008. Spam amounted to 56% of my incoming email this week.
Male enhancement spam (subject or body): 35.59%
Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals): 22.88%
Other filters: (See my MWP Filters page) 14.00%
Loans/Bankruptcy/Insurance Scams: 13.14%
Video Exploit links to Trojan download: 6.35%
Known Spam Subjects: 1.69%
Counterfeit Watches: 2.54%
Blacklisted Domains/Senders: (by pattern matching wildcard rules) 2.54%
DNS Blacklists: 0.85%
Bayesian learning filter: 0.42%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).

August 31, 2008

My Spam analysis for Aug 25 - 31, 2008

This is the latest entry in a series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

MailWasher Pro is a spam screening program that goes between your email servers and your desktop email client (application). It uses a variety of techniques to recognize what is and isn't spam, including a learning filter and user-created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by categories. Each program and user-created filter has a name and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics, with its percentage shown next to it. The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category called "Other Filters." Since I have a lot of custom filters and spam types do vary every week, the Other Filters category is always quite large, percentage-wise.

When it comes to major spam runs, sent entirely through zombie computers which are unwittingly members of Botnets, certain types of spam rise to the top of the threat list, every week or two. The most common type of spam this week is male enhancement products and drugs. The most common spam subject was "Solution for your sexual problems."

The runner up was spam for loans or debt reduction. These are mostly scams. No legitimate company ever uses spam sent through botnets to advertise its financial services! Never, ever, ever buy anything that is "spamvertised!"

MailWasher Pro spam category breakdown for August 25 - 31, 2008. Spam amounted to 53% of incoming email this week.
Male enhancement spam (subject or body): 35.29%
Other filters: (See my MWP Filters page) 18.63%
Loans/Bankruptcy/Insurance Scams: 13.24%
Video Exploit links to Trojan download: 8.33%
Known Spam Subjects: 4.90%
Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals): 4.42%
Counterfeit Watches: 2.94%
Blacklisted Domains/Senders: (by pattern matching wildcard rules) 2.94%
DNS Blacklists: 2.94%
Digits or Consonants forged sender: 2.45%
"Opera Mail" Spam: 1.96%
X-Mailer: The Bat: 1.96%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).

August 24, 2008

My Spam analysis for Aug 18 - 24, 2008

This is the latest entry in a series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

MailWasher Pro is a spam screening program that goes between your email servers and your desktop email client (application). It uses a variety of techniques to recognize what is and isn't spam, including a learning filter and user-created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by categories. Each program and user-created filter has a name and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics, with its percentage shown next to it. The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category called "Other Filters." Since I have a lot of custom filters and spam types do vary every week, the Other Filters category is always quite large, percentage-wise.

When it comes to major spam runs, sent entirely through zombie computers which are unwittingly members of Botnets, certain types of spam rise to the top of the threat list, every week or two. The most common email threat this week is male enhancement products. Previously, it was Trojan Video exploit links. These messages either have fake news headlines, or use the names of famous actresses in the subject, with ludicrous or nasty claims about their activities. The message body may contain links to read more, view or play a video, or even have a pornographic image of the actress whose name is used in the subject. All either have links to exploit web pages, or to directly download a Trojan file.

If you have clicked on one of these Trojan download links you may have either knowingly, or unknowingly allowed a hostile file to be installed, and are probably in need of the services of an up-to-date anti-spyware program to disinfect your PC. I recommend Spyware Doctor, from PC Tools, because it specializes in spyware detection and removal, and is updated very frequently. As Spyware tools go, Spyware Doctor is one of the top rated in the industry. Symantec also thinks that PC Tools makes great security programs and just bought the company. However, PC Tools will continue to market Spyware Doctor on its own, so you are assured of continuing updates and support.

MailWasher Pro spam category breakdown for August 18 - 24, 2008. Spam amounted to 47% of incoming email this week.
Male enhancement spam (subject or body): 27.62%
Video Exploit links to Trojan download: 20.95%
Other filters: (See my MWP Filters page) 15.69%
Loans/Bankruptcy/Insurance Scams: 14.29%
Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals): 6.68%
Counterfeit Watches: 4.29%
Known Spam Subjects: 3.81%
Blacklisted Domains/Senders: (by pattern matching wildcard rules) 2.86%
Digits or Consonants forged sender: 2.38%
DNS Blacklists: 1.43%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).

August 17, 2008

My Spam analysis for Aug 11 - 17, 2008

This is the latest entry in a series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

MailWasher Pro is a spam screening program that goes between your email servers and your desktop email client (application). It uses a variety of techniques to recognize what is and isn't spam, including a learning filter and user-created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by categories. Each program and user-created filter has a name and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics, with its percentage shown next to it. The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category: "Other."

The most prevalent social engineering email threat continues to be a video exploit link scam that has a subject and sender containing the words "Breaking Alert" or "Breaking News." This threat is sent from a humongous botnet, and has transformed from claiming to be a CNN "My Custom Alert," to an "msnbc.com Breaking News," to the current just "Breaking News." All of these contain lines about fake breaking news stories, and all contain disguised links to a compromised web site hosting a payload named "get_flash(_update).exe" - or a variation thereof. This is not the real Adobe Flash Player, but a fake Video Codec, containing malware that has been identified as being either a "Tibs," "Zlob," or "Storm/Nuwar" Trojan variant. If you are lured to a web page containing such a link (mouse-over links to see their destination in your browser's status bar, on the bottom), and you survive the automatic attempts to exploit browser vulnerabilities, do not click on the download links offered to you! There may be a pop-up message claiming you require a video codec, or ActiveX Object to view a news story, but it is a trick to fool you into self-installing the Trojan.

If you have clicked on one of these Trojan download links and allowed the file to be installed, you are probably in need of the services of an up-to-date anti-spyware program. I recommend Spyware Doctor, from PC Tools, because it specializes in spyware detection and removal, and is updated very frequently. As Spyware tools go, Spyware Doctor is one of the top rated in the industry. It gets the job done where others fail.

MailWasher Pro spam category breakdown for August 11 - 17, 2008. Spam amounted to 47% of incoming email this week.
Video Exploit links to Trojan download: 21.47%
Male enhancement spam (subject or body): 15.95%
Other filters: (See my MWP Filters page) 15.34%
Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals): 14.10%
Loans/Bankruptcy/Insurance Scams: 13.50%
Blacklisted Domains/Senders: (by pattern matching wildcard rules) 6.75%
Known Spam Subjects: 4.91%
Counterfeit Watches: 3.68%
Image Spam: 2.45%
DNS Blacklists: 1.23%
Bayesian learning filter: 0.62%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).


August 10, 2008

My Spam analysis for Aug 4 - 10, 2008

This is the latest entry in a series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

MailWasher Pro is a spam screening program that goes between your email servers and your desktop email client (application). It uses a variety of techniques to recognize what is and isn't spam, including a learning filter and user-created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by categories. Each program and user-created filter has a name and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics, with its percentage shown next to it. The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category: "Other."

The most recent social engineering email threat is a video exploit link spam that has a subject and sender containing the words "CNN Alerts: Custom Alert," which contains a link to a web page hosting a payload named "get_flash(_update).exe" - or a variation thereof. This is serious malware that has been identified as being either a "Tibs," "Zlob," or "Storm/Nuwar" Trojan variant. If you are lured to a web page containing such a link (mouse-over links to see their destination in your browser's status bar, on the bottom), and you survive the automatic attempts to exploit browser vulnerabilities, do not click on the download links offered to you! There may be a pop-up message claiming you require a video codec, or ActiveX Object to view a news story, but it is a trick to fool you into self-installing the Trojan.

MailWasher Pro spam category breakdown for August 4 - 10, 2008. Spam amounted to 45% of incoming email this week.

Loans/Bankruptcy/Insurance Scams: 25.00%
Male enhancement spam (subject or body): 16.41%
Exploit link to Trojan download: 15.63%
Blacklisted Domains/Senders: (by pattern matching wildcard rules) 10.94%
Other filters: (See my MWP Filters page) 9.38%
Known Spam Subjects: 5.47%
Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals): 5.47%
Known Spam Domains: 2.34%
Counterfeit Watches: 2.34%
Casino Spam: 2.34%
Diploma Spam: 2.34%
DNS Blacklists: 2.34%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).

August 5, 2008

My Spam analysis for July 28 - Aug 4, 2008

I'm writing this two days late, due to other commitments over the weekend.

This is the latest entry in a series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

MailWasher Pro is a spam screening program that goes between your email servers and your desktop email client (application). It uses a variety of techniques to recognize what is and isn't spam, including a learning filter and user-created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by categories. Each program and user-created filter has a name and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics, with its percentage shown next to it. The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category: "Other."

For the last couple of weeks most of the spam/scam email I saw or auto-deleted was in the form of ludicrous news headlines in the subject and body and a single link to a website where your computer is bombarded with multiple exploits. Should your computer be too well protected to fall for the automatic exploits, there is one trick left that is netting as many victims as the auto-exploits do. The web page presents you with a fake PornTube or YouTube player containing a notice that you must click to download a missing video codec to play the movie. Of course, the only thing downloaded when one clicks on the image is a copy of a Trojan installer file, and your computer instantly becomes a Zombie member of a Botnet.

The most recent spate of video exploit link spam has a subject and sender containing the words "Daily Top 10" and has multiple stacked lines of "news" links, all leading to a single web page with a payload named "get_flash_update.exe" - or a variation thereof. This is malware that has been identified as being either a "Zlob" or "Storm/Nuwar" Trojan variant. If you are lured to a web page containing such a link (mouse-over links to see their destination in your browser's status bar, on the bottom), and you survive the automatic attempts to exploit browser vulnerabilities, do not click on those executable links!

MailWasher Pro spam category breakdown for July 28 - August 4, 2008 (one extra day). Spam amounted to 42% of incoming email this week.

Other filters: (See my MWP Filters page) 21.33%
Exploit link to Trojan download: 21.33%
Blacklisted Domains/Senders: (by pattern matching wildcard rules) 11.33%
Loans/Bankruptcy/Insurance Scams: 9.33%
Known Spam Subjects: 6.00%
"Opera Mail" Spam: 4.67%
"Apple Mail" Spam: 4.67%
Angelina Jolie Video Exploits: 4.67%
Counterfeit Watches: 4.00%
Male enhancement spam (subject or body): 3.33%
Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals): 3.33%
Digits or Consonants forged sender: 2.67%
DNS Blacklists: 2.67%
Bayesian learning filter: 1.33%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).

July 27, 2008

My Spam analysis for July 21 - 27, 2008

This is the latest entry in a series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

MailWasher Pro is a spam screening program that goes between your email servers and your desktop email client (application). It uses a variety of techniques to recognize what is and isn't spam, including a learning filter and user-created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by categories. Each program and user-created filter has a name and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics, with its percentage shown next to it. The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category: "Other."

For the last couple of weeks much of the spam/scam email I saw or auto-deleted was in the form of ludicrous news headlines in the subject and body and a single link to a website where your computer is bombarded with multiple exploits. Should your computer be too well protected to fall for the automatic exploits, there is one trick left that is netting as many victims as the auto-exploits do. The web page presents you with a fake PornTube or YouTube player containing a notice that you must click to download a missing video codec to play the movie. Of course, the only thing downloaded when one clicks on the image is a copy of a Trojan installer file, and your computer instantly becomes a Zombie member of a Botnet.

MailWasher Pro spam category breakdown for July 21 - 27, 2008. Spam amounted to 45% of incoming email this week.
Other filters: (See my MWP Filters page) 28.88%
Blacklisted Domains/Senders: (by pattern matching wildcard rules) 16.58%
Exploit link to Trojan download: 13.90%
Male enhancement spam (subject or body): 10.16%
Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals): 9.63%
Loans/Bankruptcy/Insurance Scams: 5.88%
Digits or Consonants forged sender: 3.21%
X-Mailer: The Bat: 3.21%
One word spam subjects: 2.67%
HTML Tricks: 2.67%
DNS Blacklists: 2.67%
Bayesian learning filter: 0.54%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).

July 20, 2008

My Spam analysis for July 14 - 20, 2008

This is the latest entry in a series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

MailWasher Pro is a spam screening program that goes between your email servers and your desktop email client (application). It uses a variety of techniques to recognize what is and isn't spam, including a learning filter and user-created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by categories. Each program and user-created filter has a name and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics, with its percentage shown next to it. The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category: "Other."

I want to mention that the largest type of spam/scam I saw this week is from the Storm Botnet, in the form of ludicrous news headlines in the subject and body and a single link to a website where your computer is bombarded with multiple exploits. Should your computer be too well protected to fall for the automatic exploits, there is one trick left that is netting as many victims as the auto-exploits do. The web page presents you with a fake PornTube or YouTube player containing a notice that you must click to download a missing video codec to play the movie. Of course, the only thing downloaded when one clicks on the image is a copy of the Storm Trojan installer file, and your computer instantly becomes a Zombie member of the Storm Botnet.

MailWasher Pro spam category breakdown for July 14 - 20, 2008. Spam amounted to 44% of incoming email this week.
Other filters: (See my MWP Filters page) 22.35%
Male enhancement spam (subject and body): 12.29%
Blacklisted Domains/Senders: 11.17%
"Opera Mail" Spam from Russia (Storm Trojan): 10.06%
"Apple Mail" Spam (Storm Trojan): 8.38%
Exploit link to Trojan download: 8.38%
Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals): 8.38%
Digits or Consonants forged sender: 6.70%
Loans/Bankruptcy/Insurance Scams: 6.15%
DNS Blacklists: 3.91%
Blocked Countries: 2.23%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).

July 14, 2008

Beware of spammed emails with phony news subjects

Note: Updated on July 20, 2008, with new information

There is a surge going on right now in the amount of spammed email messages being blasted out by Botnets, with ludicrous news headlines in the Subjects. The subjects try to tempt you to read the message, then click on the enclosed link to read the details about the subject, or some other alleged news story. The headlines are sucker bait, with a nasty payload at the other end of the links contained in the message bodies.

Different from any news flashes to which you may actually subscribe, these arrived unsolicited in your inbox, from unknown, forged sender names and addresses and from domains you have no relationship with. Many are sent using forged .de (German) domains in the From address, in addition to .it, .ru and others.

If you hold your mouse pointer over the links in these messages you will see a lot of domain extensions for various countries around the World. Some I have seen just today include .de, .it, .fr and .ru. The domain name is followed by a forward slash (/) and a file name. The initial spam run file name was "main.html" (e.g. example.com/main.html). Other Trojan link file names have already appeared, such as "start.html" and "news.html." If you were to go to those domains in the links, using "wannabrowser," with "follow redirects" unchecked, you would see that many of the first responding domains are hosted on hacked Microsoft IIS servers. They all contain meta redirect tags that forward normal browsers to another domain, usually a zombie PC in the Storm Botnet, or a web site hosted in China or Russia. Once you arrive there your browser gets assaulted by numerous hostile JavaScript codes and iframe exploits. Should all those fail to automatically exploit your computer, they supply self-infection links!

And what method do they employ to get you to click on these links to infect your own computer? The bait is a fake, look-alike "Porntube" video player that requires a special video "codec" to play the free sample movie. They even provide fake reviews under the fake player placeholder, from make-believe happy viewers before you! These guys are professionals and very good at the Con Game they are playing.

The payload file name may vary, but so far I have seen "video.exe," "watch.exe" and "view.exe" as the name of the payload file it delivers. That file is actually the "Storm Trojan" and it is infecting unprotected computers, or gullible computer owners, all around the World.
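The indicators described in this post and in the weekly analyses above (subjects built around "Breaking News," "CNN Alerts: Custom Alert" or "Daily Top 10"; first-hop lure pages named main.html, start.html or news.html; payload names such as get_flash_update.exe, video.exe, watch.exe and view.exe; forged .de/.it/.ru/.fr sender domains) can be turned into a small scoring filter. The following is an added example written for this page, not the author's MailWasher Pro filter set and not MailWasher's own filter syntax: it parses a raw message with Python's standard email module and reports a good/flag/delete verdict, which is the same flag-or-delete decision the MailWasher filters make. The sample messages, the weights, and the rule that a suspect sender TLD only counts when some other indicator has already fired are all my own constructions.

```python
"""Score a raw email against the 'fake news headline' botnet spam indicators
described on this page. Added example, not MailWasher Pro filter syntax."""
import re
from email import message_from_string
from email.message import Message

# Subject lures named in the posts: Breaking News/Alert, CNN custom alert, Daily Top 10.
NEWS_SUBJECT_RE = re.compile(
    r"breaking\s+(news|alert)|cnn\s+alerts?:?\s*custom\s+alert|daily\s+top\s+10|my\s+custom\s+alert",
    re.IGNORECASE,
)
# Any http(s) link in the body: group 1 = host, group 2 = path (empty if absent).
LINK_RE = re.compile(r"https?://([A-Za-z0-9.-]+)(/[^\s\"'<>]*)?", re.IGNORECASE)
# Lure page file names seen in the first-hop links (main/start/news.html).
LURE_PAGE_RE = re.compile(r"/(main|start|news)\.html?$", re.IGNORECASE)
# Payload file names from the posts: get_flash(_update).exe, video/watch/view.exe.
PAYLOAD_RE = re.compile(r"/(get_flash(_update)?|video|watch|view)\.exe$", re.IGNORECASE)
# Sender TLDs the posts list as commonly forged. A TLD alone is not evidence of
# spam, so it is only counted (assumption of this example) alongside another hit.
SUSPECT_SENDER_TLDS = {"de", "it", "ru", "fr"}


def _body_text(msg: Message) -> str:
    """Concatenate the decoded text/plain and text/html parts of a message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def _sender_tld(msg: Message) -> str:
    """Return the last DNS label of the From address domain, lower-cased ('' if none)."""
    match = re.search(r"@([A-Za-z0-9.-]+)", msg.get("From", ""))
    return match.group(1).rsplit(".", 1)[-1].lower() if match else ""


def classify(raw_message: str) -> dict:
    """Score one RFC 822 message; verdict is 'good' (0), 'flag' (1) or 'delete' (2+)."""
    msg = message_from_string(raw_message)
    reasons, score = [], 0

    if NEWS_SUBJECT_RE.search(msg.get("Subject", "")):
        reasons.append("fake news headline in Subject")
        score += 1

    for host, path in LINK_RE.findall(_body_text(msg)):
        path = path.rstrip(".,)")  # drop sentence punctuation glued to the URL
        if LURE_PAGE_RE.search(path):
            reasons.append(f"lure page link {host}{path}")
            score += 1
        if PAYLOAD_RE.search(path):
            reasons.append(f"executable payload link {host}{path}")
            score += 2  # a direct .exe lure is weighted higher than a lure page

    tld = _sender_tld(msg)
    if reasons and tld in SUSPECT_SENDER_TLDS:
        reasons.append(f"sender domain in commonly forged .{tld} TLD")
        score += 1

    verdict = "delete" if score >= 2 else "flag" if score == 1 else "good"
    return {"score": score, "reasons": reasons, "verdict": verdict}


# Constructed sample messages (not real captures; hosts are placeholders).
SAMPLE_NEWS_SPAM = """\
From: CNN Alerts <alerts@lure.example.de>
Subject: Breaking News: famous actress arrested
Content-Type: text/plain

Read the full story: http://lure.example.de/main.html
"""

SAMPLE_PAYLOAD_SPAM = """\
From: friend@example.invalid
Subject: you have to see this video
Content-Type: text/plain

Download the codec here: http://video.example/get_flash_update.exe
"""

SAMPLE_LEGIT = """\
From: notes@example.com
Subject: Weekly release notes
Content-Type: text/plain

Details at https://www.example.com/notes/2008-07
"""

if __name__ == "__main__":
    for name, sample in [("news spam", SAMPLE_NEWS_SPAM),
                         ("payload spam", SAMPLE_PAYLOAD_SPAM),
                         ("legit", SAMPLE_LEGIT)]:
        result = classify(sample)
        print(f"{name}: {result['verdict']} (score {result['score']}) {result['reasons']}")
```

The first constructed sample trips three rules (headline subject, main.html lure page, .de sender) and the second trips only the executable-payload rule, yet both reach the delete threshold because a direct .exe link is weighted double; the release-notes message matches nothing. The weights are a starting point for tuning against your own mail, not figures from the posts above.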

If you know, or suspect that you have become a victim of the Storm, or any other Trojan, you should obtain legitimate anti-malware software and scan for and remove all threats, after updating the program with the latest definitions. I use Spybot Search and Destroy, which is updated weekly and is totally free, but which you must remember to update manually and scan manually. It is one of my routine tasks that I do on Wednesdays, when the Spybot S&D definition updates are released.

Most people don't want to mess with security programs that they have to micro-manage every time they want to use them. For you folks a commercial application makes more sense. While I know of many security products and have ads for them, I am leaning towards Trend Micro Internet Security now. Their existing program used to be called PC-cillin and is well respected in the anti-virus field. But, they are venturing where no man has gone before: to the Cloud!

I'll tell you more about this new development soon. For now, if you need a really solid anti-virus, anti-spyware, anti-phishing and anti-spam solution, you will not go wrong with Trend Micro Internet Security 2008. As a favor to my readers, enter coupon code TrendIS08 during your purchase and I'll save you 10% off the going rate!

Till next time, practice safe hex!

July 13, 2008

My Spam analysis for July 7 - 13, 2008

This is the latest entry in a series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

MailWasher Pro is a spam screening program that goes between your email servers and your desktop email client (application). It uses a variety of techniques to recognize what is and isn't spam, including a learning filter and user created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by categories. Each program and user-created filter has a name and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics, with its percentage shown next to it. The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category: "Other."

MailWasher Pro spam category breakdown for July 7 - 13, 2008. Spam amounted to 53% of incoming email this week.
Other filters: (See my MWP Filters page) 21.69%
Blacklisted Domains/Senders: 21.08%
Male enhancement spam (subject and body): 13.85%
Hidden ISO Subject: 10.24%
Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals): 9.63%
Loans/Bankruptcy/Insurance Scams: 7.23%
"Opera Mail" Spam from Russia (Enlargement herbals): 5.42%
"Apple Mail" Spam (Male Enhancement, ED, etc): 4.22%
Digits or Consonants forged sender: 3.01%
DNS Blacklists: 2.41%
Bayesian learning filter: 1.20%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).


July 7, 2008

Stupid Russian Blog Spammers Still Wasting Their Time

"Stupid Russian Blog Spammers Still Wasting Their Time" makes for a catchy, surreal title, but it's true. The same country that produced the brilliant criminal masterminds behind the Storm and Grisbi Worms has also produced some of the stupidest blog spammers to ever set finger to keyboard!

Let me explain what I am referring to regarding stupid blog spammers. First of all, look up in the upper right corner of this blog, just under the Google search field. Here's what it says in capital letters: "SORRY: NO COMMENTS, NO TRACKBACKS!" That should be self-explanatory to almost anybody who can read English words, including people intent on spamming a blog such as this one, using English words. You know the crap I'm talking about: links to buy unlicensed or illegal drugs or herbal solutions, to cure "ED" or enlarge one's "natural size." When I first started this blog I did allow trackbacks and comments, and that is what I was getting submitted, all in English and all traced to Russian and Ukrainian IP addresses.

As soon as I realized that only blog spammers were trying to comment on my blog I decided to disable the codes and modules that allowed comments and trackbacks. Still, these idiots in Russia and the Ukraine continued trying to POST comments and trackbacks to the now disabled modules that used to handle those functions. This led me to write three articles about these incidents, during the spring and summer of 2007. Their names and links to them are as follows:


  1. Stupid Blog Trackback Spammers Don't Understand Server 403 Responses

  2. Russian and Ukrainian Blog Spammers are STUPID!

  3. Blog spammers still wasting their time trying to spam this unspammable blog


I wrote those articles about a year ago, yet I still see daily access log entries being blocked with server 403 responses, belonging to Russian IP addresses trying to POST spam comments or Trackbacks to this blog. It is obvious that these spammers are using scripts, but, being stupid spammers, they don't bother to verify whether those scripts are being allowed to complete their submissions, or check my blog to see if their comments were even posted. I'll bet somebody is paying these idiots to send blog spam for them and they are ripping off the guys with the money. If my blog is any indication of their lack of any level of intelligence, then I am guessing that they are having a similar lack of success trying to spam your blogs. Still, some of their attempts may work on unsecured servers.

Anyway, insults to the enemy aside (it feels good though!), I never see the comments they are typing, just an access log entry containing a 403 Forbidden, or 302 redirect back to their own websites (lol). My Apache-based, shared-hosting web server is protected with a custom ".htaccess" file that contains my entire, now-famous, "Russian Blocklist!" Many webmasters are using this blocklist to keep Russian and Turkish spammers and hackers from accessing their web sites.

If your web site and blog are hosted on a shared Apache/Linux based web server and you want to block access to IP addresses in the former Soviet Union and Turkey, just download my Russian .htaccess Blocklist and either use it as your new .htaccess file, or merge the "deny from" list into your existing .htaccess. Full instructions are included on my .htaccess blocklists landing page and on each blocklist page. The landing page has links to all of my existing .htaccess IP blocklists (Chinese, Nigerian, Russian and Exploited Servers), as well as my iptables Linux firewall blocklist equivalents.

An actual access log entry and codes you can use to block web site access to these people, are in my extended content.
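To check that a "deny from" blocklist is actually catching the script-driven comment and trackback POSTs described above, here is an added Python example (not code from this blog or its blocklists): it parses Apache combined-format access log lines, counts rejected (403 or 302) POSTs per client IP, and reports which of those sources the current deny list does not yet cover. The endpoint paths, the sample log lines and the deny list are constructed assumptions; substitute your own blog's script paths and your real .htaccess list.

```python
import ipaddress
import re
from collections import Counter

# One Apache "combined" access log line (the format shared cPanel hosts write).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Endpoints that once accepted comments and trackbacks. These names are
# assumptions (Movable Type style); substitute your blog's own script paths.
SPAM_ENDPOINTS = ("/mt/mt-comments.cgi", "/mt/mt-tb.cgi")

# Responses a rejected POST gets: 403 from an .htaccess "deny from" rule,
# 302 when the disabled module bounces the poster back to its own site.
REJECTED = {403, 302}


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def rejected_posts(lines):
    """Count POSTs to comment/trackback endpoints answered 403 or 302, per client IP."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["status"] not in REJECTED:
            continue
        if any(rec["path"].startswith(ep) for ep in SPAM_ENDPOINTS):
            hits[rec["ip"]] += 1
    return hits


def in_deny_list(ip, deny_list):
    """True if ip falls inside any address or CIDR block of an .htaccess style deny list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in deny_list)


def audit(lines, deny_list):
    """Map each posting IP to (attempts, already_denied) so uncovered sources stand out."""
    return {ip: (n, in_deny_list(ip, deny_list)) for ip, n in rejected_posts(lines).items()}


def htaccess_deny_lines(audit_result):
    """Render 'deny from' lines for offenders the current blocklist does not yet cover."""
    new_ips = sorted(ip for ip, (_, denied) in audit_result.items() if not denied)
    return ["deny from " + ip for ip in new_ips]


# Constructed sample log; addresses are RFC 5737 documentation ranges, not real spammers.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Jul/2008:03:12:41 -0400] "POST /mt/mt-tb.cgi/1181 HTTP/1.1" 403 216 "-" "Mozilla/4.0"
203.0.113.7 - - [07/Jul/2008:03:12:43 -0400] "POST /mt/mt-comments.cgi HTTP/1.1" 403 216 "-" "Mozilla/4.0"
198.51.100.23 - - [07/Jul/2008:04:55:02 -0400] "POST /mt/mt-comments.cgi HTTP/1.0" 302 0 "http://example.invalid/" "Opera/9.2"
192.0.2.10 - - [07/Jul/2008:05:01:17 -0400] "GET /blog/index.html HTTP/1.1" 200 8713 "-" "Mozilla/5.0"
192.0.2.10 - - [07/Jul/2008:05:01:20 -0400] "POST /mt/mt-comments.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"
this line is garbage and must be skipped
"""

# Constructed deny list standing in for the blog's .htaccess blocklist.
DENY_LIST = ["203.0.113.0/24"]

if __name__ == "__main__":
    result = audit(SAMPLE_LOG.splitlines(), DENY_LIST)
    for ip, (n, denied) in sorted(result.items()):
        state = "already denied" if denied else "NOT in blocklist"
        print(f"{ip:15} {n:3} rejected POSTs  {state}")
    print("\n".join(htaccess_deny_lines(result)))
```

Feed it your real access_log and deny list; any IP it prints as "NOT in blocklist" is a poster that only the disabled module, not the .htaccess rules, turned away.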


July 6, 2008

My Spam analysis for June 30 - July 6, 2008

This is the latest entry in a series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

MailWasher Pro is a spam screening program that goes between your email servers and your desktop email client (application). It uses a variety of techniques to recognize what is and isn't spam, including a learning filter and user created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by categories. Each program and user-created filter has a name and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics, with its percentage shown next to it. The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category: "Other."

MailWasher Pro spam category breakdown for June 30 - July 6, 2008. Spam amounted to 51% of incoming email this week.
Other filters: (See my MWP Filters page) 23.08%
"Opera Mail" Spam from Russia (Enlargement herbals): 17.31%
Blacklisted Domains/Senders: 16.03%
Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals): 14.10%
Male enhancement spam (subject and body): 10.26%
"Apple Mail" Spam (Male Enhancement, etc): 6.41%
Counterfeit Watches: 3.85%
HTML Tricks: 3.85%
Pirated Software: 3.85%
DNS Blacklists: 0.64%
Bayesian learning filter: 0.64%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).


June 29, 2008

My Spam analysis for June 23 - 29, 2008

This is the latest entry in a series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

MailWasher Pro is a spam screening program that goes between your email servers and your desktop email client (application). It uses a variety of techniques to recognize what is and isn't spam, including a learning filter and user created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by categories. Each program and user-created filter has a name and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics, with its percentage shown next to it. The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category: "Other."

MailWasher Pro spam category breakdown for June 23 through 29, 2008.
Other filters: (See my MWP Filters page) 24.48%
Blacklisted Domains/Senders: 23.78%
Male enhancement spam (subject and body): 12.58%
"Opera Mail" Spam (Enlargement herbals): 11.19%
Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals): 9.8%
"Apple Mail" Spam (Male Enhancement, etc): 5.59%
Counterfeit Watches: 4.90%
HTML Tricks: 2.80%
Pirated Software: 2.80%
DNS Blacklists: 2.10%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).


June 22, 2008

My Spam analysis for June 16 - 22, 2008

This is the latest entry in a series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

In the beginning of this series I was using MailWasher Pro filters exclusively, to detect and delete incoming spam email. Since then I have instituted email spam filters on my website's mail server, which has greatly reduced the amount of spam I see. The balance that does get through is identified and either flagged as spam, or instantly deleted, by my POP3 mail anti-spam tool, MailWasher Pro. MailWasher Pro identifies what is spam by a combination of methods, including the use of custom written personal spam filter rules. I have created a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page. I am no longer stating the overall percentage of spam to good email, due to the huge effect my cPanel mail server filters have on reducing the overall volume of junk mail. What does get through my server filters is still representative of what types of spam others are seeing, and the same categories occupy the top positions for me as they do for you.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category.

MailWasher Pro spam category breakdown for June 16 through 22, 2008.
Male enhancement spam (subject and body): 26.88%
Other filters: (See my MWP Filters page) 23.66%
"Apple Mail" Spam (Male Enhancement, etc): 13.98%
Hidden ISO Subject: 7.53%
Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills): 5.38%
Digits or Consonants forged sender: 5.38%
Counterfeit Watches: 4.30%
Blacklisted Domains/Senders: 4.23%
"Opera Mail" Spam (Enlargement herbals): 3.23%
HTML Tricks: 3.23%
DNS Blacklists: 2.15%
Bayesian learning filter: 1.08%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).


June 16, 2008

My Spam analysis for June 9 - 15, 2008

This is the latest entry in a series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

In the beginning of this series I was using MailWasher Pro filters exclusively, to detect and delete incoming spam email. Since then I have instituted email spam filters on my website's mail server, which has greatly reduced the amount of spam I see. The balance that does get through is identified and either flagged as spam, or instantly deleted, by my POP3 mail anti-spam tool, MailWasher Pro. MailWasher Pro identifies what is spam by a combination of methods, including the use of custom written personal spam filter rules. I have created a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page. I am no longer stating the overall percentage of spam to good email, due to the huge effect my cPanel mail server filters have on reducing the overall volume of junk mail. What does get through my server filters is still representative of what types of spam others are seeing, and the same categories occupy the top positions for me as they do for you.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category.

MailWasher Pro spam category breakdown for June 9 through 15, 2008.
Other filters: (See my MWP Filters page) 23.53%
Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills): 23.53%
Male enhancement spam (subject and body): 17.65%
"Apple Mail" Spam Botnet: 12.94%
Loans/Bankruptcy/Insurance Scams: 7.07%
Known Spam (From: or Body): 5.88%
Digits or Consonants forged sender: 4.71%
Counterfeit Watches: 4.71%
Counterfeit clothing and shoes: 3.53%
Blacklisted Domains/Senders: 2.35%
Bayesian learning filter: 1.18%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).


June 8, 2008

My Spam analysis for June 2 - 8, 2008

This is the latest entry in a series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

In the beginning of this series I was using MailWasher Pro filters exclusively, to detect and delete incoming spam email. Since then I have instituted email spam filters on my website's mail server, which has greatly reduced the amount of spam I see. The balance that does get through is identified and either flagged as spam, or instantly deleted, by my POP3 mail anti-spam tool, MailWasher Pro. MailWasher Pro identifies what is spam by a combination of methods, including the use of custom written personal spam filter rules. I have created a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page. I am no longer stating the overall percentage of spam to good email, due to the huge effect my cPanel mail server filters have on reducing the overall volume of junk mail. What does get through my server filters is still representative of what types of spam others are seeing, and the same categories occupy the top positions for me as they do for you.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category.

MailWasher Pro spam category breakdown for June 2 through 8, 2008.
Other filters: (See my MWP Filters page) 23.23%
Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills): 16.16%
Male enhancement spam (subject and body): 18.18%
Apple Mail Spam: 12.12%
Loans/Bankruptcy/Insurance Scams: 7.07%
Nigerian 419 Scams: 5.05%
Blacklisted (Mostly Nigerian 419 scams): 6.06%
Digits or Consonants forged sender: 6.06%
HTML Tricks: 4.04%
DNS Blacklists: 1.01%
Bayesian learning filter: 1.01%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).


June 1, 2008

My Spam analysis for May 26 - June 1, 2008

This is the latest entry in a series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

In the beginning of this series I was using MailWasher Pro filters exclusively, to detect and delete incoming spam email. Since then I have instituted email spam filters on my website's mail server, which has greatly reduced the amount of spam I see. The balance that does get through is identified and either flagged as spam, or instantly deleted, by my POP3 mail anti-spam tool, MailWasher Pro. MailWasher Pro identifies what is spam by a combination of methods, including the use of custom written personal spam filter rules. I have created a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page. I am no longer stating the overall percentage of spam to good email, due to the huge effect my cPanel mail server filters have on reducing the overall volume of junk mail. What does get through my server filters is still representative of what types of spam others are seeing, and the same categories occupy the top positions for me as they do for you.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category.

MailWasher Pro spam category breakdown for May 26 through June 1, 2008.
Other filters: (See my MWP Filters page) 21.43%
Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills): 19.04%
Male enhancement spam (subject and body): 16.66%
Nigerian 419 Scams: 9.52%
Blacklisted (Mostly Nigerian 419 scams): 9.52%
Counterfeit Watches: 8.33%
Digits or Consonants forged sender: 5.95%
Counterfeit clothing and shoes: 3.57%
DNS Blacklists: 2.38%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).


May 25, 2008

My Spam analysis for May 19 - 25, 2008

After taking a few weeks off from reporting my spam categories I thought I would resume the exercise today. This is the latest entry in a series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

In the beginning of this series I was using MailWasher Pro filters exclusively, to detect and delete incoming spam email. Since then I have instituted email spam filters on my website's mail server, which has greatly reduced the amount of spam I see. The balance that does get through is identified and either flagged as spam, or instantly deleted, by my POP3 mail anti-spam tool, MailWasher Pro. MailWasher Pro identifies what is spam by a combination of methods, including the use of custom written personal spam filter rules. I have created a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page. I am no longer stating the overall percentage of spam to good email, due to the huge effect my cPanel mail server filters have on reducing the overall volume of junk mail. What does get through my server filters is still representative of what types of spam others are seeing, and the same categories occupy the top positions for me as they do for you.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category.

MailWasher Pro spam category breakdown for May 19 through 25, 2008.
Other filters: (See my MWP Filters page) 22.09%
Nigerian 419 Scams: 20.93%
Male enhancement spam (subject and body): 15.11%
Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills): 10.47%
Counterfeit Watches: 9.30%
Blacklisted (by pattern matching): 8.14% (Mostly Nigerian 419 scams)
Counterfeit clothing and shoes: 5.81%
HTML Tricks: 3.49%
Casino Spam: 3.49%
Bayesian learning filter: 1.16%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Mail, Eudora, Mozilla and other stand-alone email programs).


May 4, 2008

My Spam analysis for April 28 - May 4, 2008

This is the latest entry in a series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

In the beginning of this series I was using MailWasher Pro filters exclusively, to detect and delete incoming spam email. Since then I have instituted email spam filters on my website's mail server, which has greatly reduced the amount of spam I see. The balance that does get through is identified and either flagged as spam, or instantly deleted, by my POP3 mail anti-spam tool, MailWasher Pro. MailWasher Pro identifies what is spam by a combination of methods, including the use of custom written personal spam filter rules. I have created a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

My analysis of this week's spam shows that male enhancement pills, Viagra and other pharmaceuticals occupy the top spot in my spam categories, with counterfeit brands of watches, clothes and shoes, pirated software and Google redirect exploits to fake "video codecs" (e.g., the Zlob Trojan and other Trojan Horse executables) falling further behind. All of the spam emails for pharmaceuticals have links to websites hosted in China or Korea. Most of the fake and counterfeit goods, drugs, enhancement pills and herbal solutions being spamvertised are produced in China. Foremost among these are fake pharmacy websites, like the so-called "Canadian Pharmacy," which is not in Canada at all (it's in China and Indo-China), nor, despite the presence of fake accreditation logos, is it approved to sell pharmaceuticals in the US or Canada. Most of the fraudulent "Canadian Pharmacy" web pages are now hosted on compromised home or office PCs that are unknowingly members of various spam Botnets. In fact, virtually all of the billions of spam messages hitting our inboxes these days come from zombie computers, used as spam relays, in various Botnets.

As is usually the case, the category "Other Filters" has the second largest percentage in this week's spam analysis. That category contains all manner of miscellaneous filters that are matched by supposedly clever email subjects, such as: one word subject, digits and consonants senders, various HTML tricks, 2 line spam tricks, and some lottery and financial fraud and phishing scams. The main spam categories that rated a measurable percentage are listed below.

The current percentage of identified spam that made it through the filters on my mail server is 38% for the week ending May 4, 2008. These messages were all identified and dealt with by MailWasher Pro. I assigned some truly miscellaneous messages to the "learning filter" which then flags any similar messages as spam, making them easy to spot in the message list. This has earned the category "Learning Filter" a small spot in the list below. :-)

MailWasher Pro spam category breakdown for April 28 through May 4, 2008.
Male enhancement spam (subject and body): 23.86%
Other filters: (See my MWP Filters page) 21.59%
Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills): 12.50%
Counterfeit clothing and shoes: 13.64%
Counterfeit Watches: 7.95%
Blacklisted (by pattern matching): 7.95%
Pirated Software: 5.68%
Nigerian 419 Scams: 3.41%
Google Redirect Exploits (to hostile downloads): 3.41%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Mail, Eudora, Mozilla and other stand-alone email programs).


April 27, 2008

My Spam analysis for April 21 - 27, 2008

This is the latest entry in a series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

In the beginning of this series I was using MailWasher Pro filters exclusively, to detect and delete incoming spam email. Since then I have instituted email spam filters on my website's mail server, which has greatly reduced the amount of spam I see. The balance that does get through is identified and either flagged as spam, or instantly deleted, by my POP3 mail anti-spam tool, MailWasher Pro. MailWasher Pro identifies what is spam by a combination of methods, including the use of custom written personal spam filter rules. I have created a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

My analysis of this week's spam shows that male enhancement pills, Viagra and other pharmaceuticals occupy the top spot in my spam categories, with counterfeit brands of watches, clothes and shoes, pirated software and Google redirect exploits to fake "video codecs" (e.g., the Zlob Trojan and other Trojan Horse executables) falling further behind. All of the spam emails for pharmaceuticals have links to websites hosted in China or Korea. Most of the fake and counterfeit goods, drugs, enhancement pills and herbal solutions being spamvertised are produced in China. Foremost among these are fake pharmacy websites, like the so-called "Canadian Pharmacy," which is not in Canada at all (it's in China and Indo-China), nor, despite the presence of fake accreditation logos, is it approved to sell pharmaceuticals in the US or Canada. Most of the fraudulent "Canadian Pharmacy" web pages are now hosted on compromised home or office PCs that are unknowingly members of various spam Botnets. In fact, virtually all of the billions of spam messages hitting our inboxes these days come from zombie computers, used as spam relays, in various Botnets.

As was the case before, the category "Other Filters" has the largest percentage in this week's spam analysis. That category contains all manner of miscellaneous filters that are matched by supposedly clever email subjects, such as: one word subject, digits and consonants senders, various HTML tricks, 2 line spam tricks, and some good old Nigerian 419 lottery and financial fraud scams. The main spam categories that rated a measurable percentage are listed below.

The current percentage of identified spam that made it through the filters on my mail server is 38% for the week ending April 27, 2008. These messages were all identified and dealt with by MailWasher Pro. I assigned some truly miscellaneous messages to the "learning filter" which then flags any similar messages as spam, making them easy to spot in the message list. This has earned the category "Learning Filter" a small spot in the list below. :-)

MailWasher Pro spam category breakdown for April 21 through 27, 2008.
Other filters: (See my MWP Filters page) 34.02%
Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills): 18.56%
Male enhancement spam (subject and body): 13.40%
Counterfeit clothing and shoes: 9.28%
Blocked Countries: 11.34%
HTML Tricks: 4.12%
Pirated Software: 4.12%
Blacklisted (by pattern matching): 2.06%
Bayesian learning filter: 2.06%
DNS Blacklists: 1.03%
Counterfeit Watches: 0% (4 hits)
Google Redirect Exploits (to hostile downloads): 0% (3 hits)

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Mail, Eudora, Mozilla and other stand-alone email programs).


April 20, 2008

My Spam analysis for April 14 - 20, 2008

This is the latest entry in a series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

At the beginning of this series I was using MailWasher Pro filters exclusively to detect and delete incoming spam email. Since then I have put email spam filters on my website's mail server, which has greatly reduced the amount of spam that reaches me at all. The balance that does get through is identified and either flagged as spam or instantly deleted by my POP3 anti-spam tool, MailWasher Pro. MailWasher Pro identifies spam by a combination of methods, including custom-written personal spam filter rules. I have created a large assortment of spam filters which plug in to MailWasher Pro to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

My analysis of this week's spam shows that male enhancement pills, Viagra and other pharmaceuticals occupy the top spot in my spam categories, with counterfeit brands of watches, clothes and shoes and Google redirect exploits to fake "video codecs" (e.g. the Zlob Trojan and other Trojan Horse executables) following closely behind. All of the spam emails for pharmaceuticals have links to websites hosted in China or Korea. Most of the fake and counterfeit goods, drugs, enhancement pills and herbal solutions being spamvertised are produced in China. Foremost among these are fake pharmacy websites, like the so-called "Canadian Pharmacy," which is not in Canada at all (it's in China and Indo-China), nor, despite the presence of fake accreditation logos, is it approved to sell pharmaceuticals in the US or Canada. Most of the fraudulent "Canadian Pharmacy" web pages are now hosted on compromised home or office PCs that are unknowingly members of various spam botnets. In fact, virtually all of the billions of spam messages hitting our inboxes these days come from zombie computers used as spam relays in various botnets.

As before, the "Other Filters" category has the largest share in this week's spam analysis. That category contains all manner of miscellaneous filters that are matched by supposedly clever spam tricks, such as: one-word subjects, sender names made of digits and consonants, various HTML tricks, two-line spam tricks, and some good old Nigerian 419 lottery and financial fraud scams. The main spam categories that rated a measurable percentage are listed below.

The percentage of my incoming email identified as spam, after passing through the filters on my mail server, is 34% for the week ending April 20, 2008. All of those messages were identified and dealt with by MailWasher Pro. I assigned some truly miscellaneous messages to the "learning filter," which then flags any similar messages as spam and makes them easy to spot in the message list. This has earned the "Learning Filter" category a small spot in the list below. :-)

MailWasher Pro spam category breakdown for April 14 through 20, 2008.
Other filters: (See my MWP Filters page) 25.88%
Pharmaceutical spam (includes Viagra and Cialis): 11.77%
Known Spam Domains: 11.76%
Blacklisted (by pattern matching): 10.59%
Male enhancement spam (subject and body): 9.41%
Counterfeit clothing and shoes: 8.24%
Other Pills: 7.06%
Google Redirect Exploits (to hostile downloads): 5.88%
One word spam subjects: 3.53%
Re: or Fw: Spammer: 3.53%
DNS Blacklists: 1.18%
Bayesian learning filter: 1.18%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Mail, Eudora, Mozilla and other stand-alone email programs).

April 13, 2008

My Spam analysis for April 7 - 13, 2008

After taking one week off from analyzing my spam (junk-mail) statistics, I am resuming them this weekend. I have put email spam filters on my website's mail server, which has greatly reduced the amount of spam that reaches me at all. The balance that does get through is identified and either flagged as spam or instantly deleted by my POP3 anti-spam tool, MailWasher Pro. MailWasher Pro identifies spam by a combination of methods, including custom-written personal spam filter rules. I have created a large assortment of spam filters which plug in to MailWasher Pro to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

On to the spam analysis at hand!

My analysis of this week's spam shows that male enhancement pills and other pharmaceuticals have reclaimed the top spot in my spam categories, with counterfeit brands of watches, clothes and shoes and Google redirect exploits to fake "video codecs" (e.g. the Zlob Trojan and other Trojan Horse executables) following closely behind. All of the spam emails for pharmaceuticals have links to websites hosted in China or Korea. Most of the fake and counterfeit goods, drugs, enhancement pills and herbal solutions being spamvertised are produced in China. Foremost among these are fake pharmacy websites, like the so-called "Canadian Pharmacy," which is not in Canada at all (it's in China and Indo-China), nor, despite the presence of fake accreditation logos, is it approved to sell pharmaceuticals in the US or Canada. Most of the fraudulent "Canadian Pharmacy" web pages are now hosted on compromised home or office PCs that are unknowingly members of various spam botnets. In fact, virtually all of the billions of spam messages hitting our inboxes these days come from zombie computers used as spam relays in various botnets.

As before, the "Other Filters" category has the largest share in this week's spam analysis. That category contains all manner of miscellaneous filters that are matched by supposedly clever spam tricks, such as: one-word subjects, sender names made of digits and consonants, various HTML tricks, two-line spam tricks, and some good old Nigerian 419 lottery and financial fraud scams. The main spam categories that rated a measurable percentage are listed below.

The percentage of my incoming email identified as spam, after passing through the filters on my mail server, is 34% for the week ending April 13, 2008. All of those messages were identified and dealt with by MailWasher Pro. I assigned some truly miscellaneous messages to the "learning filter," which then flags any similar messages as spam and makes them easy to spot in the message list. This has earned the "Learning Filter" category a small spot in the list below. :-)

MailWasher Pro spam category breakdown for April 7 through 13, 2008.
Other filters: (See my MWP Filters page) 30.23%
Male enhancement spam (subject and body): 11.63%
Blacklisted (by pattern matching): 8.14%
Counterfeit clothing and shoes: 7.39%
Google Redirect Exploits (to hostile downloads): 6.98%
Misc spam to a protected account: 5.81%
One word spam subjects: 4.65%
DNS Blacklists: 4.65%
Pharmaceutical spam (includes Viagra and Cialis): 4.65%
Other Pills: 4.65%
MaxDik spam: 4.65%
Counterfeit Watches: 3.49%
Bayesian learning filter: 1.16%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Mail, Eudora, Mozilla and other stand-alone email programs).

April 6, 2008

Exim Spam Filters for Websites with CPanel

If your website uses cPanel as its control panel and account-level email filtering is enabled, the rules below will dramatically reduce the amount of spam you see.

First of all, be aware that not all cPanel icon layouts are the same, nor do all hosting companies offer the same options. My websites are hosted at Bluehost and I enjoy lots of user-configurable options, including account-wide, user-created email filter rules. I reach the email filters by following this path: log in to cPanel > "Home" > "Mail" section > "Account Level Filtering" icon. This opens a new cPanel page with the heading "Edit Filters for All Mail On Your Account" and the note: "In this area you can manage filters for your main account. Note, that if you have add-on domains hosted under the main account, their email accounts will also be covered by these filters." My cPanel also has an icon that lets me create filters for an individual email account. This way I can apply more restrictive rules to the accounts receiving the most spam, leaving the others to be filtered less drastically.

For simplicity's sake I have grouped all of my various account rules into one set, which can be applied site-wide. You'll still see some spam, but not nearly as much as you did before applying these rules.

On the cPanel "Account Level Filtering" page, click the button labeled "Create a new Filter." The first input field is labeled: "Filter Name:" and you should type in the name you want to assign to each rule, or use mine, shown below. Each rule must have a unique filter name.

The next section down is labeled "Rules" and is where you select the criteria for each rule. The options list on the left is where you choose which part of the email message the rule on that line applies to. Use the down-arrow button to open the options list. The most commonly used selections are: "From, Subject, To, Body and Any Header."

The options list on the right side of the Rules section determines how that rule is applied. The options in the flyout list are: "Equals, Matches Regex, Contains, Does Not Contain, Begins With, Ends With, Does Not Begin With, Does Not End With, Does Not Match."

The actual rule text goes into the input field under the flyout options. Type, or copy and paste, my rules (listed in the extended section of this post) into the input field for each rule. Next, under Actions, choose "Discard Message," then click the button labeled "Activate." You will be taken to a page reporting that rule such-and-such was successfully created, with a button to take you back to the main Filters page. There, under "Filter Test," you can test your rules against a sample message. Enter the text or headers to be tested into the appropriate section, adding to or replacing what is already there, then press the "Test Filter" button. The results page tells you which filter rule, if any, was matched and that the result would be delivery to "/dev/null" (the bit bucket).

If a filter test on a known spam message results in "Normal Delivery," something is wrong with your input selections. Use the Edit button next to the filter that should have matched, check your option settings and look for typos in the rule text. Save changes by clicking the Activate button, then test again. You'll get it right eventually. Trust me, I know - I've been through this already.

Every rule group has a plus and a minus button on the right side, used to add criteria to the rule set or remove them. Plus adds a new rule line, while minus removes the last one. Each rule line can apply to a different part of the message and use different matching criteria. In theory one could put all of my rules into one filter set, but that would make it very hard to debug if legitimate email gets sent to the bit bucket in the sky. Keep the rules separate and properly labeled, so they are easy to edit or remove if that becomes necessary.

See my extended comments in the section below, for the actual rules.

March 30, 2008

My Spam analysis for March 24 - 30, 2008

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and I write my own custom spam filter rules for it. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming-email statistics window that includes a pie chart breakdown of the various types of spam recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the latest installment; I post a new report each week, covering Monday through Sunday, and try to update it during or at the end of the week.

My analysis of this week's spam shows that male enhancement pills and other pharmaceuticals were finally displaced from the top spot in my spam categories by Nigerian 419 and lottery scams, counterfeit brands of watches, clothing and footwear, fake diplomas and debt consolidation loans. Most of the spam emails have links to websites hosted in China or Korea. Most of the fake and counterfeit watches, clothing, drugs, enhancement pills and herbal solutions being spamvertised are produced in China. Foremost among these are fake pharmacy websites, like the so-called "Canadian Pharmacy," which is not in Canada at all (it's in China and Indo-China), nor, despite the presence of fake accreditation logos, is it approved to sell pharmaceuticals in the US or Canada. Most of the fraudulent "Canadian Pharmacy" web pages are now hosted on compromised home or office PCs that are unknowingly members of various spam botnets.

< rant >
The only rational explanation for the continued existence of these fake pharmacies must be that there are enough gullible people in the world who will buy enough drugs from links in spam emails to make it financially worthwhile for spammers to pay to rent botnets to send this crap. Considering that most of these pharmaceuticals are fake or contaminated, one has to wonder how many people get sick, or die, because they foolishly bought spamvertised counterfeit medicine from fraudulent online pharmacies.
< /rant >

As part of my ongoing maintenance I have merged some filters to simplify the reporting process, so the categories shown below may differ from previous weeks' results. I have also created a special sender recognition filter that, when matched, assigns the status "BlackList" to those spam messages. Because the blacklist rule is processed first, a lot of spam never reaches my other custom filters, which saves the processing time they would otherwise spend on it. Furthermore, I have now applied some of my blacklist terms to the email server on my website, automatically eliminating a huge portion of certain types of forged-sender spam.

My current statistics show that spam is 55% of all my incoming email for the week of March 24 through 30, 2008. Without my custom MailWasher Pro filters identifying and automatically deleting most of this crap, email would be essentially useless for me if I had to sort out the spam manually. Thanks to those custom filters, which I work hard to keep updated, I only have to delete a handful of spam messages by hand each day (which I then classify into filters for you all). The machines sending this deluge of spam are all members of botnets, with spam relays and remote command-and-control software surreptitiously installed, mostly by Trojans people are tricked into clicking on. I see many identical spam messages in my statistics (sorted by subject), sent from different places in the world, all with forged sender names, confirming that this is a world-wide spam-demic.

MailWasher Pro spam category breakdown for March 24 through 30, 2008.
Blacklisted (by pattern matching): 26.07%
Male enhancement spam: 5.83%
Other Pharmaceutical spam (includes Viagra and Cialis): 3.89%
Other filters: (See my MWP Filters page) 18.29%
Counterfeit Watches and Shoes: 7.39%
Loans and bankruptcy spam: 5.06%
Diploma spam: 5.06%
HTML Tricks: 4.28%
Nigerian 419 and Lottery Scams: 2.72%
Known Spam, by Subject, Body, or Sender: 15.56%
Google Redirect Exploits (to hostile downloads): 4.67%
DNS Blacklists: 0.40%
Bayesian learning filter: 0.78%

These spam categories and their relative percentages shift a bit each week, as the botmasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising. Also, for over two months now, I have been blacklisting particular forged senders that match a pattern. The blacklisted category is quickly rising above all the other spam classifications, which shows that my pattern matching is working. Many of the blacklisted spam messages are for counterfeit Viagra, illegal HGH, dubious male enhancement drugs, or pirated software.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

March 28, 2008

Nigerian Scammers operating out of Madrid Spain plus, using Botnets

Lately I have been getting lots of Nigerian 419 lottery scams with the originating IP located in Spain, especially on the ISPs Ono.com and Telefonica.es. However, when I report these scams to SpamCop, many of the sending (not originating) IP addresses turn out to belong to residential broadband customers in the US, Europe and South America. This tells me that the Nigerian crime gangs have buddied up with the owners of a botnet and are using it to relay some of their scam messages. Furthermore, some, but not all, of the scam emails also contain clickable links that lead to instant downloads of Trojan Horse downloaders, keyloggers and backdoors. This stinks of the Storm Worm/Zhelatin gang, located in St. Petersburg, Russia, although it could be a different botnet being rented out to the Nigerians.

The main point of this article is not botnets, though. It is that many Nigerian 419 fraudsters are moving out of Africa and Amsterdam (where they got arrested, convicted and deported) and settling in Spain. Not wanting their scam/spam messages traced directly to them, they have taken to the airwaves, literally: they "piggyback" on their neighbors' unsecured wireless routers in apartment complexes or houses, using IP addresses assigned to other, legitimate customers, to send scam runs. The victims are completely unaware that anything illegal is happening until the police come knocking on their door. Fortunately, the Nigerians piggybacking on the broadband accounts are in the same buildings, which has allowed the Spanish police to locate and arrest some of them, as happened on February 18, 2008. Here is a quote from the Sophos article about those arrests:


Ten Nigerians arrested in Spain for email lottery scam
February 18, 2008

The ten people, all Nigerian nationals, are suspected of making more than 19,000 Euros ($28,000) in three months by demanding payments from innocent internet users who believed they had won a lottery.

Police report that the emails sent by the suspects were sent from the Teatinos area of Malaga in Spain, by piggybacking on a neighbour's wi-fi internet connection without permission. Seven arrests were made in Malaga, and three more in Huelva province.

Malaga is no stranger to Nigerian-run email scams. In 2005, 310 people were arrested in Malaga in what was said to be the biggest ever bust of a lottery scam gang. The arrests followed an investigation by the FBI and Spanish police into a scam run by Nigerian gangs.

If you run a forum or website that is plagued by Nigerian scammers you can block them from accessing it by employing a "blocklist." I publish and maintain a Nigerian Blocklist in two common formats:


  1. .htaccess - for most Apache-based, shared-hosting websites, where the webmaster only has control over his or her own website. The .htaccess rules only block browsing of your site and form submissions; they do not block email scams.

  2. iptables - for administrator-webmasters who have root access to dedicated or VPS Linux servers. iptables rules can be imported into your APF firewall to block all access by undesirables, including email access.


Rather than create an entirely new blocklist for the Nigerians residing in Spain, I am adding the IP addresses and CIDRs of the Spanish ISPs to my Nigerian Blocklists.

End users, who receive email via a POP client (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora), and are tired of sorting through dozens or hundreds of daily email scams and other spam, can use the program I use to filter out spam and scams. That program is MailWasher Pro, which you can read about here.

In the meantime, do not fall for any lottery scams, or other free money pitches coming from Nigerian criminals. To see the details about what they have been up to recently, read my blog article about the sudden surge in Nigerian lottery scams.

March 26, 2008

Sudden surge in Nigerian 419 Scam emails

For the last two days I have been getting lots of spam messages sent by Nigerian criminals running a new 419 advance fee fraud campaign. The current crop of 419 scams mostly have subjects in all capital letters (but not always), and the message body appears to come from a barrister, a solicitor, a lottery, or the executor of a will. Huge rewards supposedly await the mugus (fools) who respond and are willing to pay some processing fees to get this money transferred into their soon-to-be-emptied bank accounts.

This request for fees to be paid in advance of the transfer of the imaginary funds is what makes it a 419 scam: 419 is the section of the Nigerian Criminal Code that covers advance fee fraud.

Here is a list of the subjects from the email scams I have received in the past 60 hours (Updated 3/28/08):

ASSISTANCE
ATM PAYMENT
Attention, Attention,, Attention
Attn:Beneficiary
CONTACT EFEX COURIER COMPANY ASAP
CONTACT FEDEX COURIER COMPANY FOR YOUR DELIVERY
CONTACT FEDEX COURIER COMPANY FOR YOUR PARCEL
CONTACT REV. DR. KENNETH OKOM DIRECTOR OF ATM CARD BANK
CONTACT YOUR ATM MASETR CARD
CONTACT YOUR ATM PAYMENT CENTER
Contact your claims agent
Dear Friend
From Barrister James.
FROM: PETER SUMEN. (NPA)
GOOD NEWS
IMPORTANT NOTICE
THIS IS FOR YOUR ATTENTION.
WILL EXECUTION
YOUR CONTRACT PAYMENT
Your Payment
GOOD NEWS CONTACT HALLMARK DELIVERY COMPANY FOR THE DELIVERY OF YOUR CONSIGNMENT ASAP.

Many of the message bodies begin with "Dear Friend,". Every one of these spam messages was an attempted 419 scam. If you get any email with these subjects you can safely delete it without reading the crap inside. If your email system allows for special filter rules, create one to delete, or flag as spam, all messages whose subject is in ALL CAPS. SpamAssassin already has this rule built in. I personally use MailWasher Pro to screen all of my incoming POP email before I download it to Outlook Express. MailWasher Pro uses a variety of methods to recognize spam and scams, including user-created custom filters. I happen to write and maintain a group of filters for MailWasher Pro. They are available on my MailWasher Filters Page.

If you already have MailWasher and need a filter rule to detect messages containing all capital letters, here it is (the rule should be on one long continuous line):

[enabled],"Subject All Caps/Missing (S)","Subject All Caps/Missing (S)",33023,OR,Delete,Subject,doesn'tContainRE,(?-i)[a-z],Subject,doesn'tContainRE,.

Here is my MailWasher filter for known 419 scams (one long line):

[enabled],"Nigerian 419 Scams","419 Scam",16711680,OR,Blacklist,Delete,Body,containsRE,"^(?-i)Dear\ (Sir/Madam|Friend),(
)?$",Body,contains,"URGENT AND CONFIDENTIAL",Body,contains,"BANK OF NIGERIA",Subject,is,"URGENT AND CONFIDENTIAL",Body,containsRE,"unclaimed\ (benefits|funds)",Subject,contains,"CONFIDENTIAL MUTUAL BUSINESS PROPOSAL",Body,contains,"contacting you based on Trust",From,contains,"Department of National Lotteries",Subject,contains,"UNITEDN NATION",Subject,containsRE,"TREAT\ (AS|VERY)\ (CONFIDENTIAL|URGENT)"

Just copy and paste that rule into your MailWasher filters.txt file, which on Windows XP is found under Documents and Settings > your user name > Application Data > MailwasherPro. Make sure MailWasher is closed before you add this rule; save the file, then open MWP again. The rule should be visible when you click View > Filter Sidebar (Ctrl+F7). You can download MailWasher Pro here.
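To dry-run the two rules above outside MailWasher, and to see how the same Subject/Body "Contains" and "Matches Regex" rule types described in the cPanel/Exim post behave, here is a small Python re-implementation of the rule semantics. This is an added example, not MailWasher code and not the author's filter file: the field names and operators are taken from the two rule lines quoted above, the regexes are transcribed into Python syntax (MailWasher's global `(?-i)` becomes Python's scoped `(?-i:...)`, and the optional line break after the salutation becomes `\s*`), and the sample messages are constructed for illustration, with subjects borrowed from the list in this post.

```python
import re
from email import message_from_string
from email.message import Message
from typing import List, Tuple

# One rule is (field, operator, value); a filter fires when ANY rule matches,
# which is the "OR" in the MailWasher rule lines quoted in the post.
Rule = Tuple[str, str, str]

# MailWasher matches are case-insensitive unless the pattern turns that off,
# so regex rules are compiled with IGNORECASE and a pattern may override it
# with a scoped (?-i:...) group.
_RE_FLAGS = re.IGNORECASE | re.MULTILINE

FILTERS: List[Tuple[str, List[Rule]]] = [
    # "Subject All Caps/Missing": no lowercase letter in the subject, or no
    # subject text at all (a bare "." regex fails only on an empty string).
    ("Subject All Caps/Missing", [
        ("Subject", "doesn'tContainRE", r"(?-i:[a-z])"),
        ("Subject", "doesn'tContainRE", r"."),
    ]),
    # "Nigerian 419 Scams": the rule list from the post's filter line.
    ("Nigerian 419 Scams", [
        ("Body", "containsRE", r"^(?-i:Dear\ (Sir/Madam|Friend)),\s*$"),
        ("Body", "contains", "URGENT AND CONFIDENTIAL"),
        ("Body", "contains", "BANK OF NIGERIA"),
        ("Subject", "is", "URGENT AND CONFIDENTIAL"),
        ("Body", "containsRE", r"unclaimed\ (benefits|funds)"),
        ("Subject", "contains", "CONFIDENTIAL MUTUAL BUSINESS PROPOSAL"),
        ("Body", "contains", "contacting you based on Trust"),
        ("From", "contains", "Department of National Lotteries"),
        ("Subject", "contains", "UNITEDN NATION"),  # sic: the scammers' own typo
        ("Subject", "containsRE", r"TREAT\ (AS|VERY)\ (CONFIDENTIAL|URGENT)"),
    ]),
]


def field_text(msg: Message, field: str) -> str:
    """Return what a rule inspects: a header value, or the decoded plain body."""
    if field == "Body":
        payload = msg.get_payload(decode=True)
        return payload.decode("utf-8", "replace") if payload else ""
    return msg.get(field, "")


def rule_matches(text: str, op: str, value: str) -> bool:
    """Evaluate one MailWasher-style operator against the inspected text."""
    if op == "contains":
        return value.lower() in text.lower()
    if op == "is":
        return text.strip().lower() == value.lower()
    if op == "containsRE":
        return re.search(value, text, _RE_FLAGS) is not None
    if op == "doesn'tContainRE":
        return re.search(value, text, _RE_FLAGS) is None
    raise ValueError(f"unknown operator {op!r}")


def classify(raw_message: str) -> List[str]:
    """Names of the filters that fire on a raw RFC 822 message, in filter order."""
    msg = message_from_string(raw_message)
    return [
        name
        for name, rules in FILTERS
        if any(rule_matches(field_text(msg, f), op, v) for f, op, v in rules)
    ]


# Constructed test messages: subjects from the 419 list in the post, bodies
# and senders made up.
SAMPLES = {
    "atm_419": (
        "From: claims@example.invalid\n"
        "Subject: CONTACT YOUR ATM PAYMENT CENTER\n\n"
        "Dear Friend,\n\nI am a Barrister and I have a consignment for you.\n"
    ),
    "beneficiary_419": (
        "From: claims@example.invalid\n"
        "Subject: Attn:Beneficiary\n\n"
        "We write to inform you of Unclaimed Funds in your name.\n"
    ),
    "legit": (
        "From: alice@example.invalid\n"
        "Subject: Re: lunch on Friday?\n\n"
        "Still on for noon?\n"
    ),
    # A legitimate short subject that the all-caps rule also catches.
    "short_caps": (
        "From: bob@example.invalid\n"
        "Subject: FYI\n\n"
        "See attached minutes.\n"
    ),
    "no_subject": "From: nobody@example.invalid\n\nhello\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:16s} -> {classify(raw) or ['(clean)']}")
```

The `short_caps` sample is the caveat: the all-caps rule is a blunt instrument and will also delete a real message whose subject is just "FYI" or "RE: NDA", so consider flagging rather than deleting, or pairing it with a minimum letter count. The salutation regex is anchored to the start of a line with only whitespace allowed after the comma, as in the original rule, so "Dear Friend, how are you" on one line is deliberately not matched.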

Never fall for the pitches from these con men in Nigeria. They are very good at relieving North Americans and Brits of their excess money, using greed as the bait.

March 23, 2008

My Spam analysis for March 17 - 23, 2008

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and I write my own custom spam filter rules for it. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming-email statistics window that includes a pie chart breakdown of the various types of spam recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the latest installment; I post a new report each week, covering Monday through Sunday, and try to update it during or at the end of the week.

My analysis of this week's spam shows that male enhancement pills and other fake pharmaceuticals dominated all spam categories, but counterfeit brands of watches, clothing and footwear, along with fake diplomas, made a big comeback. Most of the spam emails for pharmaceuticals have links to websites hosted in China or Korea. Much of the fake and counterfeit drugs, enhancement pills and herbal solutions being spamvertised are produced in China. Foremost among these are fake pharmacy websites, like the so-called "Canadian Pharmacy," which is not in Canada at all (it's in China and Indo-China), nor, despite the presence of fake accreditation logos, is it approved to sell pharmaceuticals in the US or Canada. Most of the fraudulent "Canadian Pharmacy" web pages are now hosted on compromised home or office PCs that are unknowingly members of various spam botnets.

< rant >
The only rational explanation for the continued existence of these fake pharmacies must be that there are enough gullible people in the world who will buy enough drugs from links in spam emails to make it financially worthwhile for spammers to pay to rent botnets to send this crap. Considering that most of these pharmaceuticals are fake or contaminated, one has to wonder how many people get sick, or die, because they foolishly bought spamvertised counterfeit medicine from fraudulent online pharmacies.
< /rant >

As part of my ongoing maintenance I have merged some filters to simplify the reporting process, so the categories shown below may differ from previous weeks' results. I have also created a special sender recognition filter that, when matched, assigns the status "BlackList" to those spam messages. Because the blacklist rule is processed first, a lot of spam never reaches my other custom filters, which saves the processing time they would otherwise spend on it. Furthermore, I have now applied some of my blacklist terms to the email server on my website, automatically eliminating a huge portion of certain types of forged-sender spam.

My current statistics show that spam is 50% of all my incoming email for the week of March 17 through 23, 2008. This is 6 points down from last week, much of which is attributable to my applying pattern-matching spam filters to my mail server. However, 50% spam is still getting through, and without my custom MailWasher Pro filters identifying and automatically deleting most of this crap, email would be essentially useless for me if I had to sort out the spam manually. Thanks to those custom filters, which I work hard to keep updated, I only have to delete a handful of spam messages by hand each day (which I then classify into filters for you all). The machines sending this deluge of spam are all members of botnets, with spam relays and remote command-and-control software surreptitiously installed, mostly by Trojans people are tricked into clicking on. I see many identical spam messages in my statistics (sorted by subject), sent from different places in the world, all with forged sender names, confirming that this is a world-wide spam-demic.

MailWasher Pro spam category breakdown for March 17 through 23, 2008.
Blacklisted (by pattern matching): 15.49%
Male enhancement spam: 15.96%
Other filters: (See my MWP Filters page) 26.29%
Counterfeit Watches and Shoes: 18.78%
Casino spam: 3.29%
Diploma spam: 6.10%
HTML Tricks: 6.10%
Spam sent to and from same email account: 2.82%
Known Spam Subjects: 4.23%
DNS Blacklists: 0.47%
Bayesian learning filter: 0.47%

These spam categories and their relative percentages shift a bit each week, as the botmasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising. Also, for over two months now, I have been blacklisting particular forged senders that match a pattern. The blacklisted category is quickly rising above all the other spam classifications, which shows that my pattern matching is working. Many of the blacklisted spam messages are for counterfeit Viagra, illegal HGH, dubious male enhancement drugs, or pirated software.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

New backdoor threat in spam email using recording artist names

If I got this, you will too. Be on the lookout for a spam email with the name of a major female recording artist in the subject and a message body claiming to link to a video or MP3 file. Clicking on the link downloads, and possibly executes, a file named mgp.exe, which AVG identifies as Backdoor IRCBOT.DNZ. Running it hands control of your PC to attackers, who issue commands to it over IRC channels. After that, there is no telling what other malware or spam-ware will be installed on your computer.

The file I tested (mgp.exe) is 61.5 KB in size and was delivered from a compromised Italian website, AlterVista.org, whose IP address range is 75.126.135.128 - 75.126.135.143, on servers leased from Softlayer, Inc.

Those of you who use my exploited servers blocklist are already aware that Softlayer's IP range is in the list of servers being exploited for spam and hosting malware. The range is expressed in what is known as CIDR notation; in the case of Softlayer the CIDR to block is 75.126.0.0/16, which covers all IP addresses from 75.126.0.0 through 75.126.255.255. The CIDR assigned to the infected Italian website is 75.126.135.128/28, the 16 addresses from 75.126.135.128 through 75.126.135.143. This message has already been reported to SpamCop by numerous recipients, and SpamCop will notify the companies involved in hosting this malware. The timing of this spam threat is no coincidence: it was released on the Easter long holiday weekend, when support personnel may be out or short-handed until Tuesday, in the hope of keeping the ruse working for as long as possible.

If you have control over incoming email on your web server, you may wish to apply a filter to block traffic from these CIDRs, unless you have business with websites hosted there. Otherwise, create a filter to block email where the Subject contains "Stunning video" and "Carmen Electra" - and the body contains "Only 1 day trial" and "download it now."

The full text of the spam threat I examined is as follows...

Subject: Stunning video without cowards Carmen Electra

Message Body:

Milla Jovovich Interesting video with a naked celebrity.

The video is Kick-up!

Only 1 day trial - get this Full mp3 now!

{link removed} Download it now!

Read about what you should do if you have already clicked on such a link, in my extended comments...
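The header and body checks described above, as an added example that is not part of the original post: a small Python filter that parses a raw message, pulls every IPv4 literal out of its Received: chain, tests each against the CIDRs named in the post, and then applies the Subject/body term match (both subject terms AND both body terms must be present). The sample messages are constructed for the example (the Received: chain, sender address and link host are invented; the subject and body text mirror the spam quoted above), and the function names are mine, not MailWasher's.

```python
import re
from email import message_from_bytes, policy
from ipaddress import ip_address, ip_network
from typing import List, Optional

# CIDRs named in the post: Softlayer's /16 and the /28 of the hosting account.
BLOCKED_CIDRS = [ip_network("75.126.0.0/16")]
HOSTING_CIDR = ip_network("75.126.135.128/28")

# Subject/body terms the post suggests filtering on (matched case-insensitively).
SUBJECT_TERMS = ("stunning video", "carmen electra")
BODY_TERMS = ("only 1 day trial", "download it now")

# Constructed sample modelled on the lure quoted in the post; the relay chain,
# sender and link host are invented for this example.
SAMPLE_MSG = b"""Received: from mx.example.net (mx.example.net [203.0.113.7])
\tby mail.example.com with ESMTP id abc123; Sun, 23 Mar 2008 10:01:02 -0400
Received: from unknown (HELO localhost) (75.126.135.130)
\tby mx.example.net with SMTP; Sun, 23 Mar 2008 10:01:00 -0400
From: "Jessica" <jessica@example.org>
To: victim@example.com
Subject: Stunning video without cowards Carmen Electra
Content-Type: text/plain

Milla Jovovich Interesting video with a naked celebrity.

The video is Kick-up!

Only 1 day trial - get this Full mp3 now!

http://75.126.135.130/mgp.exe Download it now!
"""

# Constructed legitimate message: shares one body phrase, so it shows the AND logic.
CLEAN_MSG = b"""Received: from mail.example.org (mail.example.org [198.51.100.5])
\tby mail.example.com with ESMTP id def456; Mon, 24 Mar 2008 09:00:00 -0400
From: colleague@example.org
To: victim@example.com
Subject: Notes from Monday's meeting
Content-Type: text/plain

Attached are the notes. Download it now if you need them before Tuesday.
"""

_IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def _parse(raw: bytes):
    return message_from_bytes(raw, policy=policy.default)


def received_ips(raw: bytes) -> List[str]:
    """Every valid IPv4 literal in the Received: chain, topmost header first.

    Only the topmost header was written by our own server; lower ones can be
    forged by the sender, so hits deeper in the chain are weaker evidence."""
    ips = []
    for hdr in _parse(raw).get_all("Received", []):
        for cand in _IPV4.findall(str(hdr)):
            try:
                ip_address(cand)
            except ValueError:
                continue
            ips.append(cand)
    return ips


def blocked_by_cidr(raw: bytes, cidrs=BLOCKED_CIDRS) -> Optional[str]:
    """First Received: IP that falls inside a blocked CIDR, or None."""
    for ip in received_ips(raw):
        if any(ip_address(ip) in net for net in cidrs):
            return ip
    return None


def matches_lure(raw: bytes) -> bool:
    """Subject contains all SUBJECT_TERMS and body contains all BODY_TERMS."""
    msg = _parse(raw)
    subject = str(msg.get("Subject", "")).lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    return all(t in subject for t in SUBJECT_TERMS) and all(t in body for t in BODY_TERMS)


def in_hosting_range(ip: str) -> bool:
    """True for the 16 addresses 75.126.135.128 - 75.126.135.143 of the /28."""
    return ip_address(ip) in HOSTING_CIDR


def classify(raw: bytes) -> Optional[str]:
    """Reason the message would be deleted, or None if it passes both checks."""
    ip = blocked_by_cidr(raw)
    if ip:
        net = next(n for n in BLOCKED_CIDRS if ip_address(ip) in n)
        return f"blocked CIDR {net} ({ip})"
    if matches_lure(raw):
        return "lure pattern: subject/body terms"
    return None


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_MSG), ("clean", CLEAN_MSG)):
        print(name, received_ips(raw), classify(raw))
```

Blocking a whole /16 also catches every legitimate customer of that hosting company, which is why the post suggests doing so only if you have no business with sites hosted there; the narrower /28 is the range actually tied to the infected account.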


March 16, 2008

My Spam analysis for March 10 - 16, 2008

This article is about current email spam categories and percentages, based on the custom rule sets I created for the anti-spam tool MailWasher Pro and the statistics it reports.

I use MailWasher Pro to screen all of my incoming POP email accounts, and I write my own custom spam filter rules for it. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window that includes a pie chart breakdown of the various types of spam recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of, the week. I post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that fraudulent pharmaceuticals, mostly Viagra and male enhancement pills, dominated all spam categories, with counterfeit brands of watches, clothing and footwear, along with fake diplomas, making a big comeback. Most of the spam emails for pharmaceuticals link to websites hosted in China or Korea. Much of the fake and counterfeit drugs and herbal remedies being spamvertised are produced in China. Foremost among these are fake pharmacy websites, like the so-called "Canadian Pharmacy," which is not in Canada at all (it is in China and Indo-China), nor, despite the presence of fake accreditation logos, is it approved to sell pharmaceuticals in the US or Canada. Most of the fraudulent "Canadian Pharmacy" web pages are now hosted on compromised home or office PCs that are unknowingly members of various spam botnets.

< rant >
The only rational explanation for the continued existence of these fake pharmacies must be that there are enough gullible people in the world who will buy enough drugs from links in spam emails to make it financially worthwhile for spammers to pay to rent botnets to send this crap. Considering that most of these pharmaceuticals are fake or contaminated, one has to wonder how many people get sick, or die, because they foolishly bought spamvertised, counterfeit medicine from fraudulent online pharmacies.
< /rant >

As part of my ongoing filter maintenance I have merged some filters to simplify the reporting process, so the categories shown below may differ from the previous weeks' results. I have also created a special sender recognition filter that, when matched, assigns the status "BlackList" to those spam messages. This keeps a lot of spam out of the other categories, since my blacklist rule is processed first and a message is counted under the first rule it matches. It also saves the processing power that my remaining custom filters would otherwise spend on those messages. Furthermore, I have now applied some of my blacklist terms to the email server on my website, automatically eliminating a major portion of certain types of forged sender spam.

My current statistics show that spam was 56% of all my incoming email for the week of March 10 through 16, 2008, the same as last week. Without my custom MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me, since I would have to sort out the spam manually. Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages each day (which I then classify into new filters). The machines sending this deluge of spam are all members of botnets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm or related Trojans. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the world, all with forged sender names, confirming that this is a world-wide spam-demic.

MailWasher Pro spam category breakdown for March 10 through 16, 2008.
Blacklisted (by pattern matching): 17.21%
Male enhancement spam: 15.58%
Other Pharmaceutical spam (includes Viagra and Cialis): 4.51%
Other filters: 17.21%
Pirated software spam: 6.56%
Counterfeit Watches and Shoes: 19.26%
Casino spam: 0.09%
Diploma spam: 4.10%
HTML Tricks: 5.74%
Spam sent to and from same email account: 3.28%
Known Spam Subjects: 4.10%
DNS Blacklists: 1.23%
Bayesian learning filter: 1.23%
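The first-match ordering described above (blacklist rule first, then the category filters, each message counted once) and the percentage breakdown the post reports, as an added example in Python rather than anything from MailWasher Pro or the author's filter set. The rule patterns are placeholders I chose to illustrate the mechanism: the post does not publish the author's forged-sender pattern, so the blacklist rule below keys on a sender local part that ends in two or more digits, and the "HTML Tricks" rule looks for a word split by an empty tag pair. The sample messages are constructed. The example also shows that moving the blacklist rule to the end of the chain changes which category a message is credited to, which is the attribution effect the post describes.

```python
import re
from collections import Counter, namedtuple
from typing import Dict, List

Rule = namedtuple("Rule", ["name", "test"])
UNCLASSIFIED = "Unclassified"

# Placeholder patterns chosen for this example; the post does not publish the
# author's actual filter terms.
BLACKLIST_SENDER = re.compile(r"^[a-z]+\d{2,}@", re.I)  # local part ending in 2+ digits
KNOWN_SUBJECTS = {"your diploma is ready", "re: your order"}
MALE_ENH = re.compile(r"\b(viagra|cialis|enlarge(?:ment)?|male enhancement)\b", re.I)
WATCHES = re.compile(r"\b(rolex|replica watch(?:es)?)\b", re.I)
# A word split by an empty tag pair (V<b></b>iagra) renders normally but
# defeats a plain-text word match such as MALE_ENH above.
EMPTY_TAG_SPLIT = re.compile(r"\w(?:<[a-z]+>\s*</[a-z]+>)+\w", re.I)

# Evaluated in this order; the first rule that fires names the category.
RULES = [
    Rule("Blacklisted (by pattern matching)",
         lambda m: bool(BLACKLIST_SENDER.search(m["from"]))),
    Rule("Spam sent to and from same email account",
         lambda m: m["from"].lower() == m["to"].lower()),
    Rule("Known Spam Subjects",
         lambda m: m["subject"].strip().lower() in KNOWN_SUBJECTS),
    Rule("Male enhancement spam",
         lambda m: bool(MALE_ENH.search(m["subject"] + " " + m["body"]))),
    Rule("Counterfeit Watches and Shoes",
         lambda m: bool(WATCHES.search(m["subject"] + " " + m["body"]))),
    Rule("HTML Tricks",
         lambda m: bool(EMPTY_TAG_SPLIT.search(m["body"]))),
]

# Constructed sample week of mail, reduced to the fields the rules look at.
MESSAGES = [
    {"from": "vdeals99@example.net", "to": "victim@example.com",
     "subject": "Cheap meds", "body": "Buy Viagra and Cialis online"},
    {"from": "pills2008@example.org", "to": "victim@example.com",
     "subject": "Great offer", "body": "Enlarge fast with our male enhancement pills"},
    {"from": "victim@example.com", "to": "victim@example.com",
     "subject": "Hello", "body": "Check this out http://example.invalid/"},
    {"from": "grad@example.net", "to": "victim@example.com",
     "subject": "Your diploma is ready", "body": "No classes required"},
    {"from": "doc@example.net", "to": "victim@example.com",
     "subject": "Discreet", "body": "Male enhancement pills shipped overnight"},
    {"from": "shop@example.net", "to": "victim@example.com",
     "subject": "Luxury", "body": "Rolex replica watches, 95% off"},
    {"from": "promo@example.net", "to": "victim@example.com",
     "subject": "Great offer", "body": "<html>V<b></b>iagra at 80% off</html>"},
    {"from": "alice@example.org", "to": "victim@example.com",
     "subject": "Lunch?", "body": "Are you free on Tuesday?"},
]


def classify(message: Dict[str, str], rules: List[Rule] = RULES) -> str:
    """Name of the first rule that matches, or UNCLASSIFIED (in MailWasher
    these would fall through to the DNS blacklist and Bayesian checks)."""
    for rule in rules:
        if rule.test(message):
            return rule.name
    return UNCLASSIFIED


def breakdown(messages, rules: List[Rule] = RULES) -> Dict[str, float]:
    """Percentage of messages credited to each category, in rule order."""
    counts = Counter(classify(m, rules) for m in messages)
    total = sum(counts.values())
    order = [r.name for r in rules] + [UNCLASSIFIED]
    return {name: round(100 * counts[name] / total, 2) for name in order if counts[name]}


def with_rule_last(rules: List[Rule], name: str) -> List[Rule]:
    """Same rule set with the named rule moved to the end of the chain."""
    return [r for r in rules if r.name != name] + [r for r in rules if r.name == name]


if __name__ == "__main__":
    for category, pct in breakdown(MESSAGES).items():
        print(f"{category}: {pct}%")
```

With the blacklist rule first, the two messages from digit-suffixed senders are credited to "Blacklisted" even though their bodies would also satisfy the male enhancement rule; move that rule to the end and the same two messages are counted under "Male enhancement spam" instead. The pie chart therefore reflects rule order as much as spam content, which is worth remembering when comparing week-over-week percentages.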

These spam categories and their relative percentages shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising. Also, for over two months now, I have been blacklisting particular forged senders that match a pattern. The blacklisted category is quickly rising above all independent spam classifications, proving that my pattern matching is working. Many of the blacklisted spam messages are for counterfeit Viagra, illegal HGH, dubious male enhancement drugs, or pirated software.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).


March 9, 2008

My Spam analysis for March 3 - 9, 2008

This article is about current email spam categories and percentages, based on the custom rule sets I created for the anti-spam tool MailWasher Pro and the statistics it reports.

I use MailWasher Pro to screen all of my incoming POP email accounts, and I write my own custom spam filter rules for it. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window that includes a pie chart breakdown of the various types of spam recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of, the week. I post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that fraudulent pharmaceuticals, mostly Viagra and male enhancement pills, dominated all spam categories, with counterfeit brands of watches, clothing and footwear making a big comeback. Most of the spam emails for pharmaceuticals link to websites hosted in China or Korea. Much of the fake and counterfeit drugs and herbal remedies being spamvertised are produced in China. Foremost among these are fake pharmacy websites, like the so-called "Canadian Pharmacy," which is not in Canada at all (it is in China and Indo-China), nor, despite the presence of fake accreditation logos, is it approved to sell pharmaceuticals in the US or Canada. Most of the fraudulent "Canadian Pharmacy" web pages are now hosted on compromised home or office PCs that are unknowingly members of various spam botnets.

< rant >
The only rational explanation for the continued existence of these fake pharmacies must be that there are enough gullible people in the world who will buy enough drugs from links in spam emails to make it financially worthwhile for spammers to pay to rent botnets to send this crap. Considering that most of these pharmaceuticals are fake or contaminated, one has to wonder how many people get sick, or die, because they foolishly bought spamvertised, counterfeit medicine from fraudulent online pharmacies.
< /rant >

As part of my ongoing filter maintenance I have merged some filters to simplify the reporting process, so the categories shown below may differ from the previous weeks' results. I have also created a special sender recognition filter that, when matched, assigns the status "BlackList" to those spam messages. This keeps a lot of spam out of the other categories, since my blacklist rule is processed first and a message is counted under the first rule it matches. It also saves the processing power that my remaining custom filters would otherwise spend on those messages. Furthermore, I have now applied some of my blacklist terms to the email server on my website, automatically eliminating a major portion of certain types of forged sender spam.

My current statistics show that spam was 56% of all my incoming email for the week of March 3 through 9, 2008, up 3% from last week. Without my custom MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me, since I would have to sort out the spam manually. Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages each day (which I then classify into new filters). The machines sending this deluge of spam are all members of botnets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm or related Trojans. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the world, all with forged sender names, confirming that this is a world-wide spam-demic.

MailWasher Pro spam category breakdown for March 3 through 9, 2008.
Blacklisted (by pattern matching): 19.65%
Male enhancement spam: 19.65%
Viagra and Viagra.com: 3.49%
Other Pharmaceutical spam: 12.66%
Other filters: 12.23%
Counterfeit Watches and Shoes: 13.97%
Casino spam: 0% (1 email)
Diploma spam: 0% (4 emails)
HTML Tricks: 10.04%
Spam sent to and from same email account: 3.06%
Known Spam Subjects: 4.80%

These spam categories and their relative percentages shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising. Also, for over two months now, I have been blacklisting particular forged senders that match a pattern. The blacklisted category is quickly rising above all independent spam classifications, proving that my pattern matching is working. Many of the blacklisted spam messages are for counterfeit Viagra, illegal HGH, dubious male enhancement drugs, or pirated software.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).


March 3, 2008

My Spam analysis for February 25 - March 2, 2008

This article is about current email spam categories and percentages, based on the custom rule sets I created for the anti-spam tool MailWasher Pro and the statistics it reports.

I use MailWasher Pro to screen all of my incoming POP email accounts, and I write my own custom spam filter rules for it. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window that includes a pie chart breakdown of the various types of spam recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of, the week. I post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that fraudulent pharmaceuticals, mostly Viagra and male enhancement pills, dominated all spam categories. Most of the spam emails for pharmaceuticals link to websites hosted in China, where fake and counterfeit drugs are produced. Foremost among these are fake pharmacy websites, like the so-called "Canadian Pharmacy," which is not in Canada at all (it is in China and Indo-China), nor, despite the presence of fake accreditation logos, is it approved to sell pharmaceuticals in the US or Canada. Most of the fraudulent "Canadian Pharmacy" web pages are now hosted on compromised home or office PCs that are unknowingly members of various spam botnets. The only rational explanation for the continued existence of these fake pharmacies must be that there are enough gullible people in the world who will buy enough drugs from links in spam emails to make it financially worthwhile for spammers to pay to rent botnets to send this crap. Considering that most of these pharmaceuticals are fake or contaminated, one has to wonder how many people get sick, or die, because they foolishly bought spamvertised, counterfeit medicine from fraudulent online pharmacies.

As part of my ongoing filter maintenance I have merged some filters to simplify the reporting process, so the categories shown below may differ from the previous weeks' results. I have also created a special sender recognition filter that, when matched, assigns the status "BlackList" to those spam messages. This keeps a lot of spam out of the other categories, since my blacklist rule is processed first and a message is counted under the first rule it matches. It also saves the processing power that my remaining custom filters would otherwise spend on those messages.

My current statistics show that spam was 53% of all my incoming email for the week of February 25 through March 2, 2008, the same as last week. Without my custom MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me, since I would have to sort out the spam manually. Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages each day (which I then classify into new filters). The machines sending this deluge of spam are all members of botnets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm or related Trojans. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the world, all with forged sender names, confirming that this is a world-wide spam-demic.

MailWasher Pro spam category breakdown for February 25 through March 2, 2008.
Blacklisted (by pattern matching): 26.64%
Male enhancement spam: 13.53%
Viagra and Viagra.com: 2.42%
Other Pharmaceutical spam: 11.10%
Other filters: 21.26%
Counterfeit Watches and Shoes: 18.36%
Casino spam: 0% (3 emails)
Diploma spam: 3.86%
HTML Tricks: 4.83%
Spam sent to and from same email account: 0% (4 emails)
Known Spam Subjects: 0% (10 emails)

These spam categories and their relative percentages shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising. Also, for over two months now, I have been blacklisting particular forged senders that match a pattern. The blacklisted category is quickly rising above all independent spam classifications, proving that my pattern matching is working. Many of the blacklisted spam messages are for counterfeit Viagra, illegal HGH, dubious male enhancement drugs, or pirated software.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).


February 24, 2008

My Spam analysis for February 18 - 24, 2008

This article is about current email spam categories and percentages, based on the custom rule sets I created for the anti-spam tool MailWasher Pro and the statistics it reports.

I use MailWasher Pro to screen all of my incoming POP email accounts, and I write my own custom spam filter rules for it. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window that includes a pie chart breakdown of the various types of spam recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of, the week. I post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that fraudulent pharmaceuticals, mostly Viagra and male enhancement pills, dominated all spam categories. Most of the spam emails for pharmaceuticals link to websites hosted in China, where fake and counterfeit drugs are produced. Foremost among these are fake pharmacy websites, like the so-called "Canadian Pharmacy," which is not in Canada at all (it is in China and Indo-China), nor, despite the presence of fake accreditation logos, is it approved to sell pharmaceuticals in the US or Canada. Most of the fraudulent "Canadian Pharmacy" web pages are now hosted on compromised home or office PCs that are unknowingly members of various spam botnets. The only rational explanation for the continued existence of these fake pharmacies must be that there are enough gullible people in the world who will buy enough drugs from links in spam emails to make it financially worthwhile for spammers to pay to rent botnets to send this crap. Considering that most of these pharmaceuticals are fake or contaminated, one has to wonder how many people get sick, or die, because they foolishly bought spamvertised, counterfeit medicine from fraudulent online pharmacies.

As part of my ongoing filter maintenance I have merged some filters to simplify the reporting process, so the categories shown below may differ from the previous weeks' results. I have also created a special sender recognition filter that, when matched, assigns the status "BlackList" to those spam messages. This keeps a lot of spam out of the other categories, since my blacklist rule is processed first and a message is counted under the first rule it matches. It also saves the processing power that my remaining custom filters would otherwise spend on those messages.

My current statistics show that spam was 53% of all my incoming email for the week of February 18 through 24, 2008, down 2% from last week. Without my custom MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me, since I would have to sort out the spam manually. Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages each day (which I then classify into new filters). The machines sending this deluge of spam are all members of botnets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm or related Trojans. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the world, all with forged sender names, confirming that this is a world-wide spam-demic.

MailWasher Pro spam category breakdown for February 18 through 24, 2008.
Blacklisted (by pattern matching): 24.69%
Male enhancement spam: 23.87%
Viagra and Viagra.com: 3.29%
Other Pharmaceutical spam: 14.82%
Other filters: 13.17%
Counterfeit Watches and Shoes: 8.64%
Casino spam: 5.76%
HTML Tricks: 2.47%
One word spam subjects: 2.47%
Spam sent to and from same email account: 3.70%
DNS Blacklists: 1.23%
Bayesian learning filter: 0.82%

These spam categories and their relative percentages shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising. Also, for over two months now, I have been blacklisting particular forged senders that match a pattern. The blacklisted category is quickly rising above all independent spam classifications, proving that my pattern matching is working. Many of the blacklisted spam messages are for counterfeit Viagra, illegal HGH, dubious male enhancement drugs, or pirated software.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).


February 17, 2008

My Spam analysis for February 11 - 17, 2008

This article is about current email spam categories and percentages, based on the custom rule sets I created for the anti-spam tool MailWasher Pro and the statistics it reports.

I use MailWasher Pro to screen all of my incoming POP email accounts, and I write my own custom spam filter rules for it. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window that includes a pie chart breakdown of the various types of spam recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of, the week. I post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that fraudulent pharmaceuticals, mostly Viagra and male enhancement pills, dominated all spam categories. Most of the spam emails for pharmaceuticals link to websites hosted in China, where fake and counterfeit drugs are produced. Foremost among these are fake pharmacy websites, like the so-called "Canadian Pharmacy," which is not in Canada at all (it is in China and Indo-China), nor, despite the presence of fake accreditation logos, is it approved to sell pharmaceuticals in the US or Canada. Most of the fraudulent "Canadian Pharmacy" web pages are now hosted on compromised home or office PCs that are unknowingly members of various spam botnets. The only rational explanation for the continued existence of these fake pharmacies must be that there are enough gullible people in the world who will buy enough drugs from links in spam emails to make it financially worthwhile for spammers to pay to rent botnets to send this crap. Considering that most of these pharmaceuticals are fake or contaminated, one has to wonder how many people get sick, or die, because they foolishly bought spamvertised, counterfeit medicine from fraudulent online pharmacies.

As part of my ongoing filter maintenance I have merged some filters to simplify the reporting process, so the categories shown below may differ from the previous weeks' results. I have also created a special sender recognition filter that, when matched, assigns the status "BlackList" to those spam messages. This keeps a lot of spam out of the other categories, since my blacklist rule is processed first and a message is counted under the first rule it matches. It also saves the processing power that my remaining custom filters would otherwise spend on those messages.

My current statistics show that spam was 55% of all my incoming email for the week of February 11 through 17, 2008, up 1% from last week. Without my custom MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me, since I would have to sort out the spam manually. Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages each day (which I then classify into new filters). The machines sending this deluge of spam are all members of botnets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm or related Trojans. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the world, all with forged sender names, confirming that this is a world-wide spam-demic.

MailWasher Pro spam category breakdown for February 11 through 17, 2008.
Blacklisted (by pattern matching): 26.27%
Male enhancement spam: 16.10%
Viagra and Viagra.com: 19.48%
Other Pharmaceutical spam: 11.02%
Other filters: 13.56%
Counterfeit Watches and Shoes: 6.77%
X-Mailer: The Bat!: 6.36%
HTML Tricks: 0.42%

These spam categories and their relative percentages shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising. Also, for over two months now, I have been blacklisting particular forged senders that match a pattern. The blacklisted category is quickly rising above all independent spam classifications, proving that my pattern matching is working. Many of the blacklisted spam messages are for counterfeit Viagra, illegal HGH, dubious male enhancement drugs, or pirated software.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).


February 10, 2008

My Spam analysis for February 4 - 10, 2008

This article is about current email spam categories and percentages, based on the custom rule sets I created for the anti-spam tool MailWasher Pro and the statistics it reports.

I use MailWasher Pro to screen all of my incoming POP email accounts, and I write my own custom spam filter rules for it. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window that includes a pie chart breakdown of the various types of spam recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of, the week. I post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that various pharmaceuticals, including illicit prescription drugs, male and female enhancement pills and weight loss capsules, lead the pack again (no surprise here). All of them link to websites hosted in China, where the counterfeit drugs are produced, or in Korea. Foremost among these are fake pharmacy websites, like the so-called "CanadianPharmacy," which is not in Canada at all (it is in China and Indo-China), and whose drugs are definitely not FDA approved. Most of the "CanadianPharmacy" web pages are now hosted on compromised home PCs that are unknowingly members of various spam botnets. One has to wonder how many people are dying, or ending up in emergency rooms, every day because they foolishly bought spamvertised, counterfeit or contaminated medicine.

The Storm Botnet is actively spamming emails proclaiming love messages, getting an early start on the upcoming Valentine's Day greetings season. They all contain a short "love" message and (numeric) links to Storm Trojan infected computers. People who are tricked into clicking on those links will in all likelihood have their PCs drafted into the Storm Botnet. If past history is any guide, the links in Storm Trojan spam messages will not always be numeric. Just beware of any short email from unknown (or even known) senders, containing a brief (usually one line) message with just a link that is either numeric, or has a word related to "love" or "Valentine" in the link.

As part of my ongoing filter maintenance I have merged some filters to simplify the reporting process, so the categories shown below may differ from the previous weeks' results. I have also created a special filter rule that, when matched, assigns the status "BlackList" to those spam messages. This keeps a lot of spam out of the other categories, since my blacklist rule is processed first and a message is counted under the first rule it matches. It also saves the processing power that my remaining custom filters would otherwise spend on those messages.

My current statistics show that spam was 54% of all my incoming email for the week of February 4 through 10, 2008, down 2% from last week. Without my MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me, since I would have to sort out the spam manually. Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages each day (which I then classify into new filters). The machines sending this deluge of spam are all members of botnets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm Trojan. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the world, all with forged sender names, confirming that this is a world-wide spam-demic.

MailWasher Pro spam category breakdown for February 4 through 10, 2008.
Blacklisted (by pattern matching): 25.54%
Male enhancement spam: 10.79%
Viagra and Viagra.com: 32.74%
Other Pharmaceutical spam: 3.96%
Other filters: 18.35%
Pirated software spam: 3.60%
Numeric links (to Storm Botnet hosts): 0% (5 emails)
Counterfeit Watches spam: 0%
HTML Tricks: 2.88%
Known Spam Subjects: 2.16%

These spam categories and their relative percentages will probably shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising. Also, for over a month now, I have been blacklisting particular forged senders that match a pattern. The blacklisted category is quickly rising above all independent spam classifications, proving that my pattern matching is working. Many of the blacklisted spam messages are for illicit Viagra, or male enhancement drugs.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc.).

Regarding my custom MailWasher Pro spam filters: thanks to my continuing work refining these filter rules, their accuracy has increased to the point that less than 2% of the spam detections flew under my radar and were classified by the DNS Blacklists instead, for this reporting period (ditto for the learning filter). All other spam was classified and dealt with by my custom filters.

Try Firetrust Mailwasher® Pro

February 3, 2008

Storm Botnet Zombie computers now hosting spam web pages

I analyze the sources and destinations of various types of spam I capture in my honeypot accounts, and I've begun seeing numeric IP links in spam for fake pharmacies. The numeric links point to Windows-based PCs that are zombie members of the Storm Trojan Botnet, because they did not have all available patches or good security programs installed and updated. These compromised computers are, unknown to their owners, hosting web pages containing advertisements for fake pharmacies, counterfeit drugs and male/female enhancement solutions.

As my regular readers already know, virtually all numeric links in spam messages are actually the IP addresses assigned to the modems of residential or business customers of DSL and Cable Internet companies. The people who think they own these computers are not aware that their computer is now owned by a criminal Botmaster, who has herded millions of insecure PCs into his network, called a Botnet. Most of the numeric links in spam messages are sent by computers in the "Storm" Botnet, the World's largest at this time. Each one of these computers is acting like a "sleeper agent," behaving normally until its Botmaster sends it a remote command: to send spam, to launch a denial of service attack, or to receive a web page and file that it will host, to infect curious web surfers who are enticed there by cleverly worded spam messages.

We are 11 days away from this year's Valentine's Day celebration, and the Storm Botnet is already busy generating love messages to sucker as many people as possible into infecting their own computers by following links in spam messages sent from other Storm Botnet zombie computers. Now you also have them using pharmaceuticals and male enhancement as bait. The authors of these messages, while being 100% criminals, are nonetheless brilliant at social engineering. They jump on major news stories to rewrite the scripts that their zombie computers use to send spam runs, with current topics in the subject or body, all linking to infected computers that attempt to spread this Trojan to every sucker that is sent to them. Don't be one of those suckers!

I discuss how the Storm Trojan uses hidden rootkit technology to hide its presence from the computer owners, in my extended comments.


My Spam analysis for January 28 - February 3, 2008

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, for which I write my own custom spam filter rules. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of, the week. I post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that various pharmaceuticals, including illicit prescription drugs, male and female enhancement pills and weight loss capsules, lead the pack again (no surprise here). All of them have links to websites hosted in China, where the counterfeit drugs are produced, or in Korea. One has to wonder how many people are dying, or ending up in emergency rooms, every day because they foolishly bought spamvertised, counterfeit or contaminated medicine.

The Storm Botnet is actively spamming emails proclaiming love messages, getting an early start on the upcoming Valentine's Day greetings season. They all contain a short "love" message and (numeric) links to Storm Trojan infected computers. People who are tricked into clicking on those links will in all likelihood have their PCs drafted into the Storm Botnet. If past history tells us anything, it is that the links in Storm Trojan spam messages will not always be numeric. Just beware of any short email from unknown (or even known) senders containing a brief (usually one-line) message with just a link that is either numeric or has a word related to "love" or "Valentine" in it.

Due to my ongoing procedures I have merged some filters to simplify the reporting process, so the categories shown below may differ from the previous weeks' results. I have also created a special filter rule that, when matched, assigns the status "BlackList" to those spam messages. This keeps a lot of spam from having to be categorized by my other filters, since my blacklist rule is processed first, which saves the processing power my custom filters would normally use.

My current statistics show that spam is now 56% of all my incoming email, for the week of January 28, through February 3, 2008. This is down 4% from last week. Without my MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters). The machines sending this deluge of spam are all members of BotNets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm Trojan. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the World, all with forged sender names, confirming that this is a World-wide Spam-demic.

MailWasher Pro spam category breakdown for January 28, through February 3, 2008.
MailWasher Pro by Firetrust
Blacklisted (by pattern matching): 23.77%
Male enhancement spam: 21.97%
Viagra and Viagra.com: 23.32%
Pharmaceutical spam: 10.76%
Other filters: 14.35%
Pirated software spam: 1.79%
Numeric links (to Storm Botnet hosts): 4.48% (3)
Counterfeit Watches spam: 0% (2 hits)
HTML Tricks: 5.83%
Known Spam Subjects: 1.79%

These spam categories and their relative percentages will probably shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising. Also, beginning this week, I have begun blacklisting particular forged senders that match a pattern. The blacklisted category is quickly rising above all independent spam classifications, proving that my pattern matching is working.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc.).

Regarding my custom MailWasher Pro spam filters: thanks to my continuing work refining these filter rules, their accuracy has increased to the point that less than 3% of the spam detections flew under my radar and were classified by the DNS Blacklists instead, for this reporting period (ditto for the learning filter). All other spam was classified and dealt with by my custom filters.

Try Firetrust Mailwasher® Pro

January 27, 2008

My Spam analysis for the 4th week of January, 2008

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, for which I write my own custom spam filter rules. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of, the week. I post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that various pharmaceuticals, including illicit prescription drugs, male and female enhancement pills and weight loss capsules, lead the pack again (no surprise here). All of them have links to websites hosted in China, where the counterfeit drugs are produced, or in Korea. One has to wonder how many people are dying, or ending up in emergency rooms, every day because they foolishly bought spamvertised, counterfeit or contaminated medicine.

The Storm Botnet is actively spamming emails proclaiming love messages, getting an early start on the upcoming Valentine's Day greetings season. They all contain a short "love" message and (numeric) links to Storm Trojan infected computers. People who are tricked into clicking on those links will in all likelihood have their PCs drafted into the Storm Botnet. If past history tells us anything, it is that the links in Storm Trojan spam messages will not always be numeric. Just beware of any short email from unknown (or even known) senders containing a brief (usually one-line) message with just a link that is either numeric or has a word related to "love" or "Valentine" in it.

Due to my ongoing procedures I have merged some filters to simplify the reporting process, so the categories shown below may differ from the previous weeks' results. I have also created a special filter rule that, when matched, assigns the status "BlackList" to those spam messages. This keeps a lot of spam from having to be categorized by my other filters, since my blacklist rule is processed first, which saves the processing power my custom filters would normally use.

My current statistics show that spam is now 60% of all my incoming email, for the week of January 21, through 27, 2008. This is up 13% from last week. Without my MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters). The machines sending this deluge of spam are all members of BotNets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm Trojan. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the World, all with forged sender names, confirming that this is a World-wide Spam-demic.

MailWasher Pro spam category breakdown for January 21, through 27, 2008.
MailWasher Pro by Firetrust
Blacklisted (by pattern matching): 37.5%
Male enhancement spam: 12.92%
Viagra and Viagra.com: 8.33%
Pharmaceutical spam: 3.33%
Other filters: 20.83%
RX Spam: 4.58%
Pirated software spam: 2.92%
Storm Trojan links: 0% (3)
Counterfeit Watches spam: 3.33%
Diploma spam: 2.92%
HTML Tricks: 2.50%
DNS Blacklists: 0.83%

These spam categories and their relative percentages will probably shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising. Also, beginning this week, I have begun blacklisting particular forged senders that match a pattern. The blacklisted category is quickly rising above all independent spam classifications, proving that my pattern matching is working.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc.).

Regarding my custom MailWasher Pro spam filters: thanks to my continuing work refining these filter rules, their accuracy has increased to the point that less than 3% of the spam detections flew under my radar and were classified by the DNS Blacklists instead, for this reporting period (ditto for the learning filter). All other spam was classified and dealt with by my custom filters.

Try Firetrust Mailwasher® Pro

January 20, 2008

My Spam analysis for the 3rd week of January, 2008

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, for which I write my own custom spam filter rules. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of, the week. I post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that various pharmaceuticals, including illicit prescription drugs, male and female enhancement pills and weight loss capsules, lead the pack again (no surprise here). All of them have links to websites hosted in China, where the counterfeit drugs are produced, or in Korea. One has to wonder how many people are dying, or ending up in emergency rooms, every day because they foolishly bought spamvertised, counterfeit or contaminated medicine.

The Storm Botnet is actively spamming emails proclaiming love messages, getting an early start on the upcoming Valentine's Day greetings season. They all contain a short "love" message and (numeric) links to Storm Trojan infected computers. People who are tricked into clicking on those links will in all likelihood have their PCs drafted into the Storm Botnet. If past history tells us anything, it is that the links in Storm Trojan spam messages will not always be numeric. Just beware of any short email from unknown (or even known) senders containing a brief (usually one-line) message with just a link that is either numeric or has a word related to "love" or "Valentine" in it.

Noticeably reduced, again, this week, were spam for diplomas (0), refinancing (0), lottery scams (0), phishing scams (0), and pump and dump stocks (0). Due to my ongoing procedures I have merged some filters to simplify the reporting process, so the categories shown below may differ from the previous weeks' results.

My current statistics show that spam is now 47% of all my incoming email, for the week of January 14, through 20, 2008. This is down 4% from last week. Without my MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters). The machines sending this deluge of spam are all members of BotNets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm Trojan. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the World, all with forged sender names, confirming that this is a World-wide Spam-demic.

MailWasher Pro spam category breakdown for January 14, through 20, 2008.
MailWasher Pro by Firetrust
Blacklisted (by pattern matching): 20.71%
Male enhancement spam: 33.73%
Viagra and Viagra.com: 1.78%
Pharmaceutical spam: 13.01%
Other filters: 14.20%
RX Spam: 2.37%
Storm Trojan links: 3.55%
5 line spam: 4.73%
Counterfeit Watches spam: 2.96%
DNS Blacklists: 2.37%
Bayesian learning filter: 0.59%

These spam categories and their relative percentages will probably shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising. Also, beginning this week, I have begun blacklisting particular forged senders that match a pattern. The blacklisted category is quickly rising above all independent spam classifications, proving that my pattern matching is working.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc.).

Regarding my custom MailWasher Pro spam filters: thanks to my continuing work refining these filter rules, their accuracy has increased to the point that less than 3% of the spam detections flew under my radar and were classified by the DNS Blacklists instead, for this reporting period (ditto for the learning filter). All other spam was classified and dealt with by my custom filters.

Try Firetrust Mailwasher® Pro

January 15, 2008

Beware of spammed emails with subjects like 'In Your Arms'

With Valentine's Day a full month away, the Storm BotNet is becoming active again, after a very brief nap. In what appears to be an early head start on a run of infected Valentine's Day greetings, tonight I received a message with the subject "In Your Arms," with but one line of body text, consisting of this:

I Love You Because http://68.52.93.---/

where the dashes replace the numbers I removed; the address belongs to a Comcast Cable Internet customer who is unknowingly hosting the Storm Trojan on his or her computer. The spam was sent by another Storm Trojan infected computer, in Brazil. Both of these computers are in far-removed countries, yet they are zombie members of the same Storm BotNet, with a membership estimated to be in the hundreds of thousands, if not millions.

If you get a spam message similar to this one, delete it immediately. Do not become Curious George and click on the link. The World already has too many Storm Trojan infected computers. Instead of finding a message of love behind the big heart graphic on the host machine, you will find that you have been deceived by criminals in the Baltic regions, who do not love you at all and do not have your best interests in their hearts. You will have downloaded a file named "with_love.exe" (or a variation thereof), which is the Storm Trojan itself. Storm Trojan computers are used for illegal activities, like spamming, scamming, hosting Trojan files and phishing/identity theft web pages, and for launching denial of service attacks. That is the love that awaits victims of these scams.

All of the victims clicked on links sent from other infected computers which were programmed to send spam messages, with those links (mostly numeric, but not always). All of the infections occurred when, after clicking on the spammed links, they arrived at the web page with the Trojan file, where they were either infected by a JavaScript activated stealth download, or by clicking on a visible download link. And, in case you were wondering how anybody could be so stupid, they clicked on the visible links like they were going out of style! Why? Because they were already duped into thinking that a greeting card, or love letter awaited them and if they had to click again to actually see it, what harm could that be? Unless those computers were being run with limited user privileges, they were instantly infected, and became members of the ever-growing legions of the Storm BotNet. Within hours or days their computers were also sending out thousands of similar spam email messages and were being used to host the same web page, with the same infection routines.
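The message pattern just described (a one-line body whose only link is a bare IP address) and the blacklist-first rule ordering described in the weekly spam reports, as an added Python example that is not the author's MailWasher Pro filter set and not anything from Firetrust: named rules are tried in order with the cheap sender-pattern blacklist first, one rule flags short bare-IP-link lures, and the results are tallied into the two figures the reports quote (spam as a share of all mail, and each category as a share of the spam). The blacklist regex, the keyword patterns, the known-subject list and the sample messages are constructed assumptions for illustration; the post does not disclose the real sender pattern, and 192.0.2.45 is from a documentation address range, not a real customer.

```python
import re
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

# Rules are tried in order and the first match wins, so the cheap
# sender-pattern blacklist runs before any rule that has to scan the body,
# mirroring the "blacklist rule is processed first" arrangement in the
# weekly reports. The pattern below is an ASSUMED illustration (a short run
# of letters followed by three or more digits in the local part); the posts
# do not disclose the real sender pattern being blacklisted.
BLACKLISTED_SENDER = re.compile(r"^[a-z]{2,8}\d{3,}@", re.I)

# A bare dotted-quad URL (no hostname), optionally with a port and a path.
NUMERIC_LINK = re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?(?:/\S*)?", re.I)

VIAGRA = re.compile(r"\bv[i1]agra\b", re.I)  # also catches the "v1agra" spelling
MALE_ENHANCEMENT = re.compile(r"\b(?:male enhancement|enlarge(?:ment)?)\b", re.I)
KNOWN_SPAM_SUBJECTS = {"in your arms", "i love you because"}  # constructed list


def _body_text(msg):
    """Return the first text/plain part of a message as a string."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            return payload.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def is_storm_style(body):
    """Storm-run lure: at most three non-blank lines, and every URL is a bare IP."""
    lines = [ln for ln in body.splitlines() if ln.strip()]
    urls = [u.rstrip(".,)") for u in re.findall(r"https?://\S+", body, re.I)]
    return bool(urls) and len(lines) <= 3 and all(NUMERIC_LINK.fullmatch(u) for u in urls)


def _subject_and_body(msg, body):
    return (msg.get("Subject") or "") + "\n" + body


RULES = [
    ("Blacklisted (by pattern matching)",
     lambda msg, body: bool(BLACKLISTED_SENDER.search(parseaddr(msg.get("From") or "")[1]))),
    ("Numeric links (to Storm Botnet hosts)",
     lambda msg, body: is_storm_style(body)),
    ("Known Spam Subjects",
     lambda msg, body: (msg.get("Subject") or "").strip().lower() in KNOWN_SPAM_SUBJECTS),
    ("Viagra and Viagra.com",
     lambda msg, body: bool(VIAGRA.search(_subject_and_body(msg, body)))),
    ("Male enhancement spam",
     lambda msg, body: bool(MALE_ENHANCEMENT.search(_subject_and_body(msg, body)))),
]


def classify(raw_message):
    """Name of the first matching rule, or 'Good' when nothing matches."""
    msg = message_from_string(raw_message)
    body = _body_text(msg)
    for name, matches in RULES:
        if matches(msg, body):
            return name
    return "Good"


def breakdown(raw_messages):
    """(spam share of all mail, {category: share of the spam}) as percentages,
    the two numbers the weekly reports quote."""
    counts = Counter(classify(raw) for raw in raw_messages)
    total = sum(counts.values())
    spam = total - counts.get("Good", 0)
    spam_pct = round(100.0 * spam / total, 2) if total else 0.0
    categories = {name: round(100.0 * n / spam, 2)
                  for name, n in counts.items() if name != "Good"} if spam else {}
    return spam_pct, categories


# Constructed sample traffic. 192.0.2.0/24 is a documentation range (RFC 5737),
# standing in for the residential address redacted in the post.
SAMPLE_MAIL = [
    "From: Maria <maria@example.net>\nSubject: In Your Arms\n\n"
    "I Love You Because http://192.0.2.45/\n",
    "From: rdwq7732@example.org\nSubject: your order\n\n"
    "VIAGRA at 80% off, visit http://pills.example/\n",
    "From: deals@example.com\nSubject: Special offer\n\n"
    "Buy V1agra and C1alis cheap online!\n",
    "From: news@example.com\nSubject: Enlarge in weeks\n\n"
    "Male enhancement pills, guaranteed results.\n",
    "From: alice@example.com\nSubject: lunch?\n\n"
    "Are you free on Thursday? http://calendar.example/alice\n",
]

if __name__ == "__main__":
    for raw in SAMPLE_MAIL:
        print(f"{classify(raw):40s} <- {message_from_string(raw)['Subject']}")
    spam_pct, categories = breakdown(SAMPLE_MAIL)
    print(f"spam is {spam_pct}% of all incoming email")
    for name, pct in sorted(categories.items(), key=lambda kv: -kv[1]):
        print(f"  {name}: {pct}%")
```

Rule order is the point: anything the sender blacklist catches never reaches the body scans, and the numeric-link check sits ahead of the keyword rules because a Storm lure carries no product keywords at all, only a bare address. Whatever pattern you pick for the blacklist, run it against your own legitimate mail before letting a rule auto-delete; a forged-sender pattern that is too loose is the fastest way to lose real mail.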

Are you already infected with the Storm Trojan? There are several ways to find out. One is to read my blog article about detecting a Storm Trojan infection, which I wrote on December 28, 2007.

If you have anti-virus and anti-spyware programs on your PC, update them to the latest versions and definitions, then reboot into Windows Safe Mode, log in as the Administrator, then run scans with everything you've got. Be sure you disable System Restore if any major malware items are found, then disinfect, or you will become re-infected when you reboot.

If you don't have any security protection installed, or what you do have is outdated, you can run a free, reliable online spyware and virus scan with the Kaspersky Online Scanner. Kaspersky Labs produce some of the best anti-virus and anti-spyware programs in the world. They aren't free, but they are reasonably priced, given the large number of daily updates registered owners receive and the accuracy of their detections. Using their free online scanner requires that you first download the complete detection database (which takes a while) before choosing a system area to scan. Subsequent visits to the service only require small updates to the database, which happen much faster.

I was scanning with the Kaspersky Online Scanner in Internet Explorer as I typed this in Firefox, and it didn't put any additional load on my system. The scan was quite thorough. The scanning sequence I chose and recommend is this: first, memory; second, critical system areas; and third, email databases. If you want to scan selected files or folders, there are links to choose the ones you want. There is also a link to scan your entire computer, which will probably take a long time, so only use this if you aren't in any hurry for the results (overnight?).


January 13, 2008

My Spam analysis for the 2nd week of January, 2008

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, for which I write my own custom spam filter rules. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of, the week. I post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that various pharmaceuticals, including illicit prescription drugs, male and female enhancement pills and weight loss capsules lead the pack, again, accounting for well over 80% of all incoming spam. All of them have links to websites hosted in China, where the counterfeit drugs are produced. One has to wonder how many people are dying, or ending up in emergency rooms every day, because they foolishly bought spamvertised, counterfeit medicine?

Noticeably reduced, again, this week, were spam for diplomas (3), refinancing (0), lottery scams (0), phishing scams (0), and pump and dump stocks (0). Due to my ongoing procedures I have merged some filters to simplify the reporting process, so the categories shown below may differ from the previous weeks' results.

My current statistics show that spam is now 51% of all my incoming email, for the week of January 7, through 13, 2008. This is down 9% from last week. Without my MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters). The machines sending this deluge of spam are all members of BotNets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm Trojan. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the World, all with forged sender names, confirming that this is a World-wide Spam-demic.

MailWasher Pro spam category breakdown for January 7, through 13, 2008.
MailWasher Pro by Firetrust
Blacklisted (by pattern matching): 32.21%
Male enhancement spam: 28.86%
Viagra and Viagra.com: 8.07%
Pharmaceutical spam: 8.06%
Other filters: 12.07%
Pirated software spam: 2.68%
Postcard Trojan scams: 0%
5 line spam: 4.03%
Pills spam: 2.01%
Diploma spam: 2.01%

These spam categories and their relative percentages will probably shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising. Also, beginning this week, I have begun blacklisting particular forged senders that match a pattern. The blacklisted category is quickly rising above all independent spam classifications, proving that my pattern matching is working.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc.).

Regarding my custom MailWasher Pro spam filters: thanks to my continuing work refining these filter rules, their accuracy has increased to the point that less than a quarter of one percent of the spam detections flew under my radar and were classified by the DNS Blacklists instead, for this reporting period (ditto for the learning filter). All other spam was classified and dealt with by my custom filters.

Try Firetrust Mailwasher® Pro

January 6, 2008

My Spam analysis for the 1st week of January, 2008

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, for which I write my own custom spam filter rules. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of, the week. I'll post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that various pharmaceuticals, including illicit prescription drugs, male and female enhancement pills and weight loss capsules lead the pack, again, accounting for well over 90% of all incoming spam. All of them have links to websites hosted in China, where the counterfeit drugs are produced. One has to wonder how many people are dying, or ending up in emergency rooms every day, because they foolishly bought spamvertised, counterfeit medicine?

Noticeably reduced, again, this week, were spam for financing (0), lottery scams (0), phishing scams (0), and pump and dump stocks (0). Due to my ongoing procedures I have merged some filters to simplify the reporting process, so the categories shown below may differ from the previous weeks' results.

My current statistics show that spam is now 60% of all my incoming email, for the week of December 31, 2007, through January 6, 2008. This is down 4% from last week. Without my MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters). The machines sending this deluge of spam are all members of BotNets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm Trojan. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the World, all with forged sender names, confirming that this is a World-wide Spam-demic.

MailWasher Pro spam category breakdown for December 31, 2007, through January 6, 2008.
MailWasher Pro by Firetrust
Male enhancement spam: 40.83%
Blacklisted (by pattern matching): 26.04%
Viagra and Viagra.com: 9.47%
Other filters: 5.92%
RX Spam: 3.55%
Pirated software spam: 3.55%
Elite Herbal Spam: 2.37%
Postcard Trojan scams: 2.37%
5 line spam: 1.78%
HGH filter: 1.78%
Quit Smoking patches: 1.18%
DNS Blacklists: 1.18%

These spam categories and their relative percentages will probably shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising. Also, beginning this week, I have begun blacklisting particular forged senders that match a pattern. The blacklisted category is quickly rising above all independent spam classifications, proving that my pattern matching is working.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc.).

Regarding my custom MailWasher Pro spam filters: thanks to my continuing work refining these filter rules, their accuracy has increased to the point that less than a quarter of one percent of the spam detections flew under my radar and were classified by the DNS Blacklists instead, for this reporting period (ditto for the learning filter). All other spam was classified and dealt with by my custom filters.

Try Firetrust Mailwasher® Pro

December 30, 2007

My Spam analysis for Dec 24 - 30, 2007

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and for which I write my own custom spam filter rules. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window, that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of the week. I'll post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that various pharmaceuticals, including illicit prescription drugs, male and female enhancement pills and weight loss capsules lead the pack, again, accounting for well over 60% of all incoming spam. All of them have links to websites hosted in China, where the counterfeit drugs are produced. One has to wonder how many people are dying, or ending up in emergency rooms every day, because they foolishly bought spamvertised, counterfeit medicine?

Noticeably reduced, again, this week, were spam for financing (0), lottery scams (0), phishing scams (1), and pump and dump stocks (0). Due to my ongoing procedures I have merged some filters to simplify the reporting process, so the categories shown below may differ from the previous weeks' results.

My current statistics show that spam is now 64% of all my incoming email, for the week of December 24 through 30, 2007. This is up 9% from last week. Without my MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters). The machines sending this deluge of spam are all members of BotNets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm Trojan. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the World, all with forged sender names, confirming that this is a World-wide Spam-demic.

MailWasher Pro spam category breakdown for December 24 through 30, 2007.
Blacklisted (by pattern matching): 28.31%
Elite Herbal Spam: 4.11%
RX Spam: 8.68%
Male enhancement spam: 25.58%
Weight loss pills: 2.28%
Postcard Trojan scams: 3.65%
HGH filter: 2.38%
Known Spam Subjects: 1.72%
Viagra and Viagra.com: 7.31%
Other filters: 14.61%
DNS Blacklists: 1.37%

These spam categories and their relative percentages will probably shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising. Also, beginning this week, I have begun blacklisting particular forged senders that match a pattern. The blacklisted category is quickly rising above all independent spam classifications, proving that my pattern matching is working.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

Regarding my custom MailWasher Pro spam filters: due to my continuing work of refining these filter rules, their accuracy has increased to the point that less than 1/4% of the spam detections flew under my radar and were classified as DNS Blacklists for this reporting period (ditto for the learning filter). All other spam was classified and dealt with by my custom filters.


December 23, 2007

My Spam analysis for Dec 17 - 23, 2007

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and for which I write my own custom spam filter rules. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window, that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of the week. I'll post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that various pharmaceuticals, including illicit prescription drugs, male and female enhancement pills and weight loss capsules lead the pack, again, accounting for well over 70% of all incoming spam. All of them have links to websites hosted in China, where the counterfeit drugs are produced. One has to wonder how many people are dying, or ending up in emergency rooms every day, because they foolishly bought spamvertised, counterfeit medicine?

Noticeably reduced, again, this week, were numeric links to Storm Trojan infected computers (0) and spam for finances (0), lottery scams (0), phishing scams (0), and pump and dump stocks (0). Due to my ongoing procedures I have merged some filters to simplify the reporting process, so the categories shown below may differ from the previous weeks' results.

My current statistics show that spam is now 55% of all my incoming email, for the week of December 17 through 23, 2007. This is down 15% from last week. Without my MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters). The machines sending this deluge of spam are all members of BotNets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm Trojan. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the World, all with forged sender names, confirming that this is a World-wide Spam-demic.

MailWasher Pro spam category breakdown for December 17 through 23, 2007.
Blacklisted (by pattern matching): 22.22%
Elite Herbal Spam: 16.11%
Pharmaceutical spam: 2.78%
RX Spam: 9.44%
Pirated software spam: 5.56%
Counterfeit Watches spam: 0.10%
Male enhancement spam: 7.78%
Weight loss pills: 0.10%
Casino spam: 0.10%
5 line spam: 3.89%
Viagra and Viagra.com: 6.67%
Other filters: 24.69%
DNS Blacklists: 0.56%

These spam categories and their relative percentages will probably shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising. Also, beginning this week, I have begun blacklisting particular forged senders that match a pattern. The blacklisted category is quickly rising above all independent spam classifications, proving that my pattern matching is working.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

Regarding my custom MailWasher Pro spam filters: due to my continuing work of refining these filter rules, their accuracy has increased to the point that less than 1/4% of the spam detections flew under my radar and were classified as DNS Blacklists for this reporting period (ditto for the learning filter). All other spam was classified and dealt with by my custom filters.


December 16, 2007

My Spam analysis for Dec 10 - 16, 2007

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and for which I write my own custom spam filter rules. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window, that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of the week. I'll post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that various pharmaceuticals, including illicit prescription drugs, male and female enhancement pills and weight loss capsules lead the pack, again, accounting for well over 70% of all incoming spam. All of them have links to websites hosted in China, where the counterfeit drugs are produced. One has to wonder how many people are dying, or ending up in emergency rooms every day, because they foolishly bought spamvertised, counterfeit medicine?

Noticeably reduced, again, this week, were numeric links to Storm Trojan infected computers (0) and spam for finances (0), lottery scams (0), phishing scams (0), and pump and dump stocks (0). Due to my ongoing procedures I have merged some filters to simplify the reporting process, so the categories shown below may differ from the previous weeks' results.

My current statistics show that spam is now 70% of all my incoming email, for the week of December 10 through 16, 2007. This is up 5% from last week. Without my MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters). The machines sending this deluge of spam are all members of BotNets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm Trojan. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the World, all with forged sender names, confirming that this is a World-wide Spam-demic.

MailWasher Pro spam category breakdown for December 10 through 16, 2007.
Blacklisted: 16.67%
Elite Herbal Spam: 14.68%
Pharmaceutical spam: 12.30%
RX Spam: 10.32%
Pirated software spam: 6.75%
Counterfeit Watches spam: 6.35%
Male enhancement spam: 4.76%
Weight loss pills: 4.76%
Casino spam: 3.17%
5 line spam: 2.38%
Other filters: 17.46%
DNS Blacklists: 0.4%

These spam categories and their relative percentages will probably shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising. Also, beginning this week, I have begun blacklisting particular forged senders that match a pattern. The blacklisted category is quickly rising above all independent spam classifications, proving that my pattern matching is working.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

Regarding my custom MailWasher Pro spam filters: due to my continuing work of refining these filter rules, their accuracy has increased to the point that less than 1/4% of the spam detections flew under my radar and were classified as DNS Blacklists for this reporting period (ditto for the learning filter). All other spam was classified and dealt with by my custom filters.


December 12, 2007

Wildcard additions for your MailWasher Pro blacklist

MailWasher Pro is a commercial, anti-spam, email screening program for your POP3 desktop email client. The program uses a combination of techniques to intercept and remove spam, viruses, exploits and scams from the email server, before they are downloaded to your regular email client. One of these detection techniques is user-created blacklists. If you are already using MailWasher Pro to screen your incoming POP3 email, I have some additions for your blacklist that may help reduce the amount of unclassified spam you have to sort through.

Many of you have been reading my weekly blog spam analysis reports, which are obtained from my MailWasher Pro Statistics. The statistics are categorized into the various types of spam that my custom filters match and delete. For the last few months I have been using custom filters to catch and categorize spam, exclusively, as opposed to creating a blacklist of spammers. This usually makes sense, because spam is always sent with a forged "From" address, often comprised of random characters, making it impractical to blacklist these fake and (usually) non-repetitive addresses (some are repeated).

However, during the last few months I have been able to find a filterable pattern in some of the spam messages, in their "From" field. I have created two new rules which you can add to your MailWasher Pro "Blacklist" to match and delete a large number of the current spam messages, in the wild at this time. Using these rules in addition to the learning filter and databases of known spam, and possibly my custom filters, will reduce the amount of spam you see to a dribble, instead of a waterfall.


With MailWasher Pro open, click on the "Spam Tools" button, then on "My Blacklist." Next, click the +ADD button and click the "radio" option for "Wildcard expression." Enter this expression:

dw+m@+.+

Click OK to save it. Now, create another new rule, with this expression:

lin+met@+.de

Click OK to save it. Look in the "Action" section of the Blacklist options and choose the action you are comfortable with. I would recommend selecting "Mark the mail for deletion" and 'On "Process Mail" (Recommended).' Before you leave this area, click on the "List Options" button, in the upper right. There are check-boxes and options for how long the blacklist will keep watching for these email addresses, before deleting them. Since it is rare to see the same forged email addresses persist over very long periods of time, you can set the times to expire unused addresses as follows:

Unused individual addresses: 7 to 10 days
Unused wildcard addresses: 90 to 180 days

Expiring useless addresses and wildcards will keep the blacklist to a smaller file size, which means it will load faster and be able to match incoming messages more quickly. When you have made your expiration selections click OK, to close the List Options, then OK, to close "My Blacklist" and the "Spam Tools."
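As an added illustration, not MailWasher's own code, the following Python models the blacklist behaviour just described: the two wildcard expressions translated into anchored, case-insensitive regular expressions, and the "unused address" expiry from List Options, run over constructed From addresses. It assumes, from the shape of the two expressions alone, that `+` stands for one or more arbitrary characters; the `Blacklist` and `BlacklistEntry` classes and every sample address are mine.

```python
"""Model of the MailWasher Pro wildcard blacklist described in the post.

Added example (not MailWasher code). Assumption, inferred only from the two
expressions in the post: in a "Wildcard expression" the plus sign stands for
one or more arbitrary characters and every other character is literal.
All addresses below are constructed samples, not real senders.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

WILDCARD = "+"  # assumed wildcard character (see module docstring)


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a wildcard blacklist entry into an anchored, case-insensitive regex.

    Literal parts are escaped, so the '.' in 'lin+met@+.de' matches only a real
    dot, and the anchors force the whole From address to match (no substring hits).
    """
    literal_parts = [re.escape(part) for part in pattern.split(WILDCARD)]
    return re.compile("^" + ".+".join(literal_parts) + "$", re.IGNORECASE)


@dataclass
class BlacklistEntry:
    pattern: str                      # individual address or wildcard expression
    added: date                       # day the rule was created
    last_hit: Optional[date] = None   # last day it matched an incoming message

    @property
    def is_wildcard(self) -> bool:
        return WILDCARD in self.pattern

    def matches(self, address: str) -> bool:
        if self.is_wildcard:
            return wildcard_to_regex(self.pattern).match(address) is not None
        return address.lower() == self.pattern.lower()

    def is_unused_for(self, today: date, days: int) -> bool:
        """True when the entry has not matched anything for more than `days`."""
        last_activity = self.last_hit or self.added
        return (today - last_activity).days > days


class Blacklist:
    """Ordered list of entries with the two expiry windows from the post."""

    def __init__(self, entries, individual_days: int = 10, wildcard_days: int = 180):
        self.entries = list(entries)
        self.individual_days = individual_days  # "Unused individual addresses: 7 to 10 days"
        self.wildcard_days = wildcard_days      # "Unused wildcard addresses: 90 to 180 days"

    def check(self, address: str, today: date) -> Optional[str]:
        """Return the pattern that blacklists `address` (first match wins), or None.

        A hit refreshes the entry's last-used date so it is not expired later.
        """
        for entry in self.entries:
            if entry.matches(address):
                entry.last_hit = today
                return entry.pattern
        return None

    def prune(self, today: date) -> list:
        """Remove entries idle longer than their window; return the removed patterns."""
        removed, kept = [], []
        for entry in self.entries:
            window = self.wildcard_days if entry.is_wildcard else self.individual_days
            (removed if entry.is_unused_for(today, window) else kept).append(entry)
        self.entries = kept
        return [entry.pattern for entry in removed]


def demo() -> dict:
    """Run the two rules from the post plus one stale individual address."""
    today = date(2007, 12, 12)  # date of the post
    blacklist = Blacklist([
        BlacklistEntry("dw+m@+.+", added=today),
        BlacklistEntry("lin+met@+.de", added=today),
        # Constructed individual address, added a month earlier and never seen again.
        BlacklistEntry("stale.sender@example.net", added=date(2007, 11, 10)),
    ])
    constructed_from_addresses = [
        "dwarfm@example.com",        # matches dw+m@+.+
        "LINDA.EMMET@example.de",    # matches lin+met@+.de (case-insensitive)
        "linda.emmet@example.com",   # wrong TLD: the literal ".de" does not match
        "lin-met@examplexde",        # no real dot before "de": escaping matters
        "friend@example.org",        # legitimate, untouched
    ]
    verdicts = {addr: blacklist.check(addr, today) for addr in constructed_from_addresses}
    return {"verdicts": verdicts, "pruned": blacklist.prune(today)}


if __name__ == "__main__":
    result = demo()
    for address, rule in result["verdicts"].items():
        print(f"{address:28} -> {rule or 'allowed'}")
    print("expired:", result["pruned"])
```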

Be sure you set your MailWasher Pro options (Tools > Options > Summary) to "Enable Message Logging" and to "Allow deleted email to be restored from the Summary Screen." Be sure you read your (MailWasher Pro Recycle Bin) statistics every day, as often as possible. If you see a legitimate email that was deleted by the blacklist, or any other filter, you can restore all, or at least part of it, from the Recycle Bin Statistics page. The amount of lines restored is determined by the option on the General tab, for "Spam Throttle - Download first (selected number) lines." I use 300 lines, which is not the fastest scanning, but is more accurate at catching spam that uses HTML tricks. If you want faster scanning, try reducing the number of lines to 200. This will get the scanning done faster, but if a legitimate HTML email was deleted only a percentage of it can be restored. If it was a newsletter you may only recover a small percentage, whereas a personal email may be fully recovered with only 200 lines saved. 300 lines seems to recover a fair amount of HTML content, but not everything, in newsletters.

How much spam those two wildcard filters will block is hard to say for certain, but it sure will make a dent in the level of messages that make it through your defenses. These particular filters match a technique used by certain spammers to identify their products as distinct from those of other spammers. They are sent from infected computers that are members of a spam Botnet. After a while the spammers using these identifying techniques may discard them for new ones, and I will post new details for blacklist rules, when that happens.

NOTE: Always whitelist your contacts by adding them to your MailWasher Pro "Friends" list! The Friends list overrides the spam filters, unless you specify that the opposite should occur.

For information about the custom filters mentioned earlier, read my web page about MailWasher Pro Filters. To read about the program itself, and download a trial copy, go to my MailWasher Pro web page.


December 9, 2007

My Spam analysis for Dec 3 - 9, 2007

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and for which I write my own custom spam filter rules. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window, that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of the week. I'll post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that various pharmaceuticals, including illicit prescription drugs, male and female enhancement pills and weight loss capsules lead the pack, again, accounting for well over 70% of all incoming spam. All of them have links to websites hosted in China, where the counterfeit drugs are produced. One has to wonder how many people are dying, or ending up in emergency rooms every day, because they foolishly bought spamvertised, counterfeit medicine?

Noticeably reduced, again, this week, were numeric links to Storm Trojan infected computers (1) and spam for casinos (3), finances (0), lottery scams (0), phishing scams (1), and pump and dump stocks (0). Due to my ongoing procedures I have merged some filters to simplify the reporting process, so the categories shown below may differ from the previous weeks' results.

My current statistics show that spam is now 65% of all my incoming email, for the week of December 3 through 9, 2007. This is down 4% from last week (Yippee!) and the second consecutive week of decline. Without my MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters). The machines sending this deluge of spam are all members of BotNets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm Trojan. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the World, all with forged sender names, confirming that this is a World-wide Spam-demic.

MailWasher Pro spam category breakdown for December 3 through 9, 2007.
Elite Herbal Spam: 24.91%
Male enhancement spam: 18.05%
Pharmaceutical spam: 12.63%
RX Spam: 6.86%
Counterfeit Watches spam: 2.89%
Pirated software spam: 8.66%
Weight loss pills: 2.53%
Unclassified One word subjects: 3.61%
Known Spam Subjects: 3.61%
Viagra and Viagra.com: 0.1%
Other filters: 16.15%

These spam categories and their relative percentages will probably shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

Regarding my custom MailWasher Pro spam filters: due to my continuing work of refining these filter rules, their accuracy has increased to the point that less than 1/4% of the spam detections flew under my radar and were classified as DNS Blacklists for this reporting period (ditto for the learning filter). All other spam was classified and dealt with by my custom filters.


December 2, 2007

My Spam analysis for Nov 26 - Dec 2, 2007

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and for which I write my own custom spam filter rules. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window, that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of the week. I'll post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that various pharmaceuticals, including illicit prescription drugs, male and female enhancement pills and weight loss capsules lead the pack, again, accounting for well over 78% of all incoming spam. All of them have links to websites hosted in China, where the counterfeit drugs are produced. One has to wonder how many people are dying, or ending up in emergency rooms every day, because they foolishly bought spamvertised, counterfeit medicine?

Noticeably reduced this week were numeric links to Storm Trojan infected computers and spam for casinos, finances, lottery scams, phishing scams, and pump and dump stocks. Due to my ongoing procedures I have merged some filters to simplify the reporting process, so the categories shown below may differ from the previous weeks' results.

My current statistics show that spam is now 69% of all my incoming email, for the week of November 26 through December 2, 2007. This is down 7% from last week (Yippee!). Without my MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters). The machines sending this deluge of spam are all members of BotNets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm Trojan. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the World, all with forged sender names, confirming that this is a World-wide Spam-demic.

MailWasher Pro spam category breakdown for November 26 through December 2, 2007.
Pharmaceutical spam: 13.50%
Male enhancement spam: 19.28%
Elite Herbal Spam: 18.18%
RX Spam: 7.99%
Counterfeit Watches spam: 2.75%
Pirated software spam: 7.16%
Canadian Pharmacy spam: Merged into Pharmaceutical filters
Unclassified One word subjects: Too small to measure
Known Spam Subjects: 3.86%
Viagra and Viagra.com: 2.76%
Other filters: 24.52%

These spam categories and their relative percentages will probably shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

Regarding my custom MailWasher Pro spam filters: due to my continuing work of refining these filter rules, their accuracy has increased to the point that less than 1/4% of the spam detections flew under my radar and were classified as DNS Blacklists for this reporting period (ditto for the learning filter). All other spam was classified and dealt with by my custom filters.


November 25, 2007

My Spam analysis for November 19 - 25, 2007

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and for which I write my own custom spam filter rules. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window, that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of the week. I'll post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that various pharmaceuticals, including illicit prescription drugs, male and female enhancement pills and weight loss capsules lead the pack, again, accounting for well over 78% of all incoming spam. All of them have links to websites hosted in China, where the counterfeit drugs are produced. One has to wonder how many people are dying, or ending up in emergency rooms every day, because they foolishly bought spamvertised, counterfeit medicine?

Noticeably reduced this week were numeric links to Storm Trojan infected computers and spam for casinos, finances, lottery scams, phishing scams, and pump and dump stocks.

My current statistics show that spam is now 76% of all my incoming email, for the week of November 19 through 25, 2007. This is up 1% from last week. Without my MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters). The machines sending this deluge of spam are all members of BotNets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm Trojan. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the World, all with forged sender names, confirming that this is a World-wide Spam-demic.

MailWasher Pro spam category breakdown for November 19 through 25, 2007.
Pharmaceutical spam: 36.26%
Male enhancement spam: 8.29%
Elite Herbal Spam: 13.51%
RX Spam: 3.79%
Counterfeit Watches spam: 2.84%
Pirated software spam: 4.00%
Canadian Pharmacy spam: 6.16%
Unclassified One word subjects: 2.84%
Viagra and Viagra.com: 7.34%
Other filters: 14.26%
DNS Blacklists: 0.24%
Blacklisted: 0.47%

These spam categories and their relative percentages will probably shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

Regarding my custom MailWasher Pro spam filters: due to my continuing work of refining these filter rules, their accuracy has increased to the point that less than 1/4% of the spam detections flew under my radar and were classified as DNS Blacklists for this reporting period (ditto for the learning filter). All other spam was classified and dealt with by my custom filters.


November 18, 2007

My Spam analysis for November 12 through 18, 2007

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and for which I write my own custom spam filter rules. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window, that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of the week. I'll post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that various pharmaceuticals, including illicit prescription drugs, male and female enhancement pills and weight loss capsules lead the pack, again, accounting for well over 70% of all incoming spam. All of them have links to websites hosted in China, where the counterfeit drugs are produced. One has to wonder how many people are dying, or ending up in emergency rooms every day, because they foolishly bought spamvertised, counterfeit medicine?

Noticeably reduced this week were numeric links to Storm Trojan infected computers and spam for casinos, counterfeit watches, finances, lottery scams, phishing scams, and pump and dump stocks.

My current statistics show that spam is now 75% of all my incoming email, for the week of November 12 through 18, 2007. This is up 1% from last week. Without my MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters). The machines sending this deluge of spam are all members of BotNets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm Trojan. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the World, all with forged sender names, confirming that this is a World-wide "Spam-demic".

MailWasher Pro spam category breakdown for November 12 through 18, 2007.
Pharmaceutical spam: 9.58%
Male enhancement spam: 7.98%
Elite Herbal Spam: 12.77%
RX Spam: 5.99%
Pirated software spam: 11.17%
Weight loss pills: 4.39%
Canadian Pharmacy spam: 7.78%
Viagra and Viagra.com: 11.37%
Cialis and Levitra: 3.19%
Other filters: 18.76%
DNS Blacklists: 0.80%
Blacklisted: 0.20%
Bayesian learning filter: 0%

These spam categories and their relative percentages will probably shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

Regarding my custom MailWasher Pro spam filters: due to my continuing work of refining these filter rules, their accuracy has increased to the point that less than 1/4% of the spam detections flew under my radar and were classified as DNS Blacklists for this reporting period (ditto for the learning filter). All other spam was classified and dealt with by my custom filters.

Try Firetrust Mailwasher® Pro

November 11, 2007

My Spam analysis for November 5 through 11, 2007

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and I write my own custom spam filter rules for it. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of, the week. I'll post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that various pharmaceuticals, including illicit prescription drugs, male and female enhancement pills and weight loss capsules lead the pack, again, accounting for well over 78% of all incoming spam. All of them have links to websites hosted in China, where the counterfeit drugs are produced. One has to wonder how many people are dying, or ending up in emergency rooms every day, because they foolishly bought spamvertised, counterfeit medicine?

Noticeably reduced this week were numeric links to Storm Trojan infected computers and spam for casinos, counterfeit watches, pirated software and pump and dump stocks.

My current statistics show that spam is now 74% of all my incoming email, for the week of November 5 through 11, 2007. This is up 2% from last week. Without my MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters). The machines sending this deluge of spam are all members of BotNets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm Trojan. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the World, all with forged sender names, confirming that this is a World-wide "Spam-demic".

MailWasher Pro spam category breakdown for November 5 through 11, 2007.
Pharmaceutical spam: 21.62%
Male enhancement spam: 3.60%
Elite Herbal Spam: 15.32%
RX Spam: 8.11%
Weight loss pills: 2.70%
Canadian Pharmacy spam: 7.21%
Viagra and Viagra.com: 19.82%
Other filters: 18.01%
DNS Blacklists: 0%
Blacklisted: 0%
Bayesian learning filter: 0%

These spam categories and their relative percentages will probably shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

Regarding my custom MailWasher Pro spam filters: due to my continuing work of refining these filter rules, their accuracy has increased to the point that less than 1/4% of the spam detections flew under my radar and were classified as DNS Blacklists for this reporting period (ditto for the learning filter). All other spam was classified and dealt with by my custom filters.

Try Firetrust Mailwasher® Pro

November 4, 2007

My Spam analysis for October 29 through November 4, 2007

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and I write my own custom spam filter rules for it. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of, the week. I'll post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that various pharmaceuticals, including illicit prescription drugs, male and female enhancement pills and weight loss capsules lead the pack, again, accounting for well over 75% of all incoming spam. All of them have links to websites hosted in China, where the counterfeit drugs are produced. One has to wonder how many people are dying, or ending up in emergency rooms every day, because they foolishly bought spamvertised, counterfeit medicine?

Noticeably reduced this week were numeric links to Storm Trojan infected computers (3) and spam for casinos (1) and "pump and dump stocks" (0).

My current statistics show that spam is now 72% of all my incoming email, for the week of October 29 through November 4, 2007. This is the same percentage as last week. Without my MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters). The machines sending this deluge of spam are all members of BotNets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm Trojan. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the World, all with forged sender names, confirming that this is a World-wide "Spam-demic".

MailWasher Pro spam category breakdown for October 29 through November 4, 2007.
Pharmaceutical spam: 12.35%
Male enhancement spam: 42.77%
Elite Herbal Spam: 2.71%
RX Spam: 1.51%
Pirated software spam: 2.41%
Pump & dump stocks: 0%
New Known Spam Subjects: 3.31%
X-Mailer: The Bat!: 11.14%
Viagra and Viagra.com: 8.74%
Other filters: 8.43%
DNS Blacklists: 0%
Blacklisted: 0%
Bayesian learning filter: 0.3%

These spam categories and their relative percentages will probably shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

Regarding my custom MailWasher Pro spam filters: due to my continuing work of refining these filter rules, their accuracy has increased to the point that less than 1/4% of the spam detections flew under my radar and were classified as DNS Blacklists for this reporting period (ditto for the learning filter). All other spam was classified and dealt with by my custom filters.

Try Firetrust Mailwasher® Pro

October 28, 2007

My Spam analysis for the 4th week of October, 2007

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and I write my own custom spam filter rules for it. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of, the week. I'll post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that various pharmaceuticals, including illicit prescription drugs, male and female enhancement pills and weight loss capsules lead the pack, again, accounting for well over 70% of all incoming spam. All of them have links to websites hosted in China, where the counterfeit drugs are produced. One has to wonder how many people are dying, or ending up in emergency rooms every day, because they foolishly bought spamvertised, counterfeit medicine?

Noticeably reduced this week were numeric links to Storm Trojan infected computers (5) and spam for casinos (3) and "pump and dump stocks" (1).

My current statistics show that spam is now 72% of all my incoming email, for the week of October 22 through 28, 2007. This is a 1% decrease from last week, which topped out at 73%. Without my MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters). The machines sending this deluge of spam are all members of BotNets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm Trojan. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the World, all with forged sender names, confirming that this is a World-wide "Spam-demic".

MailWasher Pro spam category breakdown for October 22 through 28, 2007.
Pharmaceutical spam: 10.90%
Male enhancement spam: 43.98%
Elite Herbal Spam: 0.01%
RX Spam: 4.89%
Counterfeit Watches spam: 2.26%
Casino spam: 0.01%
Numeric IP scams: 0.02%
Pirated software spam: 1.88%
Pump & dump stocks: 0%
Breast enlargement: 0%
Weight loss pills: 0%
One word subjects: 0.01%
New Known Spam Subjects: 5.26%
X-Mailer: The Bat!: 9.77%
Viagra.com: 0.01%
Other filters: 11.22%
DNS Blacklists: 0%
Blacklisted: 0.38%
Bayesian learning filter: 0%

These spam categories and their relative percentages will probably shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising.
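The weekly reports above all rest on the same technique: every filter rule gets a unique name, the first rule that matches a message claims it, and the statistics window counts hits per rule name so the spam can be broken down by category. The script below is an added example of that workflow and is not the author's filter set or any MailWasher Pro code. It defines a handful of illustrative named rules (a header rule for the "The Bat!" X-Mailer string, a body rule for links to bare numeric IP addresses, keyword rules for pharmaceutical, counterfeit-watch and pump-and-dump spam, and a one-word-subject rule), runs them over a small constructed mailbox, and prints the same two figures the reports quote: spam as a share of all incoming mail, and each rule's share of the spam. The rule patterns, rule order and sample messages are all assumptions made for this example.

```python
import re
from email import message_from_string
from email.policy import default

# Named filter rules, checked top to bottom; the first match wins, so the more
# specific rules sit above the generic ones. Every rule has a unique name so
# hits can be counted per rule, which is what makes a per-category breakdown
# possible. The patterns below are illustrative assumptions for this example,
# not the author's actual MailWasher Pro filter set.
RULES = [
    ("X-Mailer: The Bat!",       "x-mailer",     re.compile(r"^The Bat!", re.I)),
    ("Numeric IP scams",         "body",         re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|\s|$)", re.I)),
    ("Viagra.com",               "body",         re.compile(r"\bviagra\.com\b", re.I)),
    ("Pharmaceutical spam",      "subject+body", re.compile(r"\b(?:viagra|cialis|levitra|xanax|valium|pharmacy)\b", re.I)),
    ("Counterfeit Watches spam", "subject+body", re.compile(r"\b(?:rolex|replica watch(?:es)?)\b", re.I)),
    ("Pump & dump stocks",       "subject+body", re.compile(r"\b(?:penny stock|stock alert)\b", re.I)),
    ("One word subjects",        "subject",      re.compile(r"^\s*\S+\s*$")),
]


def body_text(msg):
    """Decoded text of the first text/plain (else text/html) part, or ''."""
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else ""


def field_text(msg, field):
    """The text a rule is matched against: the subject, the body, or a named header."""
    if field == "subject":
        return msg.get("Subject", "")
    if field == "body":
        return body_text(msg)
    if field == "subject+body":
        return msg.get("Subject", "") + "\n" + body_text(msg)
    return msg.get(field, "")  # any other header name, e.g. X-Mailer


def classify(raw):
    """Name of the first rule that matches the raw RFC 822 message, or None for clean mail."""
    msg = message_from_string(raw, policy=default)
    for name, field, pattern in RULES:
        if pattern.search(field_text(msg, field)):
            return name
    return None


def breakdown(raw_messages):
    """Spam share of all mail, and each rule's share of the spam, both in percent."""
    counts = {}
    for raw in raw_messages:
        name = classify(raw)
        if name is not None:
            counts[name] = counts.get(name, 0) + 1
    spam = sum(counts.values())
    spam_share = round(100.0 * spam / len(raw_messages), 2) if raw_messages else 0.0
    per_rule = {n: round(100.0 * c / spam, 2) for n, c in counts.items()}
    return spam_share, per_rule


# Constructed sample mailbox for this example (not real captured mail):
# seven spam messages, one per rule, followed by two legitimate ones.
SAMPLES = [
    "From: a@example.com\nTo: me@example.com\nSubject: Meeting notes\n"
    "X-Mailer: The Bat! (v3.99)\n\nNotes from the call are below.\n",
    "From: b@example.com\nTo: me@example.com\nSubject: Free NFL tracker\n\n"
    "Download it here: http://203.0.113.7/tracker.exe\n",
    "From: c@example.com\nTo: me@example.com\nSubject: Cheap pills\n\n"
    "Order today at viagra.com and save 80%.\n",
    "From: d@example.com\nTo: me@example.com\nSubject: Canadian Pharmacy\n\n"
    "Cialis and Levitra shipped discreetly.\n",
    "From: e@example.com\nTo: me@example.com\nSubject: Hello\n\n"
    "Rolex replica watches at 90% off.\n",
    "From: f@example.com\nTo: me@example.com\nSubject: Stock alert: XYZQ\n\n"
    "This penny stock is about to explode.\n",
    "From: g@example.com\nTo: me@example.com\nSubject: Congratulations\n\n"
    "You have been selected.\n",
    "From: h@example.com\nTo: me@example.com\nSubject: Re: project status\n\n"
    "Draft attached, see you Monday.\n",
    "From: i@example.com\nTo: me@example.com\nSubject: Lunch on Friday?\n\n"
    "Pizza place at noon?\n",
]

if __name__ == "__main__":
    share, per_rule = breakdown(SAMPLES)
    print(f"Spam: {share}% of all incoming mail")
    for name, pct in sorted(per_rule.items(), key=lambda kv: -kv[1]):
        print(f"{name}: {pct}%")
```

Two things worth noticing when building a rule set like this. First, because the first match wins, order decides the statistics: the message with the "Hello" subject is counted under the counterfeit-watch rule, not the one-word-subject rule, only because the watch rule sits higher in the list, so a reshuffle of rules changes the pie chart without changing what was caught. Second, the per-rule percentages are shares of the spam, not of all mail, which is why they sum to roughly 100% in the tables above while the "spam is N% of my email" figure is a separate number. A broad rule such as the one-word-subject test is also the one most likely to hit legitimate mail (a subject like "Lunch?" would match it), so rules of that kind belong at the bottom of the list and deserve a look at what they catch before they are allowed to auto-delete anything.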

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

Regarding my custom MailWasher Pro spam filters: due to my continuing work of refining these filter rules, their accuracy has increased to the point that less than 1/4% of the spam detections flew under my radar and were classified as DNS Blacklists for this reporting period (ditto for the learning filter). All other spam was classified and dealt with by my custom filters.

Try Firetrust Mailwasher® Pro

October 21, 2007

My Spam analysis for the 3rd week of October, 2007

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and I write my own custom spam filter rules for it. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of, the week. I'll post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that various pharmaceuticals, including illicit prescription drugs, male and female enhancement pills and weight loss capsules lead the pack, again, accounting for well over 70% of all incoming spam. All of them have links to websites hosted in China, where the counterfeit drugs are produced. One has to wonder how many people are dying, or ending up in emergency rooms every day, because they foolishly bought spamvertised, counterfeit medicine?

Noticeably missing, or greatly reduced this week, were numeric links to Storm Trojan infected computers (1) and spam for casinos and counterfeit watches (1).

My current statistics show that spam is now 73% of all my incoming email, for the week of October 15 through 21, 2007. This is a 9% increase from two weeks ago, which topped out at 64%. Without my MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters). The machines sending this deluge of spam are all members of BotNets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm Trojan. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the World, all with forged sender names, confirming that this is a World-wide "Spam-demic".

MailWasher Pro spam category breakdown for October 15 through 21, 2007.
Pharmaceutical spam: 19.38%
Male enhancement spam: 36.25%
Elite Herbal Spam: 3.13%
RX Spam: 2.5%
Counterfeit Watches spam: 0%
Casino spam: 0%
Numeric IP scams: 0%
Pirated software spam: 1.88%
Pump & dump stocks: 0%
Breast enlargement: 0%
Weight loss pills: 0%
One word subjects: 1%
New Known Spam Subjects: 5%
X-Mailer: The Bat!: 16.25%
Viagra.com: 0.85%
Other filters: 12.51%
DNS Blacklists: 0%
Blacklisted: 0%
Bayesian learning filter: 1.25%

These spam categories and their relative percentages will probably shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

Regarding my custom MailWasher Pro spam filters: due to my continuing work of refining these filter rules, their accuracy has increased to the point that less than 1/4% of the spam detections flew under my radar and were classified as DNS Blacklists for this reporting period (ditto for the learning filter). All other spam was classified and dealt with by my custom filters.

Try Firetrust Mailwasher® Pro

October 7, 2007

My Spam analysis for the 1st week of October, 2007

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and I write my own custom spam filter rules for it. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of, the week. I'll post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that various pharmaceuticals, including illicit prescription drugs, male and female enhancement pills and weight loss capsules lead the pack, again, accounting for well over 70% of all incoming spam. All of them have links to websites hosted in China, where the counterfeit drugs are produced. One has to wonder how many people are dying, or ending up in emergency rooms every day, because they foolishly bought spamvertised, counterfeit medicine?

Noticeably missing, or greatly reduced this week, were numeric links to Storm Trojan infected computers and spam for casinos and counterfeit watches.

My current statistics show that spam is now 64% of all my incoming email, for the week of October 1 through 7, 2007. This is an 18% decrease from the week before, which topped out at 82%. Without my MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters). The machines sending this deluge of spam are all members of BotNets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm Trojan. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the World, all with forged sender names, confirming that this is a World-wide "Spam-demic" (Wow, I think I just coined a new word!).

MailWasher Pro spam category breakdown for October 1 through 7, 2007.
Pharmaceutical spam: 24.45%
Male enhancement spam: 23.14%
Elite Herbal Spam: 11.79%
RX Spam: 4.8%
Counterfeit Watches spam: 0%
Casino spam: 0%
Numeric IP scams: 0%
Pirated software spam: 2.18%
Pump & dump stocks: 0%
Breast enlargement: 0%
Weight loss pills: 0%
Free NFL Tracker Trojan: 0%
"DW" Spammer: (detected by other filters)
One word subjects: 13.1%
New Known Spam Subjects: 7.86%
X-Mailer: The Bat!: (Detected by other filters)
Viagra.com: 3.49%
Other filters: 7.44%
DNS Blacklists: 1.31%
Blacklisted: 0%
Bayesian learning filter: 0.44%

These spam categories and their relative percentages will probably shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

Regarding my custom MailWasher Pro spam filters: due to my continuing work of refining these filter rules, their accuracy has increased to the point that less than 1/4% of the spam detections flew under my radar and were classified as DNS Blacklists for this reporting period (ditto for the learning filter). All other spam was classified and dealt with by my custom filters.

Try Firetrust Mailwasher® Pro

September 30, 2007

My Spam analysis for 4th week of September 2007

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and I write my own custom spam filter rules for it. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of, the week. I'll post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that various pharmaceuticals, including illicit prescription drugs, male and female enhancement pills and weight loss capsules lead the pack, again, accounting for well over 70% of all incoming spam. All of them have links to websites hosted in China, where the counterfeit drugs are produced. One has to wonder how many people are dying, or ending up in emergency rooms every day, because they foolishly bought spamvertised, counterfeit medicine?

Noticeably reduced this week were numeric links to Storm Trojan infected computers. However, counterfeit watches and Pump-And-Dump stocks are back in the countable statistics, along with a strong surge in pirated software.

My current statistics show that spam is now 82% of all my incoming email, for the week of September 24 through 30, 2007. This is a 14% increase from the week before, which topped out at 68%. Without my MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters). The machines sending this deluge of spam are all members of BotNets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm Trojan. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the World, all with forged sender names, confirming that this is a World-wide "Spam-demic" (Wow, I think I just coined a new word!).

MailWasher Pro spam category breakdown for Sept 24 through 30, 2007.
Pharmaceutical spam: 36.31%
Male enhancement spam: 22.42%
RX Spam: 0%
Counterfeit Watches spam: 3.97%
Casino spam: 3.97%
Numeric IP scams: 0%
Pirated software spam: 4.96%
Pump & dump stocks: 0.20%
Breast enlargement: 0.10%
Weight loss pills: 3.37%
Free NFL Tracker Trojan: 0%
"DW" Spammer: (detected by other filters)
One word subjects: 4.0%
New Known Spam Subjects: 2.98%
X-Mailer: The Bat!: 2.78%
Viagra.com: 2.58%
Other filters: 11.96%
DNS Blacklists: 0.20%
Blacklisted: 0%
Bayesian learning filter: 0.20%

These spam categories and their relative percentages will probably shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

Regarding my custom MailWasher Pro spam filters: due to my continuing work of refining these filter rules, their accuracy has increased to the point that less than 1/4% of the spam detections flew under my radar and were classified as DNS Blacklists for this reporting period (ditto for the learning filter). All other spam was classified and dealt with by my custom filters.

Try Firetrust Mailwasher® Pro

September 21, 2007

My Spam analysis for 3rd week of September 2007

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and I write my own custom spam filter rules for it. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of, the week. I'll post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that various pharmaceuticals, including illicit prescription drugs, male and female enhancement pills and weight loss capsules lead the pack, totaling a whopping 87% of all incoming spam. All of them have links to Chinese web hosts who are friends, or partners in crime, with the spammers. The senders are all BotNetted computers with spam relays installed, and probably infected with the Storm Trojan.

Noticeably reduced this week were counterfeit watches and the Pump-And-Dump stocks scammer, but I see from the last few messages that the Pump and Dump spammer is about to unleash a new spam run, promoting a new penny stock scam.

My current statistics show that spam is 68% of all my incoming email, for the week of September 17 through 23, 2007. This is an 8% increase from the week before, which topped out at 60%.

MailWasher Pro spam category breakdown for Sept 17 through 23, 2007.
Pharmaceutical spam: 43.43%
Male enhancement spam: 30.00%
RX Spam: 9.71%
Counterfeit Watches spam: 0%
Casino spam: 0.86%
Numeric IP scams: 0.10%
Pirated software spam: 1.71%
Pump & dump stocks: 0.10%
Breast enlargement: 0.60%
Weight loss pills: 1.43%
Free NFL Tracker Trojan: 0.10%
"DW" Spammer: 0.10%
One word subjects: 3.42%
RIPE filter: 0.10%
Other filters: 7.76%
DNS Blacklists: 0.29%
Blacklisted: 0.29%
Bayesian learning filter: 0%

These spam categories and their relative percentages will probably shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

Regarding my custom MailWasher Pro spam filters: due to my continuing work of refining these filter rules, their accuracy has increased to the point that only a tad over 1% of the spam detections flew under my radar and were classified as DNS Blacklists for this reporting period. All other spam was classified and dealt with by my filters.

Try Firetrust Mailwasher® Pro

September 16, 2007

My Spam analysis for 2nd week of September 2007

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and I write my own custom spam filter rules for it. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of, the week. I'll post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that various pharmaceuticals, including illicit prescription drugs, male and female enhancement pills and weight loss capsules lead the pack, totaling a whopping 72.29% of all incoming spam. Most, but not all, are sent from Korea, Turkey and Poland, and all of them have links to Chinese web hosts who are friends, or partners in crime, with the spammers. The senders are usually BotNetted computers with spam relays. Noticeably absent this week was the Pump-And-Dump stocks scammer.

My current statistics show that spam is 60% of all my incoming email, for the week of September 10 through 16, 2007. This is a big increase from the week before, which topped out at 47%. These numbers may change by Sunday night and I will update this report to show the final figures.

MailWasher Pro spam category breakdown for Sept 10 through 16, 2007.
Pharmaceutical spam: 29.19%
Male enhancement spam: 19.8%
RX Spam: 18.46%
Counterfeit Watches spam: 7.72%
Casino spam: 5.37%
Numeric IP scams: 3.69%
Pirated software spam: 3.69%
Pump & dump stocks: 0%
Breast enlargement: 2.01%
Weight loss pills: 2.68%
Free NFL Tracker Trojan: 1.00%
Other filters: 3.70%
DNS Blacklists: 2.35%
Bayesian learning filter: 0.34%

These spam categories and their relative percentages will probably shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising.


September 5, 2007

My Spam analysis for 1st week of September 2007

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

Anybody who receives email that is not cleared by a challenge-response email provider is probably receiving more spam now than almost any time before. I know that I am, and I am reporting it to SpamCop and using the data I collect to create or update my MailWasher Pro custom spam filters. It is my belief that this huge upswing in the volume of spam over the last two weeks is because it is being sent from computers that are infected with the Storm Worm Trojan and are all members of the same BotNet, but belonging to different peer-to-peer spam relay cells. All summer long, this BotNet spewed out tens of millions of spam emails pretending to be ecards, greeting cards, or postcards, with numeric links that led to infected computers that spread the Storm Trojan to the computers that were lured to them. Suddenly, the postcard scams have halted, only to be replaced by huge amounts of spam messages for male enhancement drugs, pump and dump stocks, counterfeit watches, pirated software and loans.


My current statistics show that spam is 47% of all my incoming email, for the week of September 3 through 9, 2007.

MailWasher Pro spam category breakdown for Sept 3 through 9, 2007.
Male enhancement spam: 24%
Pharmaceutical spam: 20%
Counterfeit Watches spam: 18.5%
Pirated software spam: 13%
Casino spam: 9%
Pump & dump stocks: 2.5%
One word subjects: 1%
Numeric IP scams: 5%
Miscellaneous spam: 6%
Bayesian learning filter: 0%
DNS Blacklists: 1%

These spam categories and their relative percentages will probably shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising.


August 4, 2007

Stupid Blog Trackback Spammers Don't Understand Server 403 Responses

The title of this article tells it all: "Stupid Blog Spammers Don't Understand Server 403 Responses!" Many months ago I discovered that although comments and trackbacks were not being posted to my blog, due to automatic moderation and classification of them as spam, nonetheless they kept on a-comin'. The comments spammers gave up a couple of months ago when they searched my blog only to learn that their bullshit comments had not been posted and never would be (I told them so on the search results page). However, the idiots who are trying to post trackback spam messages don't bother to search the blogs they are posting to, nor do they apparently read the responses sent by the script they are aimed at. If they did, all they would see from my blog is a steady stream of server 403 responses: "Access Denied!" I don't even have the comments or trackbacks Perl modules installed anymore, so even I can't post comments or trackbacks to my own blog! I removed them when it became obvious that only spammers were commenting or tracking back.

If you run a MovableType blog and don't care to allow comments or trackbacks, yet you are seeing numerous attempts to spam your blog (in the list of junk comments and trackbacks), you can do what I did and disable them altogether, then delete or rename the files used to post these comments. To disable them in MovableType, log into your MT installation, then click on the left sidebar item "Settings" then click on the "New Entry Defaults" tab, then under "Default settings for new entries" uncheck both "Accept Comments" and "Accept Trackbacks," then scroll down to the bottom of the page and click on the "Save Changes" button. This will remove the Comments and Trackbacks links under all of your posts. You may still have to manually remove existing comments and trackbacks from old topics, or delete the old topics entirely if they have a lot of useless commenting in them.

Despite the fact that you have disabled accepting comments, the spammers may still try to go straight to your Perl scripts that handle comments and trackbacks, bypassing the choices you made to exclude them. To prevent this you can either remove or rename these two files that are in the standard MT installation, under the CGI folder/MT (typically cgi-bin/MT/):
mt-comments.cgi
mt-tb.cgi

Without those files nobody is going to post a spam comment to your blog, and you can never accidentally re-enable comments or trackbacks unless you upgrade or replace those files.

As I said in the beginning, these spammers are not reading the results of their attempted trackback messages (success or failure), thus they are probably using automated scripts to send them out blindly from a spam list supplied to them by somebody even dumber than they are, without any concern about the success or failure of their efforts. If you run your blog on an Apache hosted web server and want to deny access to these assholes, read the technical details in my extended comments.
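As an added example (not code from the post, and not the author's extended-entry details), here is a small POSIX shell script that runs over constructed Apache access-log lines and lists the hosts that kept POSTing to the MovableType comment and trackback scripts only to receive 403s; the deny_rule function prints an Apache 2.4 .htaccess fragment (assumed syntax: FilesMatch plus Require all denied) that yields those 403s even if the scripts are left in place. All IPs and log lines are constructed.

```shell
#!/bin/sh
# Added example: spot blind trackback/comment spam against mt-tb.cgi and
# mt-comments.cgi in an Apache combined-format access log.
# The log lines below are constructed; the IPs are documentation ranges.

SAMPLE_LOG='192.0.2.10 - - [04/Aug/2007:10:01:22 -0400] "POST /cgi-bin/MT/mt-tb.cgi/123 HTTP/1.1" 403 214 "-" "Mozilla/4.0"
192.0.2.10 - - [04/Aug/2007:10:01:23 -0400] "POST /cgi-bin/MT/mt-tb.cgi/124 HTTP/1.1" 403 214 "-" "Mozilla/4.0"
198.51.100.7 - - [04/Aug/2007:10:02:05 -0400] "POST /cgi-bin/MT/mt-comments.cgi HTTP/1.0" 403 214 "-" "-"
203.0.113.55 - - [04/Aug/2007:10:03:41 -0400] "GET /blog/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [04/Aug/2007:10:04:00 -0400] "POST /cgi-bin/MT/mt-tb.cgi/125 HTTP/1.1" 403 214 "-" "Mozilla/4.0"'

# Read a combined-format log on stdin; print "count ip", busiest host first,
# for POSTs to the comment/trackback scripts that were answered with 403.
# Field layout: $1 client IP, $6 "METHOD, $7 request path, $9 status code.
spam_hits() {
    awk '$6 == "\"POST" && $7 ~ /\/mt-(comments|tb)\.cgi/ && $9 == 403 { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Run the detector over the constructed sample.
sample_spam_hits() {
    printf '%s\n' "$SAMPLE_LOG" | spam_hits
}

# Number of distinct hosts still hammering the disabled scripts.
sample_offender_count() {
    sample_spam_hits | wc -l | tr -d ' '
}

# Apache 2.4 .htaccess fragment (assumed syntax) that returns 403 for any
# request to the two scripts, so a forgotten or restored copy stays unreachable.
deny_rule() {
    printf '%s\n' '<FilesMatch "^mt-(comments|tb)\.cgi$">' \
                  '    Require all denied' \
                  '</FilesMatch>'
}

# On a real server: spam_hits < /var/log/apache2/access.log
sample_spam_hits
deny_rule
```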

About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.
This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.