Spam volume increasing as Srizbi Botnet is reactivated
On November 14, 2008, I published an article on my blog about how spam had dropped significantly following the shutdown of McColo, a server co-location hosting company. The reason for the huge drop in spam was because several of the World's largest and busiest Botnets had their Command and Control (C&C) servers housed and connected to the Internet by McColo. The C&C servers send instructions and spam templates to the Zombies under their control. When those C&C servers lost their connections to the Internet the Zombie computers in the Botnets they controlled all fell silent; becoming sleeper agents awaiting new instructions from new Controllers.
Today I began seeing an increase in the number of spam emails arriving in my spam screening program, MailWasher Pro. I did a little digging into security news and discovered that this increase is not a coincidence. Apparently, the so-called "Srizbi Botnet" has been rebuilding its C&C computers, which are now hosted in Estonia. Those C&C machines are now issuing instructions to the sleeping zombies, which are awakening and beginning to send out spam again. While researchers and detectives are able to identify the new locations of those C&C machines, shutting them down will be difficult, as the people hosting them and local Government officials could care less about the damage being done by the Botnets under their control.
Whether today's spam is coming from the Srizbi Botnet, or some other Botnet is unimportant to spam recipients. Unless you are a security researcher you are probably more interested in blocking this spam than in knowing who designed it and ordered it to be sent to you. I can help you do that, using special rules in a spam filtering program named MailWasher Pro. This can only be done if you read your email in a POP3 desktop email client, like Outlook, Outlook Express, Windows Live Mail, Apple Mail, Mozilla Thunderbird, etc. MailWasher Pro stands between the Internet email servers and your desktop email client, where it filters out spam, scams and virus threats, before downloading any messages to your desktop email client. If you are not already using MailWasher Pro you can read about it here and download a trial or purchase a copy for yourself.
The first prong in my attack against spam is to add wildcard email addresses, that spammers repeatedly forge as the sender, to the program's Blacklist. Blacklist rules are processed before other types of rules, so the wildcard addresses in the Blacklist will cut down a lot on the amount of unclassified spam you have to deal with. Open MailWasher Pro, click on the "View" menu item, then select "Filter Side Bar." The Filter Side Bar will appear on the right side of the program. It has three tabbed sections: "Friends List" and "Blacklist" and "Filters." Click on the "Blacklist" tab, then click on the round green "Add" button. A new "Add address to list" box will open. Click on the option "Wildcard expression." Copy and paste, or type in the following codes, one per Blacklist entry, then click OK to close each new entry box. Repeat the sequence for each of the six Blacklist additions listed below. The first two entries are very commonly matched right now.
kef+diz@+
lin+met@+.de
dw+m@+
_+@+.+
-+@+.+
+@mail.*ru
After saving these Blacklist Wildcard rules you must decide how you want MailWasher Pro to deal with the messages matching these expressions. While still in the mail Blacklist tab, click on the "Options" button. In the "Actions" section select "Delete the email." Just under that you can choose whether that happens manually, where you see the email flagged as "Blacklisted" in the incoming messages list, or if any messages matching those criteria are automatically deleted off the email server, on the spot. I use automatic deletion, as nobody I communicate with has an email prefix or suffix matching these criteria. To be safe, use manual deletion for a while, while listing (add to Friends list) any false detections, then switch to "Automatically, without notification" when you are confident in the accuracy of these (and other) Blacklist rules.
Next, go to my MailWasher Pro Custom Filters web page and scroll down to the iframe, in which one of my three versions of my custom MailWasher Pro filters will be loaded. Read the notes about each of these filters and choose the one that you prefer to use. You can either copy and paste the rules from the iframe into your own "filters.txt" file, or download the file, deposit it into the appropriate location, renaming it to filters.txt if required. MailWasher Pro keeps all user settings, filters and white/black lists in your logged-in identity's %AppData%\MailWasherPro folder. You may need to edit your Folder View settings to unhide hidden and system files and folders, and show known extensions, to see these files. You can also locate and open the data folder where the filters.txt lives by clicking on "Help" (with MailWasher Pro open), then "About," then click on the link to your application data files, at the bottom of the "About" box. More details about using my filters are found on the aforementioned Custom Filters web page.
If you choose manual deletion of email messages that match a MailWasher Pro Blacklist or custom filter rule, the messages that are matched by that rule will be flagged by the name of the custom filter, or else will say "Blacklisted," if they match a sender's wildcard address in the Blacklist.
Between using the Wildcard Blacklist entries and my custom filter rules, which are regularly updated, you will be able to cut down to just a trickle the amount of spam messages you have to read before realizing they are indeed spam. If you set the rules to automatically delete spam without notification, you will only see a few variants that I have not yet created rules for (but will create soon). I estimate that my automatic deletion rules and Blacklist entries remove 95% of the incoming spam without my ever having to look at it. Mistakes are restored via the built-in configurable Recycle Bin.
If you like this article please share it.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.