My Spam analysis for April 20 - 26, 2009
This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.
If you use MailWasher Pro, you can enable the Blacklist function and add pattern-matching blacklist filters that automatically delete spam messages whose forged From address matches either of these Regular Expressions: lin+met@+.de and kef+diz@+. The interesting fact about those two rules is that the same forged domain name prefix is used on both sides of the @ symbol. So, if you see an incoming email with a sender listed as kefsomedomaindiz@somedomain.com, it will match that rule. These particular spam messages are sent from a Botnet that has fallen silent for some reason; possibly due to large-scale disinfection (e.g., by the Microsoft Malicious Software Removal Tool), or takedowns of the command and control servers used by that Botnet (see the takedown of McColo).
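As an added illustration (not the post's own filter code, and not MailWasher Pro's implementation), here is how those two blacklist rules behave when applied to a few constructed From addresses, plus a stricter check for the "same prefix on both sides of the @" trait the post describes. It assumes that `+` in the rules acts as a wildcard for any run of characters, which is what the post's kefsomedomaindiz@somedomain.com example implies.

```python
import re

# The two blacklist rules quoted in the post; '+' is treated as a wildcard (assumption).
BLACKLIST_RULES = ["lin+met@+.de", "kef+diz@+"]


def rule_to_regex(rule: str) -> re.Pattern:
    """Translate a '+'-wildcard rule into an anchored, case-insensitive regex.
    Every literal piece is escaped so '.' in '.de' matches only a dot."""
    pieces = [re.escape(p) for p in rule.split("+")]
    return re.compile("^" + ".*".join(pieces) + "$", re.IGNORECASE)


def matches_blacklist(sender: str, rules=BLACKLIST_RULES) -> bool:
    """True if the From address matches any blacklist rule."""
    return any(rule_to_regex(r).match(sender) for r in rules)


def mirrors_domain(sender: str, prefix: str, suffix: str) -> bool:
    """Stricter test for the trait the post highlights: the local part is
    <prefix><domain label><suffix> and that label is the sender's own domain
    (kef + somedomain + diz @ somedomain.com). Reduces false positives on
    legitimate addresses that merely start with 'kef' and end with 'diz'."""
    local, at, domain = sender.partition("@")
    if not at or not domain:
        return False
    local = local.lower()
    if len(local) <= len(prefix) + len(suffix):
        return False
    if not (local.startswith(prefix) and local.endswith(suffix)):
        return False
    inner = local[len(prefix):len(local) - len(suffix)]
    first_label = domain.lower().split(".")[0]
    return inner == first_label


def flag_senders(senders):
    """Return the subset of constructed From addresses the rules would delete."""
    return [s for s in senders if matches_blacklist(s)]


# Constructed sample From addresses (not real spam samples).
SAMPLE_SENDERS = [
    "kefsomedomaindiz@somedomain.com",   # the post's example: matches, and mirrors the domain
    "kefinfodiz@other.net",              # matches the wildcard rule but does not mirror its domain
    "linfoobarmet@foobar.de",            # matches lin+met@+.de
    "alice@example.com",                 # legitimate, no match
]

if __name__ == "__main__":
    for s in SAMPLE_SENDERS:
        print(f"{s:36} blacklist={matches_blacklist(s)} mirrors={mirrors_domain(s, 'kef', 'diz')}")
```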
I am seeing a greatly reduced amount of spam, possibly due to me being white-listed by spammers, trying to avoid my honeypots, or because of troubles spammers might be having controlling their Botnets. Nonetheless, the types of spam I am getting are most likely the same types you are getting, just in a different quantity. The classifications can help you adjust your email filters according to what is most common, on a weekly basis. Much of the spam this week was for the fake "Canadian Pharmacy" and Nigerian 419 advance fee fraud and money laundering scams. Other classifications, like Blocked Countries, usually include counterfeit drug promotions, sometimes in embedded images, or in vertical text and html tricks.
MailWasher Pro spam category breakdown for April 20 - 26, 2009. Spam amounted to 7% of my incoming email this week. This represents a 1% decrease from last week.
| Spam category | Share of spam |
|---|---|
| Phony Bounce messages (Joe-Jobs) | 18.18% |
| Blocked Countries, RIPE, LACNIC, APNIC | 18.18% |
| Fake "Canadian Pharmacy" spam (fake Viagra, Cialis, etc.) | 9.09% |
| Nigerian 419 Scams | 9.09% |
| Known Spam Domains (.cn, .ru, .br, etc.) | 9.09% |
| Male Enhancement Patches, etc. | 9.09% |
| Casino Spam | 9.09% |
| Hidden ISO or ASCII Subject spam | 9.09% |
| Re: or Fwd: Subject spam | 9.09% |
If you are reading this and wondering what you can do to reduce the sometimes huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft/Windows Live Mail, Eudora, Mozilla and other stand-alone email programs).
To protect your computer from malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security.
All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters or, if they made it through, were reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you containing a link. You must click on the enclosed reporting link, open it in your browser, and then manually submit your report. This is how SpamCop wants it done.
All spam is now sent from compromised home or business PCs, zombies in various Botnets, all of which are controlled by career criminals, many of whom live in Eastern Europe, in the former Soviet Union. If you purchase anything advertised in spam messages, you have given your credit or debit card information to the criminals behind that enterprise. If you are really lucky you will only be charged for the fake items you purchased, but, if not, you might find your credit limit used up, or your bank account emptied (for debit card transactions).
If you are foolish enough to purchase spamvertised pharmaceuticals you may be placing your health in danger. The pharmacies producing these drugs are in China and other Asian countries, including India. Their pills are not approved for use in the US or Canada, where they are targeted. All claims to the contrary are false. Canadian Pharmacy is fake. It does not exist in Canada, nor is it licensed there! It is a scam website, hosted on zombie computers in Botnets. The drugs they push are Asian made counterfeits and could cause you harm.
Also, unsubscribing through links in botnet-sent spam messages is futile, as you never opted in in the first place; your email address was captured by an email harvester on an infected computer belonging to somebody you corresponded with. Instead of receiving less spam, as one might expect from unsubscribing, all it does is confirm that your email address is active, and you will see even more spam than before.
Another common way your email address may get harvested by spammers is if it appears in a large C.C. (Carbon Copy) list on a computer that gets Botnetted. Many people engage in forwarding messages among all their friends. Each time they forward chain letters their address gets added to the growing list of recipients (called Carbon Copy, or CC). If just one recipient of that message has an email harvesting malware infection, all of the email addresses listed in that message will be sent home to the spammer behind that spam run.
Smart folks who want to forward or send a message to multiple recipients use B.C.C. instead of C.C. Using B.C.C. hides all of the recipients from displaying. The To field will just show "Undisclosed Recipients" in a message sent using B.C.C. This is safest for you and your friends or mailing list. All email clients have a means of displaying a B.C.C. field.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.