Anyone remember Elizabeth Thomas?

If there's any ex-Pinewoodians reading this, you may remember ET. Who could forget? And you may wish to check out her (newish) weblog. After all, it's got more recent content on it than this dusty pile.

mea culpa, mea culpa, mea maxima culpa

Sorry for the blatent lack of posting recently.

I think I lost my blogging mojo. Hopefully temporary. Perhaps I might try posting about random stuff for a bit, to see if it comes back.

Are you game for that?

Hilariously Bad 419 Scam Come-On

Hilariously bad 419 just hit inbox. Must. Stop. Laughing. And. Blog. It...

Minneapolis Telephone Network (MTN)
Foundation's Officer
125 Allen Avenue,
Lagos-Island
Nigeria.

Concern:Winner,
The Minneapolis Telephone Network (MTN),
would like to notify you that you have been
chosen by the board of trustees as one of the
final of a cash Grant/Donation for your own
personal, educational, and business
development.The Minneapolis Telephone
Network (MTN) was established by the Multi-
Million groups in 1993 was conceived with the
objective of human growth, educational, and
community development.To celebrate the 15th
anniversary program, the Minneapolis
Telephone Network in conjunction with the
Economic Community for West African States
(ECOWAS), United Nations Organization (UNO)
and the European Union (EU) is giving out a
yearly donation of Euro??3,500,000.00 (Three
Million ,Five Hundred Thousand Euro) and an
Auto-Mobile (Peugort 207 Car) each to 20 lucky
recipients for their patronage to this
organisation and continues growth.This
Donation/Grants is in view to mark it 15th years
of Best Telephone Network all over African and
some parts of the world.At least 20% of the
awarded funds should be used by you to
develop a part of your environment.Based on
the random selection exercise of internet
websites and millions of supermarket cash
invoices worldwide, you were selected among
the lucky recipients to receive the award sum of
Euro??3,500,000.00 (Three Million ,Five Hundred
Thousand Euro) and an Auto-Mobile (Peugort
207 Car) as charity donations/aid from the MTN
Group Limited (MTN Group), ECOWAS, EU and
the UNO in accordance with the enabling act of
Parliament. Your Qualification/Reference
numbers (M-323-T-6747, N-900-56) should be
quoated by winners in all discussions. You are
required to choose your delivery option which
will be convient for you in the order below:

1. Diplomatic Courier Service,Delivery To Your
Home Address.

2. Telegrahic Wire-Transfer,To Your
International Bank.

You are required to contact the promotion
agent in the below order.
Executive Secretary- Mr Raymond Chua Swee
Email:info@raymonchua-swee.1to1.org
All information is strictly confidential.
Mrs Gucci Villary
Minneapolis Telephone Network (MTN)
Foundation's Officer

ROTFLMAO

IPv4 Inaction: Danger, Danger, Will Robinson!

Gary Feldman of the UK's Demon Internet performs for the secret-wg in the closing plenary at RIPE 55 in Amsterdam, October 2007.

Hilarious. I guess it's time to stop stalling on that IPv6 rollout. Click the Play button below...


(In case it doesn't work, here's the direct YouTube link.)

Anyone know the name of Gary's erstwhile microphone stand?

Hat tip: Paul Hoffman.

Gmail, How do I Love Thee? Let me Count the Ways...

Here's a quick Gmail goodness grab-bag top-10...

1. Spam filtering. It just works. I estimate it kills more than 99% of my spam, and the only occasional false positives I get are from Yahoo Groups (which is a spam cesspit anyway) and mailing lists that include spam samples (uhhh...)
   
   
2. IMAP access. Yay, we've been asking and asking and asking for it, but it finally arrived yesterday.
   
   
3. Local front-end servers. Recently, Google moved the POP/IMAP/SMTP servers I connect to. They're not now in the U.S., but much closer to me (in the UK?). Some sort of routing cleverness, I dare say. This means downloading a load of messages is now very, very fast.
   
   
4. Search and Filters. Fast, flexible, frequently-very-useful. Especially when combined with the saved search extension for Firefox (using Greasemonkey or the Better Gmail extension).
   
   
5. Labels. I know some people hate 'em, to which I say, "Just think of them as folders." But they're so much better than folders, mainly 'cos you can "file" a message in more than one of them.
   
   
6. Fetchmail. Integrated, as way of grabbing your email from other accounts, using POP. Saves auto-forwarding, which is increasingly broken.
   
   
7. AJAX. Not as ground-breaking as OWA, not as flashy as Oddpost/Yahoo/SWA, not as mashable as Zimbra, but fast and usable all the same.
   
   
8. Keyboard shortcuts. A big productivity saver. I hate to move my hands off the keyboard to find my mouse -- that's a key reason why I don't "do" Mac OS.
   
   
9. Google Apps. A white label version of Gmail is included in Google's hosted applications service.
   
   
10. Free. Yes, as a confirmed cheapskate, this is a good thing. Even Google Apps is free for up to 50 mailboxes. No more do vanity domain owners have to suffer the slings and arrows of outrageous email forwarders.
    

Email Sender Reputation at all, David?

David Berlind sounds like he's sick of talking to hyperbole-fuelled anti-spam vendors. Can't say I blame him.

It is probably true that if everyone in the world ran just one solution, we’d be able to tweak that solution in such a way that we’d finally get a handle on the inbound and outbound problems associated with spam. When everyone has access to the same technology, there’s a name for that. It’s called a standard. There is zero chance of some proprietary solution becoming the defacto antispam solution for the world. But, if only AOL, Google, Microsoft, and Yahoo (the world’s leading e-mail solution/service providers) would get together and decide on what the non-proprietary standards should be and implement them in their systems, it wouldn’t be long before every other e-mail solution provider would have to follow suit (in order for their e-mails to interoperate).

Well, the thing is, in many ways, AOL, Google and Yahoo are doing what he asks (and even Microsoft is making encouraging noises).

The "standard" the industry's heading towards is "true" sender reputation (i.e., not the DNS-IP-blacklists-on-drugs that we have today). Being able to store and share opinions about the "goodness" of an individual sender and/or sender domain would be incredibly useful, but we're not there yet -- mainly because email is to easy to forge. This is where sender authentication comes in.

So the necessary precursor to sender reputaion is to get everyone using DKIM, so we have a strong method of sender authentication (not just the relatively weak-but-easy SPF/SenderID) -- this is where the big three mentioned above is right now (and as I said, Microsoft is making encouraging noises, despite its wedded bliss with SenderID).

For more, see:

• CNET's Error Explaining DKIM
• Locally-Maintained Reputation

Phishing via Instant Messaging

I just got an IM from a buddy. He told me to go to www(dot)geocities(dot)com(slash)picc_81(slash)index.htm

This appeared to be a Yahoo 360 login page. "Odd," I thought, "Why do I need to login to see a Geocities page? And anyway, aren't I already logged into Yahoo?"

Let's view the source. Oh. It sends the login credentials to a script on www2.fiberbit.net -- looks like it emails them to ggeocitiees@gmail.com

Nice job, phish boy.

I've reported it to PIRT, the Gmail guys, and the Google Safe Browsing folks.

Now to contact my buddy and give him the bad news.

Is Spam Blocking at Odds with Common Carrier Status?

ISPs in many countries, including the U.S. enjoy a legal status often known as "Common Carrier." Simply put, this absolves the ISP of responsibility if it assists in the transfer of illegal materials, such as copyrighted works or child pornography. The philosophy is that as long as the ISP simply moves data from one place to another -- not making any judgment or discrimination about whether to move one type of data or another -- the ISP should enjoy a "safe harbour."

From time to time, some wag gets the idea that email filtering of spam and viruses would cause ISPs to lose this legal protection. In other words, if an ISP chooses not to deliver a message because it's "spam," the ISP is discriminating based on the content or source, which may remove the safe harbour. When one thinks about it, this is complete nonsense, but stranger things have happened in various legal systems around the world.

This debate is happening again. Thanks to the good work done by MAAWG and others, ISPs are being encouraged to set up outbound spam filtering, to prevent zombified PCs sending spam from their networks, and to encourage users to clean their infected machines with walled gardens. Naturally, some are expressing concern that such discrimination would count as another chink in their common carrier armour.

It's time for the FCC and similar regulators in other countries to step up and make it clear that such genuinely useful -- some would say essential -- discrimination would not affect an ISP's common carrier status.

BTW, sorry for the long hiatus. Call it Blogger's Block. Thanks to Kevin Soo Hoo for helping break it.

Inadvertent Spamming: a Cautionary Tale

I learned today of a well-known software vendor whose business has suffered as a result of poor list management practices. It's not the first, and probably won't be the last. This sorry tale only goes to illustrate the importance of avoiding becoming an inadvertent spammer.

It appears that, although it had been legitimately sending mailings to its customers, the vendor had been ignoring unsubscribe requests. As I've said before, any unwanted bulk email sent by an organization after an appropriate unsubscribe request is spam -- an organization that fails to act on unsubscribe requests in this way is a spammer.

As a result of its failure to honour unsubscribe requests, complaints about the spam began to accumulate at the feet of the various organizations that track spammers' activity. Crucially, these include sender reputation services, such as DNSBLs (also known as IP blacklists). Inevitably, despite the fact that the majority of email it sent was legitimate, the vendor gained a negative reputation as a spammer.

This caused some recipients of its email to reject or otherwise filter these legitimate messages. Not only were legitimate direct marketing messages filtered, but also messages containing customers' license keys, technical support replies, etc.

This is indeed a cautionary tale: the lesson for senders is that the unsubscribe process is truly a mission-critical part of your direct marketing or transactional email workflow. Failure to ensure its integrity can not only cause legal problems, but damage your customer relationships and your business.

This Weblog, "Never fails to entertain and inform..."

"...particularly if you're interested in spam, malware and the like"

Blush.

Well, we like Angela Gunn's Tech_Space too. Proof, if proof were needed, that USA Today isn't just for getting slid under the hotel door first thing in the morning.

Hat tip: Joyce Carpenter for finding the Weird Converter in the first place.

Kate Bush on The Kenny Everett Video Show

It's 1979 all over again. Simple times...


[Hat tip: k8_fan]

It's hard to believe Kenny's been gone for over 12 years.

Spam Causing Email Exodus?

I was asked an interesting question earlier this week. Paraphrased:

With the sheer number of people using semi-proprietary closed systems such as Facebook or Myspace for their personal and business communication, might they be serious contenders for a real spam solution?

Some time ago, I wrote about the, "People are stopping using email" meme. I said then that it's not so much that people are turning their backs on email as a medium, but that they have a wider choice of media available to them now -- such as IM, SMS, and social network websites. They're just more likely to choose the medium best suited to the task. Nothing's changed my mind since then.

Having said that, feel free to poke me, follow me, LinkIn, or whatever.

To paraphrase Meng Weng Wong's recent curry-inspired trendmap, all such media attract spammers if they become sufficiently popular. Lest we forget, spam was first a big problem on USENET -- email came later.

Radicati Group's website defaced

Oh dear.

Looks like radicati.com got defaced. Or at least that somebody injected a meta redirection tag.

Ooopsy.

IT Blogwatch roundup

As you may know, every day I write the IT Blogwatch column for Computerworld. The idea is to take an IT/tech news story from the past couple of days, and tell the world what bloggers are saying about it.

The column recently won an American Society of Business Press Editors award. Hurrah.

For your delectation, here's a quick roundup of last week's efforts...

Fri 10th: Untangle untangles AV testing mysteries (and ant joke)

Fancy seeing you here. It's Friday's IT Blogwatch: in which we find an interesting test of anti-virus engines at LinuxWorld. And did you hear the one about the ladybug and the ant?..

Thu 9th: Go green: climate change changing data centers (and !bug)

It's an inconvenient Thursday's IT Blogwatch: in which we examine power-saving data centers. Not to mention the classic QA joke, reinterpreted as visual pun...

Wed 8th: New iMacs, iWork, iLife, iEtc. (and pukelight)

Boom! It's Wednesday's IT Blogwatch: in which Steve Jobs unveils a load of new Mac stuff. Not to mention the LED flashlight that makes its victims vomit...

Tues 7th: Linux StinkPads ahoy! (and compendium vol 10)

Strike a light, Mary Poppins, it's only Tuesday's IT Blogwatch: in which ThinkPads are to officially run Linux. Not to mention something for everyone in today's "And Finally"...

Mon 6th: Dateline Las Vegas: hackers whack a mole hack (and outed-FSJ)
Monday's IT Blogwatch: in which an undercover NBC reporter gets busted at DEFCON 15. Not to mention Fake Steve Jobs revealed...

C/R and "Spam Index" Conversation Roundup

I wanted to pull together some of the conversations that have been flying around recently about challenge/response spam filtering and this "spam index" idea. As is often the case, quite a bit of the value is in the conversation, in addition to the original posts, hence this roundup...

Anonymous:

As the holder of a domain name frequently forged into the From: or Reply-To: fields of spam, I can testify for certain that it doesn't work. In fact, whenever I receive a challenge to one of those forged addresses, I make sure to reply to it to make sure the spam gets through. Petty, perhaps, but I'm not being paid to filter C/R users' spam, so I'll pass it through.

Dean Harding:

I'll admit I was a bit suspicious that if challenge/response was such a panacea why were there not more people using it? My point was not that people should start using challenge/response, though, it was more to just point out that many people are still not happy with their spam filtering.

Len Dressler:

[Richi,] you're really kind of a dork ... It appears you have some sort of agenda of your own, fairly skewed towards blacklist and the like, which from an IT managers perspective, is a joke.

Richi:

Len, you're entitled to your opinion, and I will defend your right to express it to the best of my ability. Fact is, state of the art spam filters catch 95-99% of spam, with a vanishingly-small false positive rate. Such spam filters use a combination of techniques ... I see no evidence that a single approach—such as IP blacklisting—is viable.

Anonymous:

I was interested in learning of Peter's methodology ... I attempted to register on his web site in order to download a copy of his report. I'm still waiting for a response, who knows maybe his acceptance e-mail was justifiably intercepted by my spam filter.

Sandman:

If its my inbox, it is a communication tool for me, and I own the right to ask people to verify they are who they say they are.

Don Marti:

I see lots of “I just started using C-R, it’s great” posts, but no “I’ve been using C-R for years and it’s great” posts. C-R is something that you try and give up on. Or, in my case, watch other people try and give up on.

Anonymous:

Effective spam control is possible. It doesn't require cumbersome and work-flow disruptive band-aid solutions like C/R ... What's needed and has been proven to be most effective is a human feedback component. Several of the best anti-spam products available today include this as part of their toolset.

This is not to say that you need a solution where YOU have to be the human in the loop. The best vendors in the space do that for you and push new rules out to their customers every 10 mins or so.

Devil's Advocate:

Asking various people "how happy" they are with their present anti-spam product has absolutely no bearing on the effectiveness of those products ... if you ask if a C/R user sees less spam, you're going to get a "yes". But, what if you ask all the innocent 3rd parties that receive the challenges (which the C/R user doesn't see)? ... All C/R succeeds in doing is displacing the original spam volume in favour of its own variety of spam ... [and] shows a blatant disrepect for the health of the Internet.

Anonymous:

Nonsense - I am no expert, just a user, but every fact you make is wrong.

Richi:

In my spamtrap archive, I have several samples of inappropriate challenges from every C/R system known to me. Just in the past month, I've got challenge-spam from: [long list deleted]
...
Still don't believe that C/R systems send spam to innocent 3rd parties?

Peter Brockmann:

Your last post proves precisely the point. Users don't care and shouldn't have to care about what falls into YOUR inbox, only what falls into THEIRS.

Richi:

So users don't care that they're sending spam, as long as they don't get any?
...
Increasingly, the main issue with C/R isn't that it annoys innocent 3rd parties -- it's that the backscatter hits spamtraps, causing legitimate challenges to go undelivered. Hence, the false positive rate of C/R is actually surprisingly high.

Ask a C/R user about this though, and they'll often be blissfully unaware. It's hard to know when one is missing a legitimate unsolicited message from someone you don't know.

David Merrill:

For recipients, challenge-response and sender verification methods are good, but their use can get your domain blacklisted. Why? Because each incoming message, spam or not, generates an outgoing message, and spammers can (and do) use those in denial-of-service attacks.

Justin Mason:

Focussing the debate on the “user’s inbox” ignores the overall picture, including everyone else’s mailbox, which is where C/R fails.

But my favourite comment has to be from Al Iverson, on the membership-only list, SPAM-L (Al kindly gave me his permission to be quoted here):

C/R is trapped in this eternal September of newbie solution developers who think they're the bee's knees because they figured out how to implement a "new" version of C/R (which is usually exactly the same as every other one). Then they act like a kicked puppy when we don't jump for joy over how awesome it is to see...yet another implementation of C/R.

Eternal September of newbie solution developers? Priceless!

Last week's IT Blogwatch roundup

As you may know, every day I write the IT Blogwatch column for Computerworld. The idea is to take an IT/tech news story from the past couple of days, and tell the world what bloggers are saying about it.

The column has just won an American Society of Business Press Editors award. Hurrah.

For your delectation, here's a quick roundup of last week's efforts...

Who wants a free Google phone? (and comic() {comic();})

Can you hear me now? It's Friday's IT Blogwatch: in which the oft-rumored Google phone gets closer, perhaps. Not to mention a recursive comic-strip...

Something wireless in the AAir (and LOLpresidents)

I'm your humble blogwatcher, fly me. It's Thursday's IT Blogwatch: in which American Airlines and others test in-flight Wi-Fi. Not to mention some hilarious politician macros...

Microsoft's OSI open-source offer (and Nasha... hic!)

Rabbits, white rabbits on Wednesday's IT Blogwatch: in which Microsoft "embraces" open source licensing. Not to mention how NASA discovered those naughty drunken astronauts...

Grub-by open source searching (and weirdest mating ritual)

It's Ruby Tuesday's IT Blogwatch: in which Wikia buys Grub, in Jimmy Wales' bid to take over the world's knowledge. Not to mention the courtship dance of the waved albatross...

And so the iPhone class-action action begins (and recut trailers)

Yes, iT's Monday's iT Blogwatch: iN which we learn of an iPhone class-action lawsuit. Not to mention some more recut classic movie trailers...

Who is Peter Brockmann?

So, according to one Peter Brockmann, challenge/response (C/R) spam filtering is a wonderful thing, and beats all other anti-spam techniques into a cocked hat.

Huh? What? How did he come to that conclusion?

I've beaten the "C/R filters are a terrible idea" meme to death, as have many others, so I'm not going to repeat all that here. If you're new to the arguments, take a stroll through these posts (perhaps you should work from the bottom up).

But I was about to write about Peter's methodology. However, it would have been an identical post to the one Justin Mason wrote -- he beat me to the punch. So here are Justin's money quotes:

The “Spam Index” is a proprietary measurement of spam filtering, created by Brockmann and Company. A lower “Spam Index” score is better, apparently, so C/R wins!
...
However — there’s a fundamental flaw with that “Spam Index” measurement, though; it’s designed to make C/R look good ... The “Spam Index” therefore considers a false negative as about as important as a false positive. However, in real terms, if a user’s legit mail is lost by a spam filter, that’s a much bigger failure than letting some more spam through. When measuring filters, you have to consider false positives as much more serious!
...
[And] the situations where C/R fails are ignored. Is it any wonder C/R wins when the criteria are skewed to make that happen?

I too took a close look at his methodology. It is really, really, horribly biased in favour of C/R. Unbelievably so. By orders of magnitude, arguably.

The idea is that one can come up with a neat "score" for the performance of a spam filter -- of course, the exact composition and weighting of such a score can sway the results in any direction one chooses.

Statistics aside, asking C/R users if they're happy isn't the be-all and end-all of anti-spam research. C/R users may indeed be happy -- happily unaware that their spam filter is sending spam by replying to innocent third parties who's addresses have been forged by spammers.

(As an aside, I note with amusement that Peter mis-categorizes Commtouch and IronPort as DNSBLs -- which he calls "RBLs", so perhaps Trend Micro should whine at him about trademark infringement.)

So what's going on here? I first came across Peter earlier this month, when I noticed some rather odd edits to the Wikipedia page about Challenge-response spam filtering made by one Pjbrockmann. The edits did rather deviate from Wikipedia's prized "neutral point of view" (NPOV). I also noticed a sneaky link back to his site from the page: naughty-naughty (as a great philosopher once said).

So, let's check out brockmann.com. The About page says, "Brockmann is a Wikipedia contributor." Well, golly, so he is. (Perhaps I should add that to my puff piece too.) His Wikipedia contributions extend to being dinged twice in April and June for spam and non-NPOV (the more recent issue noted above would make it three). Not so great.

Justin alleges that Peter has a relationship with Sendio. I don't know about that, but I do see he also mentions SpamArrest as an example of C/R. But does this (presumed) relationship stop him being objective? As Steve Hunt says, it, "Depends on what you mean by objective":

We are all mere mortals, and my own personal preferences will be very clear in the posts. Actually, my personal preferences and biases pay the bills ... Does that make me less than objective? I don't think so, but use your own judgment ... I commonly won’t expose which vendors I’ve helped because – frankly – it’s none of your business. It doesn’t change my ability to speak frankly and truthfully, and you might look at the list of companies and assume some bias that really doesn’t exist.

I like how Steve puts this, but I differ from Steve and Peter in that my personal preference is to maintain a list of clients in public (it's not a complete list, mainly for reasons of confidentiality -- e.g., when I've worked on expert witness contracts). So I guess you might look at that and, "Assume some bias that really doesn’t exist."

But, as an independent adviser/analyst/consultant, I also hope that you'll find that what I have to say is actually true.

Much Love to robtex.com

Oh this is pretty (also pretty useful):

If you click on the graphic above, Robtex will show you all sorts of useful information about your IP address (or any other you care to mention). The self-styled "swiss army knife internet tool" moniker is very apt.

I particularly love the graphical DNS graph if you type in a hostname. DNSBL aggregation is good too.

Better than DNSstuff. Recommended.

Hat tip: AntiSpamBloke (you know who you are).

Scalix bought by Xandros

My spies tell me there's big changes afoot in San Mateo (and smaller changes in Reading).

Despite the strength of the underlying technology (HP OpenMail, yes I'm biased), Scalix didn't seem to be making its numbers. From the reports of "13 engineers and sales support staff" I imagine that a number of people got made redundant recently.

Xandros and Scalix have been working together for a while now, so I suppose this acquisition makes as much sense as any.

Presumably Scalix now can't get sued by Microsoft for violating Exchange patents? ;-)

Google Acquires Postini

Google announced that it has agreed to purchase Postini for $625 million in cash. Why?

Postini is best known for its managed ("hosted", "on-demand") spam filtering service, but that's not what attracted Google. Gmail and its Google Apps. cousin already have sound spam filtering technology -- they don't need help from Postini.

What Google needed was a way to round out its Google Apps. story with solutions for its customers' policy, compliance, and archiving/e-discovery needs. Google was already partnering with Postini to provide this for Google Apps. customers. Presumably the experience was a positive one and Google simply wanted to own the technology and people.

Google's statements hint that the lack of Google-owned technology in these areas has been a sales inhibitor:

Many businesses have been forced to choose between innovation on one hand, and these backoffice mandates on the other. In effect, many businesses use legacy systems not because they are the best for their users, but because they are able to support complex business rules. We agreed to acquire Postini in order to create a more complete Google Apps solution that addresses the information security and compliance issues facing businesses of all sizes.

Greetings Card Trojan Spam gets Timely Subject Morph

Looking at my spamtraps this evening, I see our "fake online greetings card" chums have switched from their previous boring subject lines to new ones, commemorating U.S. Independence Day.

The new subjects include:

4th Of July Celebration
America the Beautiful
America's 231st Birthday
Americas B-Day
Celebrate Your Independence
Dump tea in the harbor
Fourth of July Party
God Bless America
Happy 4th of July
Happy Birthday America
Happy Fourth of July
Independence Day At The Park
Independence Day Party
July 4th B-B-Q Party
July 4th Family Day
July 4th Fireworks Show
Your Nations Birthday [sic]

Update: my chums at Symantec calculate that they blocked 5.5 million of these during just five hours on July 3.

(In case you've been living under a rock, these messages include a link that tries to infect the victim with a Trojan.)

Srizbi Spam Bot is Nastier than we Thought

According to Symantec's Kaoru Hayashi, last month's Srizbi Trojan is nastier than it at first appeared. It could be a peek at things to come in the world of spam-sending bots.

Naturally, as a malware geek, Hayashi doesn't call it "nasty" -- he says "really interesting":

Trojan.Srizbi is really interesting for some unique features. Trojan.Srizbi driver (windbg48.sys) has two main functions: hides itself using a Rootkit and sends spam, but the thing that makes it really unique is the fact that its probably the first full-kernel malware spotted in the wild.

Once the Trojan is installed, it works without any user mode payload and does everything from kernel-mode, including sending spam ... The most interesting code is contained in the spam routine. We know that using network functionalities directly from kernel-mode is much more complicated and we have seen many rootkit threats in the past - for example, Haxdoor, Rustock, and Peacomm - always carrying over a user-mode payload that gets injected into some Windows processes. Trojan.Srizbi seems to move a step forward by working totally in kernel-mode without the need to inject anything into user-mode.
...
We think this sample is still in a “beta” stage and it’s not finished yet.

The implication being that, if a future version of Srizbi fixes the problems that currently make it visible, detection gets a lot harder. Needless to say, that may well cause more spam to get sent before an infection could be detected and remediated.

I especially liked this bit:

[It] seems to include a special routine to uninstall competitor rootkits, such as “wincom32.sys” and “ntio256.sys”.

Classy.

The DHS is a Wonderful Organization

So I hear the U.S. Department of Homeland security has been having one or two problems with its computer security:

A subcommittee of the Committee on Homeland Security ... expressed "shock and disappointment" that the DHS had reported as many as 844 security incidents in fiscal years 2005 and 2006. The incidents occurred on IT networks at DHS headquarters, and those belonging to Immigration and Customs Enforcement, Customs and Border Protection (CBP) and the Federal Emergency Management Agency.

The security issues ... included one in which a password dumping utility was found on two DHS servers. In addition, Trojans and other malicious programs were found on numerous agency servers, and classified mail was found to have been sent out over insecure networks.

Trojans? Unencrypted sensitive email? Oh, big fat hairy deal. C'mon, this is nothing that you couldn't find in most organizations of that size. It's hardly DHS's fault.

Give them a break. In fact, give them all a big pay rise -- especially those nice officers who work the immigration and customs desks at America's fine airports (and the ones who sit in Canada, too). I do like them a lot, and look forward to my time chatting with them every time I visit the U.S.

They are all, without exception, wonderful people, and anyone who says otherwise is probably some sort of terrorist.

A (Partial) Spammer Taxonomy

I was recently asked by a journalist, "So who are these spammers, anyway?"

There are many different types of spammer. Here are some examples:

• Affiliates of vendors of products that can cause embarrassment (e.g. pills and porno). Such spammers get paid by commission on sales. Some of the products may be genuine; many are fake or of dubious quality. See Why You Shouldn't Buy from Spammers
  
• Criminal gangs intent on driving up the price of a stock. They will have bought the shares before sending the spam and then sell their shares when the price rises. This is known as "stock kiting" or a "pump and dump scam." See Pump'n'dump: it's all About the Timing, Baby
  
• Advance-fee fraudsters. They write pretending to have access to a large amount of money and need your help to transfer it to another country. They offer a percentage of the money for your help. Often originates in Nigeria. Also known as a "419 scam." See Evidence of 419 Scam Targeting Using Google
• Companies that don't respect unsubscribe requests. See ZD are Spammers!
  
• Companies that, after you sign up for newsletter "A" also send you information about topic "B." This is known as "List repurposing." See Techweb Spams me; Am I Impatient?
  
• Legitimate companies who have bought lists of email addresses in good faith from liars. They are told that the names on the list are willing to receive unsolicited email, but actually the list is just names harvested from Web pages or stolen from address books. Such companies should perform better due diligence, but often don't.

See you at Inbox/Outbox this Week?

I'll be keynoting again and sitting on the Spamhaus panel. I'm also running an extra session about sender authentication (i.e., SPF and DKIM).

Everything's repeated both days, except the panel, which is only on Tuesday.

If you can't find me, text me on +447789200701 (assuming you want to ;-)

Weird Story in Computerworld

Greetings from Vegas.

My chums at Computerworld have put up a very oddly-written story today. It seems that Kingfisher Bay, an Australian resort, was using an "aging" version of Symantec's spam filter. Surprise-surprise, old versions of spam filters don't work very well, letting through a lot of spam.

In fact, it turns out that the resort wasn't using the Symantec Brightmail technology at all. It was still using the old, pre-Brightmail engine. Oddly, Symantec still sells this -- can't see why that's a good idea.

Anyway, it sounds to me like the company decided it wanted to use a managed service, rather than an in-house solution. Many smaller organizations are making this choice. Their obvious targets are MessageLabs, Postini, Microsoft (née FrontBridge), or a bunch of smaller/regional providers.

In the end, they chose MessageLabs. Naturally, MessageLabs is crowing to the press about how it's gained a customer from Symantec.

But hang on, doesn't MessageLabs use Symantec Brightmail anti-spam for its service? How ironic...

Greetings from Orlando

Greetings from Tech-Ed, where some enterprising soul pointed a cam at the keynote's opening skit.



Bob [Muglia], meet Bob!

See You at Microsoft's Tech-Ed or Symantec's Vision?

This week, I shaaall mostly be in Orlando, for Microsoft's Tech-Ed bash.

Next week: Vegas (baby) for Symantec's Vision.

Email or text me (+447789200701) for meetup coordinates.

Zulfikar Ramzan is Correct About Phishing

Zully is right on in his demolition of Mikko Hypponen's idea for a ".bank" TLD.

Writing on Symantec's Security Response weblog, he basically urinates all over Mikko's plan (although he's a lot more diplomatic than that). Some choice cuts:

Phishers don’t have to use the .bank extension and most users will fail to notice ... if you look at almost every phishing site these days, the URL itself is a blatant giveaway that you’re not at an authentic site
...
The proposal will also lull users into a false sense of security for a number of reasons ... The bad guys may still be able to get .bank domains ... won’t stop phishing attacks that exploit cross-site scripting vulnerabilities ... Browsers are sometimes susceptible to address-bar overlay vulnerabilities. [read more]

Or, to put it another way, the problem with this proposal is that roughly half the population have below-average intelligence (hat tip: APHC).

Sure, it's easy to be a critic, but such ideas just waste energy that could be ploughed into useful furrows, such as DKIM and domain-level reputation.

See also: BofA Sitekey, Yahoo! Signin Seal, etc., etc.

Soloway Arrested

I guess it's OK to call Robert Soloway a spammer -- he's already been convicted in U.S. civil charges of spamming in 2003.

This time though, he's been arrested on criminal charges, brought by the FTC. The list of laws he's alleged to have broken is extensive:

• 10 counts of mail fraud
• 5 counts of wire fraud
• 5 counts of identity theft (aggravated)
• 13 counts of money laundering
• 2 counts of email fraud (the only counts related to the CAN-SPAM Act)

If convicted, the possible penalties add up to a very long time in jail. Aunty Beeb thinks 65 years, but that estimate might be on the high side...

Assuming that he didn't give up spamming in 2003, his arrest (so far without bail) should at the very least cause less spam to be sent (i.e. the spam that would have been sent by him while he's under arrest). If he gets jail time, so much the better.

So far, all the high profile civil spammer convictions have involved fines, with the exception of Jeremy Jaynes. These fines seem on the face of it to be large, but in comparison with the money earned by successful spammers, not so much.

While those convictions increased spammers' fear of getting caught, they also served to publicize the amounts that successful spammers can make -- it may have actually encouraged new spammers to enter the game. That's the law of unintended consequences in action.

This is how the law works. Laws encode a society's terms of acceptable behavior. The credible threat of punishment removes the incentive for bad actors to... well... act badly.

The various laws that prohibit spamming just got much more credible.

More: Seattle PI / TechMeme

Palm Foleo: What the UMPC Should Have Been

Lots o'chatter today about Palm's new toy. Sounds to me like what Microsoft's Origami/UMPC should have been: light, focussed, inexpensive, instant-on.

Most criticism boils down to, "It's not a full-featured Windows laptop." Well, duh!

Let's see: Ultra-light / Inexpensive / Full-featured -- Choose any two.

In many ways, it tries to solve the same problems as the Nokia 770/N800 line -- but in a more conventional form-factor (i.e., it has a keyboard). Hopefully Palm can encourage a lively developer community at least as strong as Maemo's.

Update: here's Palm's Jeff Hawkins showing off his new baby:

Yak 9B Almost Crashes at Airshow

Ouch. Egg meet face.

Here, for your delectation is the luckiest stunt pilot in the world.



Video hosted at break.com

Hat tip: Sulako.

Locally-Maintained Reputation

In response to yesterday's blog post, Cisco DE Jim Fenton* wrote:

reputation can be locally-maintained. Local reputation is not as powerful as shared reputation services, but does provide benefit in the short term.

Yes, that's right. Local domain reputation is often expressed in terms of whitelists and blacklists. Without sender authentication, these are notoriously unreliable.

It nicely illustrates one of the benefits of authentication.

For example, users of anti-spam filters sometimes find their colleagues' email in the quarantine, so they add a wildcard whitelist entry for their domain. They soon discover that a significant chunk of spam will have their domain forged into the sender address. Without sender authentication, there's not a lot can be done about this.

However, with sender authentication, you can have a whitelisted domain entry that only allows the message a free pass if the authentication passes -- otherwise the normal spam filtering rules apply.

You could even impose a local policy that says if a message "from" our domain fails authentication, we'll reject it as spam, but this is probably too risky, at least in the early stages of deployment.

* - well, they claimed to be "Jim Fenton" and I assume it's that Jim, but perhaps it was a dog

CNET's Error Explaining DKIM

Declan McCullagh, writing in CNET, makes the standard schoolboy error of assuming that email sender authentication technologies are "antispam techniques."

They're not.

DomainKeys Identified Mail (DKIM) and other sender authentication technologies are simply ways to detect forgeries. At best, they give a partial indication whether a message is spam or not, but their main use is to allow recipients to look up the reputation of the sending domain.

Detecting phishing attacks via sender authentication depends on legitimate senders, such as PayPal, publishing information in the DNS. An email that purports to come from paypal.com can then be verified against that published information.

Of course, this doesn’t stop phishers from using similar domains, such as verify-paypal.com. Many users won't notice the difference. A DKIM test will "pass" because the bad actors own the fraudulent domain.

In other words, DKIM alone is almost useless. That's why we also need domain-level reputation services.

For several years, spam and virus control has been assisted by the use of DNS blacklists (DNSBLs). These list rogue IP addresses and address ranges that have been observed sending spam, viruses, or other undesirable content. The lists are interrogated in real time, usually via a DNS query. Several spam control vendors use a form of DNSBL, known as a reputation service. These provide a professionally run service that rates the reputations of IP addresses—good, bad, or unknown.

So today, we have IP address based reputation services, but not the ability to track and report the reputation of a sending domain. In the future, reputation services will be able to track the reputation of sending domains, as well as of IP addresses. This is not possible today, as the purported sender of a message is too easy to forge.

Email sender authentication techniques such as DKIM thus provide the missing piece of the puzzle, by allowing services to track the reputation of a domain. So, as the use of sender authentication becomes more widespread, reputation services will become more useful.

And with sender authentication becoming more popular, trusted authorities need a standard mechanism to vouch for a domain name. For example, a receiving mail system may be able to use SPF/SIDF or DKIM to verify that an incoming message was sent by example.com, but it currently has no standard way of deciding if it wants to receive email from that company.

The Domain Assurance Council (DAC) plans to solve that problem by publishing reputation or accreditation data about a domain name in a standard form. This standard, called Vouch By Reference (VBR), will create a market for organizations that vouch for domains, allowing its members to compete with minimum friction.

By the way, according to his Politech bio, Declan McCullagh is CNET's chief political correspondent, as well as being a rather good photojournalist.

Flies, Maggots, and Russian Brides

Symantec has its latest monthly "State of the Spam Union" report out. A couple of things caught my eye:

1. [REDACTED] is America's most disgusting hamburger restaurant ... food is full of dead insects, such as flies and maggots -- delightful little anti-brand spam this. Must be pretty low volume though, 'cos I've not seen one in my traps.
2. A new use for tweaked images, where each spam message has a slightly different image -- oft-used in stock kiting spam, they're now being used to spamvertise Russian brides! Is nothing sacred?

Naive Bulk Emailers Howl in Protest

This is Andy Oram: pianist, CPSR member, and O'Reilly book editor. Andy's latest weblog post is a quiet rant about how difficult it is for new bulk email senders to navigate around a twisty maze of spam filters.

For example, he writes:

Just this morning, board members of a non-profit I volunteer for were complaining to me that email to board members gets trapped as spam
...
Ryan Bagueros ... told me lots of promising social networking companies are stymied because the emails they send members and prospective members get trapped by spam filters–especially at the major email hosting sites.

My sympathies. But there are two sides to every story.

On the other hand, some social networks behave idiotically and totally deserve to have their mail eaten.

Case in point: tagged.com, which -- let's be charitable -- was less than transparent in its description of what happens when new users signup.

Actually, no. Let's not be charitable. Let's tell it how it is. Email from Tagged.com is spam. It asks new users for the password to their [Hotmail|Yahoo|AOL|Gmail] account. Then, without warning, it spams all the addresses in their address book.

I carefully went through the signup process, using a test Gmail account. This is not a case of clueless users blindly clicking OK.

While I'm on the subject, a general point about email n00bs.

There's a pervasive naivety about what it takes to successfully send legitimate bulk email. It's not as simple as popping a default install of Sendmail onto a DSL connection someplace and expecting the whole world to be overjoyed that you're sending them mail.

Often, people don't know they need help, blindly assuming it's their "right" to have their email delivered to anyone they choose, regardless of how poorly they send it.

Two examples; there are plenty more:

1. Get your FCrDNS right. Don't know what that is? Look it up in Wikipedia. Still don't understand? You probably need help.
2. Behave correctly when presented with a greylisting tempfail. Don't know what that is? Look it up in Wikipedia. Still don't understand? You probably need help.

As I say, plenty more where those came from...

BlackSpider Acquired... Again

Less than nine months after SurfControl bought BlackSpider, it seems that Websense is buying SurfControl. Wow.

BlackSpider is an email- and Web-filtering service. Variously described as "managed", "hosted", "on demand", or "in the cloud", the BlackSpider service competes with the bigger fish such as MessageLabs, Postini, and Microsoft -- the service it acquired with FrontBridge.

In related news, BlackSpider revenues are now about £5,500,000 (US$11M at today's excruciating exchange rate). 40% growth ain't bad.

My chums at BlackSpider must be rubbing their hands with glee. James, Jeff, John, Jonathan, Kevin, et al -- the beers are on you.

PS: calling SurfControl and Websense's PR/AR teams: how come I had to read about this in the Sunday Times first? (Bizarrely, in an article about Peter Gabriel's We7.)

Thoughts on Network Neutrality

Update: clarified the point about IPv6 (see the comments)

Our old friend Curt Monash has a think-piece about net neutrality up on his weblog. In it, he argues for ISPs to sell a premium service tier for high-bandwidth/latency-sensitive applications:

The current Internet [can't] well support … communication-rich applications such as entertainment, gaming, telephony, telemedicine, teleteaching, or telemeetings.

A bold assertion. Certainly if t’were true the anti-neutrality camp would have a point.

I’m not 100% in either camp, but my gut tells me that today’s IP routing technology is holding up well. It’s the lack of investment in sufficient peering bandwidth and router horsepower that’s letting the side down. That and the criminally glacial progress towards RSVP-TE (RFC3209) with label switching and IPv6, a combination that would allow much better traffic prioritisation.

He later clarified his assertion:

I think that in a high fraction of applications that amount to real-time communications, good quality will entail seriously sub-second latency. I don’t think it will soon be affordable to provide that kind of QOS for all traffic. Ergo, tiering. Until we get to unmeteredly-cheap, just-like-being-there transmission of full-room-sized sounds and images, there will be a place for differentiated QOS.

Here's the thing... Those of us that live the other side of the Atlantic live with 250ms latency every day, when we connect to services hosted in North America. I dare say the same is true for those on the other side of the Pacific. There's not much getting around the speed of light.

Yet stuff still works just fine. TCP is designed to get the best out of a latent connection. Even if that latency is unpredictable/chaotic (as is often the case with latency caused by congestion).

I recently ditched my old ISP. It got taken over by a company that appear to be running into the ground. Typical latencies over the first hop grew from 20ms to 500ms (often higher). But even though there was severe network congestion, stuff still worked fine.

Of course, if an application writer makes assumptions that ignore realities such as the speed of light or temporary congestion, their application's going to behave badly. But no premium QoS in the world is going to help that.

My sense is still that the ISPs that are complaining about net neutrality are simply being greedy and don't want to invest money to cope with the growth in usage.

There are perhaps some lessons to be learned from the experience of UK ISPs when many users' connection "suddenly" jumped from fixed-rate DSL connections in the 512Kb/s - 2Mb/s range to an "up to 8Mb/s" service that offers the highest speed that the phone copper can support. How the various ISPs coped with the associated jump in demand makes for a salutary tale.

But that's the subject of another post, some other day...

Update: clarified the point about IPv6 (see the comments)

Stupid Blog Service

Sorry for all the old posts re-appearing as new ones in my feed. Looks like a news version of Blogger decided that adding a category makes an old post new again. Sigh.

More About the CEAS Spam Control Bake-off

Last week, I wrote about the CEAS 2007 Live Spam Challenge (CEAS is the Conference on Email and Anti-Spam). I opined that fair comparative testing of spam control technologies is extremely difficult, especially when behavioural analysis techniques such as greylisting and OS fingerprinting are part of the spam control technology mix.

I wanted to clarify that the test isn't intended to evaluate the relative strengths and weaknesses of existing spam control products (that would be extremely difficult to do fairly, as last week's post pointed out). The intention is to compare some promising new content-based filtering techniques -- techniques that might be employed as components in a cocktail of techniques used by a spam control product.

As Gordon Cormack, one of the test's co-organizers, wrote:

An open competition attracts all sorts of techniques that can be vetted. The methods that are uncompetitive can be discounted, and the "greatest hits" can be tested ... in combination with greylisting ... and other intrusive techniques.

...

One popular fallacy that I run into all the time is, "this test has limitations, so it shouldn't be done." All tests and experiments have limitations, and the scientific method involves identifying them and constructing specific experiments to see how much the limitations matter, not witholding all tests until the perfect one can be done (which, of course, it can never be).

Chatroom Pimping: New Spam Technique

Interesting spam from Taiwan. Just a single line containing a link to a Skype chatroom. What caught my eye was the chatroom subject embedded in the link:

Special price of the wrist-watch

Random thoughts:

• Clearly what's going on here is the need for spammers to remove as much Bayesianable text as possible from their messages.
• There probably needs to be a way that we can report these to Skype so they can quickly take 'em down. Spamcop doesn't work -- Skype is refusing abuse complaints.
  
• Presumably if you were foolish enough to join the chat, you'd get bombarded with ads. for fake Rolexes and the like. Possibly also a vector for malware.

I was foolish enough, but the host was offline. Watch this space for updates on what happens...

IDC's Spam Stats are Conservative?

Mark Levitt is the "Program VP for Collaborative Computing and the Enterprise Workplace" at IDC. His name is on a new report that includes some stats that have raised a few eyebrows.

Ars's Nate Anderson said:

New research from IDC claims that this will be the year in which spam outnumbers person-to-person e-mail for the first time.

Huh? Don't we hear from anti-spam vendors all the time that spam is 60, 70, 80, 99% of all email? Is Levitt living in a timewarp?

Well, reading between the lines of IDC's press release, it seems to me that we're comparing apples with oranges. I think Mark is including the number of legitimate messages that stay inside an organization. This is typically a whole lot more than the amount that comes in from outside. It might easily double the number of messages a user receives.

According to my latest estimates, an "average" email user (whatever one of those is) receives around 40 spam messages per day and 15 legitimate. Me? I get more like 500 spams/day, but that's including several spamtraps.

I love Brad Linder's comment:

Spam filters are a lot better than they used to be, so really what this means is that nefarious companies will continue to send messages that nobody will read this year.

Oh yeah, and the Ars story got dugg, too...

[Hat tip: Techmeme]

CEAS Spam Filter Bakeoff

The fourth Conference on Email and Anti-Spam (CEAS) is planning a bakeoff this year. In the CEAS 2007 Live Spam Challenge, the organizers hope to simultaneously inject a live stream of spam and legitimate email into several spam filters over a 24 hour period.

However, fair comparative testing of spam control technologies is extremely difficult -- by some measures, it's impossible. Because some promising filter techniques rely on examining the real-time behaviour of the sending machine, it proves tricky to provide the exact same stream of email to all the filters at the same time.

For example, some filters attempt to "fingerprint" the sending machine's operating system -- the idea being that, say, a Windows 98 PC has no business submitting email direct-to-MX. In a test that replicates an inbound email stream to several servers, it's tricky to allow the receiving filters to send IP packets back to the true originating IP address in such a way that is fair and equitable for all test participants.

In its defense, CEAS recognizes this difficulty by excluding greylisting from the list of permitted techniques. I'll be watching this one with interest.

Juxtaposition: Kathy Sierra / Personal Branding

It's ironic that Kathy Sierra's experience of the downside of being notable on the internet comes at the same time that people are talking about how employers increasingly see a lack of personal branding as a negative when hiring.

My daily Computerworld column, IT Blogwatch, has more today (but I redacted all the names of the alleged perps. -- don't want to repeat unproven accusations).

Bill Gates Evangelizes Small Teams

In 1989, Bill Gates gave a talk to Computer Science Club of the University of Waterloo. It's recently been made downloadble. An at-times-fascinating listen, he makes this interesting -- yet ironic -- point.

Small teams are good. Organizing software development in small teams keeps your business focussed, efficient, and nimble. In my experience, Bill is right on. All the best and most productive dev teams I've worked on (and with) were between two and four people.

What a shame Microsoft today doesn't practice what Bill preached 18 years ago.

Update: Christophe de Dinechin makes a similar point. HP Integrity VM? Isn't that what used to be called HP Virtual Vault? Wow, small world. Anyone remember OpenMail Anywhere?

Confused About MAPI/RPC, the "Outlook-Exchange Transport Protocol"?

As David and I wrote earlier, Microsoft is now licensing the Outlook-Exchange Transport Protocol. I'm seeing a few people out there confuse this with MAPI. It's not, it's actually something related but different.

You see, MAPI isn't a protocol, it's an API. A protocol is "bits on the wire". An API is a programmatic interface (e.g. the calls implemented by a DLL or shared library).

The protocol is often known as MAPI/RPC (i.e. a remote-procedure-call encapsulation of MAPI -- although it's not as simple as that). Microsoft now has an official name for MAPI/RPC and now are licensing it.

Vendors using MAPI/RPC include:

• PostPath reverse-engineered it to create a Linux-based Exchange replacement
  
• Cemaphore licensed it to create a disaster recovery product
  

In OpenMail and Samsung Contact, we developed a MAPI service provider -- what some people call an "Outlook plugin". This basically translates the API calls made by Outlook into some other API (e.g. OpenMail's UAL or some standard like IMAP). OK, that's an over-simplification, but let's ignore that for now. Scalix continues with this OpenMail-inherited architecture, albeit much-enhanced.

Other vendors created an ugly hack that synchronized its server mail store with an Outlook personal store (PST) file. They'd run a task that would try to keep track of changes in one store and reflect them in the other. (Emphasis on the try, 'cos it didn't always work terrifically well ;-)

Email Marketer helps Spamhaus

This is Derek Harding. Derek is the CEO of an email marketing service provider. No, wait, don't hate him. His company, Innovyx, has signed an amicus brief to support Spamhaus's defence against e360Insight's lawsuit.

(If you've been living under a rock recently, you might not be aware that e360 objected to Spamhaus's assertion that it sent spam, despite numerous documented examples.)

Derek obviously comes at this from a different angle from us spam-haters, but it's nonetheless interesting and a useful addition to the debate. His opinion piece makes interesting reading as a level-header clarion call to legitimate email marketers to do the right thing. Here are some edited highlights:

Everyone knows spam is a problem ... the e-mail infrastructure is under serious attack and is struggling to cope. Meanwhile, many marketers view anything that restricts their ability to send whatever they desire as something to be fought. At best, blocklists and spam filtering systems are viewed as inconveniences to be evaded and worked around. At worst, they're seen as an illegal restraint on trade to be attacked in the courts. Best practices can be ignored when it's inconvenient, and the law is the minimum that you can get away with.
...
Spamhaus fills an important, even vital, role. They deserve our support ... What's in it for us is the survival of e-mail. Poor list hygiene, acceptance of bad practices, refusal to outlaw spam, and failure to support organizations like Spamhaus threaten to kill the goose that lays the golden eggs. We must stop being part of the problem and become part of the solution. We must look past getting this specific e-mail delivered to the bigger picture of ensuring e-mail remains a viable medium.

Richi sez: good stuff. Spamhaus is not the enemy of legitimate email marketers who send to people after having obtained informed consent and who honour the withdrawal of said consent.

Symantec's Internet Security Threat Report

Symantec has just released its twice-yearly Internet Security Threat Report. This contains plenty of interesting data from the perspective of Symantec's Security Response team. Well, "interesting" if you're interested in that sort of thing...

Here are some highlights (percentage changes are over a six month period):

• About half of identity thefts are caused by loss or theft of laptops and other hardware containing personal data
• Denial of Service attacks are down about 20%
• Botnet activity is up by about 10% (in terms of number of active zombies)
  • China hosted about one quarter of these zombies -- more than any other single country
  • The U.S. hosted about 40% of the botnet command-and-control nodes
• New vulnerabilities (e.g. in Windows or Web applications) were up about 10%
  • Operating system vendors are taking "longer" to patch vulnerabilities (no quantitative data disclosed)
• The Stration family of worms was the most widely-reported
• Email is still the most-used vector for propagating viruses and other malware -- at about 75%
• Phishing is up 5% in terms of numbers of campaigns, and about 20% in terms of volume
  • Phishing attacks are more likely to be sent on a weekday than at the weekend
• Stock kiting and other financial services spam represented about a third of all spam

Drop Everything and Patch Symantec Mail Security for SMTP

Running Symantec Mail Security for SMTP? Stop what you're doing and download the patch (patch 176 at the time or writing).

Seems like a craftily-crafted incoming message can cause a buffer overrun. This may lead to code execution. [Update: Symantec now confirms that they see no chance of arbitrary code execution, merely denial of service.]

Currently being exploited. The code in question tries to infiltrate a Microsoft SQL Server, presumably in order to steal passwords. Another good reason to segment your servers so that they each have a single role; perhaps using virtualization.

Of course, a patch for this bug has been available for eight months, but that doesn't seem to have stopped exploits causing some trouble over at Turner Broadcasting System.

So run: don't walk. More at US-CERT.

Why You Shouldn't Buy from Spammers

Aside from the obvious ("because it only encourages them"), the U.S. Food And Drug Administration offers another, more worrying reason:

A number of Americans who placed orders for specific drug products over the Internet (Ambien, Xanax, Lexapro, and Ativan), instead received a product that ... can cause muscle stiffness and spasms, agitation, and sedation ... Preliminary analysis indicates they contain haloperidol, the active ingredient in a prescription drug used primarily to treat schizophrenia.

Ouch. No surprise here: spammers are Bad People. Lest we forget, spam isn't merely an productivity-sucking irritant.

I'm indebted to the FDA for providing the following photos and captions. More at the FDA site.

Back photo of yellow Haloperidol with “H 2” imprinted on the tablet.

Front photo of yellow Haloperidol with “Janssen” imprinted on the tablet

Plastic bag containing yellow Haloperidol tablets as received by consumers

Mailing envelope in which tablets were shipped to consumers

Mailing envelope in which tablets were shipped; yellow tablets, and the clear plastic bag in which they were contained. The ruler was placed for size comparison purposes

Mailing envelope in which the tablets were shipped to consumers. The ruler was placed for size comparison purposes.

White Haloperidol in blister pack

Yellow Haloperidol in blister pack