The Spam Cryer » Tips & Tricks

URL Shortening Services Used in SPAM

Shaun — Wed, 04 Aug 2010 14:54:16 +0000

Symantec reports increased use of URL shortening services in SPAM – CudaMail customers already protected by the Barracuda “Multi-level Intent Analysis”.

Spammers know that if they include a direct link to their site that their spam messages will not go through so they use URL shortening services to redirect you to their site if you click on the link in the spam message.

Multi-level Intent Analysis checks if the URL in the e-mail message redirects to a spammer website so the URL shortened version of the spam is blocked as efficiently as if the spam link was directly in the message.

- Shaun

Some Information from Barracuda Networks

Hiding Behind the “Good Guy”

By registering new domains or by redirecting to spam Web domains through reputable blogs, free Web site providers, or URL redirection services, spammers have also learned to hide their identity from traditional reputation checks that profile spam Web domains.

Illustrations D and E below show two separate spamming campaigns that were recently detected by Barracuda Central in which the spammers attempt to hide their identity by using URLs referencing reputable Web domains, Geocities and Blogspot. Often these URLs contain either redirections or simple Web links to known spammer Web sites.

Illustration D: Geocities redirect to sexdatesearch.com – known spammer

Illustration E: Blogspot redirect to known spammer IP (211.93.46.38)

Despite these attempts to hide behind a “good” identity, the Barracuda Spam & Virus Firewall profiled this campaign behavior of placing redirections or Web links to known spam
sites behind popular Web providers. The Barracuda Spam & Virus Firewall was able to block these messages through Multi-level Intent Analysis by following the embedded URLs as a Web browser would and inspecting the resulting contents.

Sample Behaviors and Countermeasures

When spammers obfuscate their identities, the Barracuda Spam & Virus Firewall can use Predictive Sender Profiling to identify behaviors of all senders and apply the applicable Barracuda Spam & Virus Firewall defense tactic.

Sample behaviors

Countermeasures

Sending too many emails from a single network address.

Automated spam software can be used to send large amounts of email from a single email server.

Rate Control.

To protect the email infrastructure from these flood-based attacks, the Barracuda Spam & Virus Firewall counts the number of incoming connections from a particular IP address and throttles the connections once a particular threshold is exceeded.

Attempting to send to too many invalid recipients.

Many spammers attack email infrastructures by harvesting email addresses.

Recipient Verification.

The Barracuda Spam Firewall automatically rejects SMTP connection attempts from email senders that attempt to send to too many invalid recipients, a behavior indicative of directory harvest or dictionary attacks.

Registering new domains for spam campaigns.

Because registering new domain names is fast and inexpensive, many spammers switch domain names used in a campaign.

Real-time Intent Analysis.

Used for new domain names that may come into use, real-time intent analysis involves performing DNS lookups and comparing DNS configuration of new domains against the DNS configurations of known spammer domains.

Using free Internet services to redirect to known spam domains.

Use of free Web sites to redirect to known spammer Web sites is a growing practice used by spammers to hide or obfuscate their identity from mail scanning techniques such as Intent Analysis.

Multilevel Intent Analysis.

Multilevel intent analysis involves inspecting the results of Web queries to URLs of well-known free Web sites for redirections to known spammer sites.

Swine Flu Phishing Attacks and Email Scams

Shaun — Mon, 27 Apr 2009 21:37:22 +0000

US-CERT is aware of public reports of email scams circulating related to the Swine Flu. The attacks arrive via an unsolicited email message typically containing a subject line related to the Swine Flu. These email messages may contain a link or an attachment. If users click on this link or open the attachment, they may be directed to a phishing website or exposed to malicious code.

US-CERT encourages users to take the following measures to protect themselves:

Do not follow unsolicited web links or attachments in email messages.
Maintain up-to-date antivirus software.
Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.

Maintaining up-to-date anti-virus is vital. Some appliances, like the Barracuda Spam & Virus Firewalls that are used by CudaMail.com to filter mail are updated on a constant basis.

US-CERT will provide additional details as they become available.

Relevant Url(s):

http://www.us-cert.gov/cas/tips/ST04-014.html

http://www.avertlabs.com/research/blog/index.php/2009/04/27/swine-flue-spam/

http://www.us-cert.gov/reading_room/emailscams_0905.pdf

MS09-002 exploit in the wild

Shaun — Thu, 19 Feb 2009 18:57:51 +0000

The Internet Storm Center is reporting that several AV vendors have confirmed that the recently patched IE 7 vulnerability (MS-09-002 Uninitialized Memory Corruption) has been reverse engineered by the malware writers (so quickly!) and that we can expect them to be trying to infect your PC’s and get you to join in their zombie army any time now.

What does this have to do with spam? Spam is one way that they try to infect your PC so be on the lookout for simple, hard to block e-mail’s with a catchy subject line and a simple link to a website.

The CudaMail System has been seeing and blocking a rise in emails with simple links to malware sites, and even the occasional iframe. They’re definitely trying various ways to sneak malicious links into your inbox.

It bears repeating that if you don’t know where the e-mail came from or if you weren’t expecting it and can’t confirm that the supposed sender really sent it to you be very careful opening the website or better yet don’t open it at all.

MS09-002 exploit in the wild (via Sans)
http://isc.sans.org/diary.html?storyid=5884

- Shaun

Reduce Your Spam with a Disposable E-mail Address

Shaun — Fri, 28 Nov 2008 23:41:28 +0000

Some sites that you go to want you to register and provide a valid e-mail address to send you your password or a signup verification link.

This is a great idea to ensure that the services is not being overrun by bots but it does open up the possibility that this site has been setup to gather valid e-mail addresses for the express purpose of spamming you in the future because they can then sell your e-mail address to an ‘affiliate’ who then send you the ‘latest thing’ you may or may not be interested in.

One thing you can do is use a service like McAfee SiteAdvisor “http://www.siteadvisor.com/

This free service installs as a browser plug-in that adds a little icon to your search results. McAfee has signed up on lots of sites and then keeps track of how much spam each site sends. You have to be careful though as the icon does not show up if someone sends you a link in e-mail or you find it on another site. You have to do a specific search for that site to get McAfee’s results and recommendations.

If you’re an e-mail administrator you can setup aliases for your account that are site specific and use them when you sign up so that if that unique address is spammed you can block it and know which site it was that sold your e-mail address. What if you’re like most people and are not the mail server administrator?

What can a regular Joe do?

While we have already talked about using multiple e-mail accounts to keep things separate there is another way: Use a disposable or temporary e-mail address.

Here are some services that allow you to create a temporary forwarding e-mail address and some even let you set how long you want the address to exist, 1 hour to 1 year is possible.

This is not an endorsement of any particular service – just some examples.

Keep a list of a few handy because some sites know about this idea and may not let you sign up if you use an e-mail address from one of these temporary e-mail services.

That said how do you know that these forwarding sites are also not setup for the express purpose of harvesting your real email address? You do have to provide your real e-mail address to these services so they can send you anything sent to your temporary e-mail address. Some sites don’t require a e-mail address to forward to but instead you use a webmail interface. This is ok as long as you don’t want to continue getting e-mail from this company as you have to remember to log into the webmail interface on a regular basis.

You can also use a single GMail account and filter emails. For example, memyselfandI@gmail.com Then add a +[site] after the account and create a label. Those emails will sorted by that site label.

memyselfandI +Site1@gmail.com
memyselfandI +Site2@gmail.com

You get the idea.

That said, you may not want to use a disposable address for anything important like a product registration or a mailing list that you want to subscribe to because the company may want to e-mail you about an important product recall and if your temporary e-mail address has expired by that time they may not be able to send you this important information.

For mailing lists you want to use a permanent e-mail address as the mailing list admin will get an email every single time somebody posts in it and it bounces off of your expired temporary address. You may want to use the segregated e-mail idea in that case.

These idea’s won’t reduce your spam to zero but will help in the battle.

Shaun