My Spam analysis for Aug 11 - 17, 2008
This is the latest entry in a series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.
MailWasher Pro is a spam screening program that sits between your email servers and your desktop email client (application). It uses a variety of techniques to recognize what is and isn't spam, including a learning filter and user-created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.
MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by categories. Each program and user-created filter has a name and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics, with its percentage shown next to it. The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.
The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, so they were all grouped into the one category, "Other."
The most prevalent social engineering email threat continues to be a video exploit link scam that has a subject and sender containing the words "Breaking Alert" or "Breaking News." This threat is sent from a humongous botnet, and has transformed from claiming to be a CNN "My Custom Alert," to an "msnbc.com Breaking News," to the current just "Breaking News." All of these contain lines about fake breaking news stories, and all contain disguised links to a compromised web site hosting a payload named "get_flash(_update).exe" - or a variation thereof. This is not the real Adobe Flash Player, but a fake Video Codec, containing malware that has been identified as being either a "Tibs," "Zlob," or "Storm/Nuwar" Trojan variant. If you are lured to a web page containing such a link (mouse-over links to see their destination in your browser's status bar, on the bottom), and you survive the automatic attempts to exploit browser vulnerabilities, do not click on the download links offered to you! There may be a pop-up message claiming you require a video codec, or ActiveX Object to view a news story, but it is a trick to fool you into self-installing the Trojan.
If you have clicked on one of these Trojan download links and allowed the file to be installed, you are probably in need of the services of an up-to-date anti-spyware program. I recommend Spyware Doctor, from PC Tools, because it specializes in spyware detection and removal, and is updated very frequently. As Spyware tools go, Spyware Doctor is one of the top rated in the industry. It gets the job done where others fail.
MailWasher Pro spam category breakdown for August 11 - 17, 2008. Spam amounted to 47% of incoming email this week.
Spam category | Percentage |
---|---|
Video Exploit links to Trojan download: | 21.47% |
Male enhancement spam (subject or body): | 15.95% |
Other filters: (See my MWP Filters page) | 15.34% |
Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals): | 14.10% |
Loans/Bankruptcy/Insurance Scams: | 13.50% |
Blacklisted Domains/Senders: (by pattern matching wildcard rules) | 6.75% |
Known Spam Subjects: | 4.91% |
Counterfeit Watches: | 3.68% |
Image Spam: | 2.45% |
DNS Blacklists: | 1.23% |
Bayesian learning filter: | 0.62% |
If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).
Update on 8/18/2008
On Monday, August 18, 2008, the video news exploit scams changed again. This time the spam email subject is "Weekly top news" and the sender's name is set to "Top News Agency." The disguised link from this spam run points to a file on a compromised computer or server, ending with the file name "index1.html," with the anchor text: "Read All (two numbers) breaking news."
This combination is likely to change in a day or two, so be on a heightened state of alert concerning any unexpected email mentioning "News" in the subject or body, referring to alleged breaking news stories around the world.
Anybody foolish enough to click on the link in these scam emails will be fast forwarded to a compromised web site where they will be subjected to attempted drive-by downloads, followed by manual encouragement to download a file ("install.exe"), which carries this social trickery text:
"You must download Video ActiveX Object to play this video file."
The file offered to you is not a "Video ActiveX Object," nor Adobe's Flash Player, nor a "Missing Video Codec." It is a very hostile Trojan file that will recruit your computer into a huge Botnet, for use in illegal activities such as spamming or distributed denial of service attacks against pro-Western governments in the former Soviet Union, security organizations or popular websites that annoy the mostly Russian bot herders.
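The indicators described in this post and its update, expressed as an added Python example (it is not one of the MailWasher Pro filters and not code from the original article): it flags a message by subject and sender wording, by link file names, and by the lure anchor text. The regular expressions, the function and class names, and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser

# Wording and file names come from the article; the regexes are this example's assumption.
SUBJECT_SENDER = re.compile(r"breaking (alert|news)|weekly top news|top news agency", re.I)
LINK_FILE = re.compile(r"/(get_flash\w*\.exe|install\.exe|index1\.html)$", re.I)
ANCHOR_TEXT = re.compile(r"read all \d+ breaking news", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs so the real destination can be checked."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def classify(raw):
    """Return the reasons a raw message matches the campaign; empty list if none."""
    msg = message_from_string(raw)
    reasons = []
    for header in ("Subject", "From"):
        if SUBJECT_SENDER.search(msg.get(header, "")):
            reasons.append(f"{header.lower()} matches campaign wording")
    for part in (p for p in msg.walk() if p.get_content_type() == "text/html"):
        collector = LinkCollector()
        collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
        for href, text in collector.links:
            if LINK_FILE.search(href.split("?")[0]):
                reasons.append(f"link ends in known file name: {href}")
            if ANCHOR_TEXT.search(text):
                reasons.append("anchor text matches lure wording")
    return reasons

# Constructed sample message (not captured spam); the host name is a placeholder.
SAMPLE = (
    "From: Top News Agency <news@sender.invalid>\nSubject: Weekly top news\n"
    "Content-Type: text/html\n\n"
    '<a href="http://host.invalid/index1.html">Read All 10 breaking news</a>\n'
)
```

Subject wording alone also matches legitimate news mail, so the link checks are the stronger signal; the file names rotate between spam runs and the patterns need updating as they change.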
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.