MX Messaging Resources

Happy New Year! 2009 is expected to be a year of more spam challenges and new sophisticated spamming techniques from spammers. Now that the Presidential Election is over we can put the Election Spam to rest, but  thanks to the economy, an increase in targeting the down and out, the tax-rebate-hopeful and the naive pull-yourself-up-by-your-bootstraps market is expected.

According to spam experts, the next few months will be very telling as to how many and how advanced spam and phishing will be in 2009. Spam and Phishing are expected to target taxpayers who are expecting both tax refunds and tax relief under President Obama's proposed stimulus package. Since out tax system does involved the process of collecting personal data, tax time can be tricky for the technology and Internet naive as they may fall victim to professional looking Phishing sites or authentic looking spam emails.

With the jobless rate rising, an increase in spam targeting the unemployed is also expected. Recipients should be wary of mail offering low-cost diplomas and certifications, home-business scams, and also of offers of credit or debt help.

We have also observed that spammers are continuing to piggyback on legitimate newsletters and using the reputation of major social networking sites to try and deliver spam messages into recipients’ inboxes. The social networking spam messages were carefully crafted to closely mimic the legitimate notification emails often distributed from social networking sites.

As always we recommend having up-to-date Anti-Virus software on all local computers and on your mail server as well. We also recommend implementing a Business Enterprise Email Solutions that provide an avenue of protection from Spam, Phishing and Blacklists:

You Manage the Server And Let FlexBox Manage the Security

FlexBox Junk Mail is a complete, enterprise-grade email security solution. By filtering inbound and outbound email traffic outside of your network perimeter, you will improve your mail server’s security, performance and delivery rates.

• On-Demand Email Security For Organizations and Professionals that Manage Email Servers
• Business Grade Inbound / Outbound Email Filtering
• Inbound Filtering: Stop Spam, Virus and Phishing Problems
• Outbound Filtering: Solve Blacklist and Other Delivery Issues
• Proactive Management of Outbound Mail for Blacklist Protection
• Spools Mail Automatically if Your Server is Down
• Improves Security, Performance and Reliability
• On-Demand Service Means No Software, No Hardware and No Maintenance
• Easy Administration makes Managing Your Email Even Easier
• Patent Pending Technology lets You Migrate to Emergency Mail and Managed Mail Instantly, on a Per User Basis

The threats to your email server are daunting. Highly skilled, highly organized cyber-criminals constantly probe for weaknesses to exploit. Without adequate defenses, your server will be flooded with spam, used to send spam, or worse. You shouldn’t have to fight these battles alone...

FlexBox secures your server and keeps you from having to spend time putting out any more email fires.

And, FlexBox Junk Mail is the ONLY email security service that let’s you migrate individual users to advanced or emergency services in real time. You manage the server and let FlexBox and the MxToolBox Email Experts back you up.

Call 866-698-6652 to speak with a FlexBox specialist and start your 30 Day Risk Free Trial.

The Prognosis

If you've seen more spam getting through your filters this winter, it's probably not because the developers and technicians that build and maintain your anti-spam / anti-virus decided to hang out at the pool until Fall. It's likely because the overall volume of spam and viruses continues to push boundaries never before seen. Couple this with the myriad of new techniques and tactics and, well, the security community has to scramble to keep up.

As for MxToolBox, we've worked hard to make sure our FlexBox Email Security Service has provided the highest possible level of protection for our customers mailbox's though this winters spam season.  

Photo Credit: SpamCop

from: Washington Post & Web Marketing & Industry News

In the fallout resulting from knocking McColo Corp. offline, this past week may prove to be a missed opportunity in the prevention of a dramatic reappearance of junk e-mail, as a botnet that once controlled 40 percent of the world’s spam apparently has found a new home.

The botnet Srizbi was knocked offline Nov. 11 along with Web-hosting firm McColo, which Internet security experts say hosted machines that controlled the flow of 75 percent of the world’s spam. One security firm, FireEye, thought it had found a way to prevent the botnet from coming back online by registering domain names it thought Srizbi was likely to target. But when that approach became too costly for the firm, they had to abandon their efforts.

“This cost us a lot of money. We engaged all the right people. In the end, it comes back to the fact that there wasn’t a process in place to do what we were trying to do,” said Alex Lanstein, senior researcher at FireEye. “The day after we stopped registering the domains, the bad guys started picking them up.”

According to FireEye, Srizbi was the only botnet operating through McColo that had a backup plan in case their master control servers were ever unplugged: The malware contained a mathematical algorithm that generates a random but unique Web site domain name that the bots would be instructed to check for new instructions and software updates from its authors.

Shortly after McColo was taken offline, researchers at FireEye said they deciphered the instructions that told computers infected with Srizbi which domains to seek out. FireEye researchers thought this presented a unique opportunity: If they could figure out what those rescue domains would be going forward, anyone could register or otherwise set aside those domains to prevent the Srizbi authors from regaining control over their massive herd of infected machines.

In addition, by registering the domains, FireEye, a startup, could gain valuable intelligence, such as where the individual bots were located and how many there were. The problem, FireEye quickly found, was that each variant was designed to seek out a different set of four rescue domains every 72 hours. To make matters worse, the company identified more than 50 variants of Srizbi in circulation, impacting 500,000 systems. Those that were deficient or ill-programmed in some way controlled fewer victims — anywhere from a few hundred to a few thousand computers. The more virulent strains of Srizbi, however, controlled upward of 50,000 systems, FireEye found.

That meant that to prevent the Srizbi authors from regaining control over their herd, FireEye would have to register more than 450 domains each week just to stay a step ahead of the bad guys. But each domain name registered costs money. FireEye spent $4,000 buying up future domains that might be sought by stranded Srizbi bots.

FireEye researchers thought that with that kind of firepower at their fingertips, they could have instructed each of the infected systems to uninstall the bot program. But the FireEye researchers surmised that such an action would not only be illegal but that commanding all of the bots to uninstall their infectious code would run the risk of doing serious damage to the systems. Srizbi, like most other sophisticated botnet programs these days, hooks into systems at a fundamental level, and removing it occasionally causes an infected system to stop working altogether.

“We could tell these bots to uninstall themselves from most of the machines, and the whole process would probably take a few seconds,” Lanstein said. “But even if it were legal to do this, what would happen if removing the malicious software messes up some of these machines even worse?”

Srizbi had already shown it was fully capable of resurrecting itself. Joe Stewart, director of malware research for Atlanta-based SecureWorks, has documented how the Srizbi botnet’s built-in rescue system can bring a lost herd of hacked computers back into the fold.

In October 2007, a massive blast of spam was sent through the Srizbi botnet promoting U.S. presidential candidate and libertarian Ron Paul. SecureWorks found that the control servers used by Srizbi for that spam run were all located at McColo, and reported the location of those servers to the now defunct hosting provider. Stewart said McColo responded by changing the Internet addresses of those control servers, which was enough to strand all of the bots seeking new instructions. When the backup mechanism in the bots caused them to search for new Web site names a few days later, the criminals who controlled the network were able to regain control over it by registering those Web site names.

A week ago, FireEye researcher Lanstein said they were looking for someone else to register the domain names that the Srizbi bots might try to contact to revive themselves. He said they approached other companies such as VeriSign Inc. and Microsoft Corp. After FireEye abandoned its efforts, some other members of the computer security community said they reached out for help from the United States Computer Emergency Readiness Team, or US-CERT, a partnership between the Department of Homeland Security and the private sector to combat cypersecurity threats.

Officials at US-CERT, however, have not responded to e-mails and phone calls requesting an interview about this story.

If others had gotten involved, there were a couple scenarios that could have played out. One was for an ISP or registrar to gain clearance to “sinkhole” all of the Srizbi bots, essentially tying them up eternally by pretending to have the instructions the bots were seeking but never quite giving those bots the complete answer. The other was for an accredited registrar to register all of the domains sought by the Srizbi variants.

Ultimately, the FireEye researchers, under pressure from their managers to stop incurring expenses for registering the domains stopped their efforts Nov. 24. According to FireEye, sometime on Nov. 25, unknown individuals in Russia apparently registered the remaining domains, thereby regaining control over the world’s largest spam botnet.

Devnet allow our customers to have a 21 day test drive of Postini Email Security, which helps prevent your company from being affected by such issues.

Credit: John E. Dunn, Techworld.com

The dramatic fall in spam traffic reported last week after alleged rogue ISP McColo was taken offline will only be a temporary reprieve and could actually generate a new wave of Trojans, experts have warned.

ISPs disagree on the global percentage drop caused by the shuttering of California-based McColo last week, with estimates given by those contacted by Techworld ranging from 50 to 80 percent, but even the lower figure is still an unprecedented fall in such a short space of time. It appears that even those who were aware of its use as a hosting port had not guessed that a single ISP could be behind such a huge chunk of the world's spam.

"Our servers haven't been so relaxed for months," said Richard Cox, CIO of respected spam-fighting organisation, Spamhaus, ruefully. "This proves how important it is for the law to get at this sort of criminality."

Nevertheless, Cox doubted that the improvement would last long, and could actually lead to a rise in Trojan attacks as spammers using McColo to host botnet control infrastructure, attempted to reconstitute their networks elsewhere in the coming weeks.

Paul Wood of MessageLabs said his company had also seen spam dipping sharply, which had hit specific troublesome botnets hard.

"We documented a massive drop in spam volume to levels, eight times less than typical volumes for a period of 12 hours, immediately following the takedown before spam levels began to rise again," he said.

"Further analysis of our metrics would suggest there has been an 80 percent drop from Mega-D and 60 percent from Srizbi; Rustock is down by 50 percent and Asprox down by 80 percent. Overall botnet traffic has reduced by approximately 30 percent in the 24 hours following the takedown."

In fact, McColo was the third ISP of significance to the criminal world to face disruption in a matter of weeks, he said, referring in particular to the de-peering of Intercage by ISPs in September.

How the botnet controllers reacted in the coming weeks would depend on how easily they could regain control of compromised, 'zombie' PCs. If that proved hard, it was possible that new PCs would need to be hit with Trojans in order to start new botnets from scratch.

"It depends on the botnet in question and whether the bad IPs at McColo can be re-activeated by another rogue ISP sooner or later," he said.

Adam O'Donnell of Cloudmark was less convinced that the reduction in spam volumes held much significance for the average user, especially business users sitting behind filtered connections.

"We have seen a drop in IP connection attempts that would have been dropped anyway," he said. "This is not like cleaning up a mess in the street," and the problem would return once the botnetters had found new hosters. "I give it two weeks," he said.

Despite the relentlessly upward movement in spam volumes over time, the occasional fall is not unheard of, with a single botnet going offline reportedly reducing traffic in early 2007.

According to Ed Rowley of recently-merged spam filtering outfit Marshal8e6, McColo could have a positive long-term effect in at least one way, that of convincing the authorities that tacking spam was now possible. In the past, the industry had been reluctant to shut down other ISPs, regardless of evidence of wrong-doing, but this might now change.

"There is a strong feeling that this [closing problem ISPs] is not a bad thing," he said.

A massive reduction in Spam has been witnessed since an alleged Californian based ISP was closed down last week. Industry bodies have long been raising awareness of the volume of Spam which appears to come from the San Jose based business, McColo Corp., but it is only now that the providers of Internet Connectivity to McColo have acted.

However, before celebrating too quickly, this is the lull before the storm as businesses globally could be taken by surprise when SPAM volumes return to previous levels in the run up to Christmas and the spamming operations relocate. MxToolBox also warns that with such a key player in the SPAM market removed, the SPAMMERS will be quick to find new methods and new technologies - as well as resorting to traditional methods of using the unsuspecting Enterprise networks to host their Botnets and distribute their messages.

With McColo allegedly being the master hosting centre for the biggest botnet offenders, Mega-D, Srizbi, Pushdo, Rustock and Warezov, the hunt is on to find new hosts. Roughly there are 7 million computers infected with either Srizbi or Rustock sending spam over an average one-month period.

Apart from being a massive centre for botnet hosting, the servers at McColo have recently been the subject of investigation by private security researcher, Jart Armin, who documented the activity at McColo in a report published today which claims that McColo is currently hosting at least 40 different child pornography Web sites or sites that collect payment for the illicit content -- and that traffic analysis showed that one of the sites garnered between 15,000 and 25,000 visitors each day. 

How can small businesses ensure that they are protecting their information and infrastructure from spam or other malicious attacks?

1) Allocate an adequate amount of resources ($) to proactively protect information- As a rule of thumb, small businesses should expect to spend approximately $200 per month, per user for information security. The amount spent on security should rise every year in proportion with the amount spent on new IT hardware (PCs, Laptops, Servers etc.) and software.

2) Continuous Administrator education on threats- Protect against threats at the network and hardware levels, but avoidance information should always be passed down to the user base. Users are notoriously undereducated on how to avoid security breaches...especially phising scams and other social engineering scams designed to deliver web based malware.

3) This is related to 2 above...lock down your perimeter(s)- Email Filtering, IM Filtering, Web Filtering, Wireless Network Encryption and Mobile Messaging Protection should all be robust and employed at all entry points.

4) Be ready- Remember, it is far cheaper and far easier to have a proactive info security policy than it is to recover from a breach.

5) Back up critical data offsite. Most authors do not present data backup as a security issue...but it is (in fact, it is more than a security issue, but it definitely intersects with security). If there is a breach (or natural disaster for that matter), you need to know that your data is safely backed up and easily accessible somewhere far from the reach of the Cyber Thugs.

Over the past two weeks, we've seen waves of high-volume attacks (over 15% of all spam messages) using false CNN and MSNBC content. Our botnet protection has blocked the vast majority -- over 99% -- of these attacks and mutations, and we continue to release filter updates that automatically delete some variants.

We'd like to provide you with an update on recent spam attacks.

Our message security vendor has advised us on high volumes of bogus CNN and MSNBC messages that contain links to download malware. Spammers have copied the contents of CNN and MSNBC alerts and substituted a link that prompts users to upgrade to a new version of a fake Adobe Flash player.

The security service has detected and blocked the vast majority of these attacks, and continues to release protections to stop the new mutations. Their capture rate is over 99%; however, the attack volumes are so large (in the hundreds of millions of messages) that a 1% passthrough rate means that a few messages may end up in your inbox.

For best security practices, if you see any CNN, MSNBC, or suspicious news alert messages:

• Do not deliver these messages from your Message Center or Quarantine Summary.
• Delete these messages from your inbox.
• Do not click on any links in the messages.

If you need to access CNN or MSNBC content, visit the website directly.

Please be assured that our security service considers virus and spam protection as their highest priority, and continues to be on the cutting edge against new spam attacks and tactics.

---

Virus and Spam Trends

Following is the summary of email threats and trends we track for our user base of over 40,000 organizations.

Viruses Increase: In July, our systems recorded the largest volume of email virus attacks of the year. On July 20, our zero-hour virus protection technology detected and caught emails that contained a spoofed UPS package-tracking link intended to lure recipients into clicking it and downloading malware. This virus wave peaked at nearly 10 million messages on July 24.

On August 5, we experienced a large inflow of messages with an encrypted .RAR attachment. While the use of attachments as a virus delivery mechanism generally decreased in 2008, this new virus showed that tactics continue to vary.

Spam Levels Remain High: April showed peak spam volumes for 2008, but the overall level of spam remains high this summer. The average user has received 133 spam messages per day this year. Our statistics show that the average unprotected user would have received 36,000 spam messages in 2006 and 36,000 in 2007. This year's July total shows a 68% growth rate over the same time in 2007. In short, spam attacks in 2008 have not let up from previous years.

If you are encountering problems with mail referencing ORDB.org on your Microsoft Exchange 2003 or 2007 server, or mail being blocked with a return message stating that the sender's IP was on relays.ordb.org, please ensure that you do not have relays.ordb.org entry configured in the IMF settings. You MUST restart the SMTP Virtual Server to release this setting.

 

The ORDB was an open relay data base which listed open relays which has recently closed its doors. Most RBLS (real time blacklists) when they wish to dissolve will commonly blacklist the entire internet in order to get the attention of those people using them to stop attempting to contact their IPs.

For more information please see the ORDB Problems page on our support site.
 

Update: As of Feb, 5th 2009 the MxToolBox Forums have moved to http://community.mxtoolbox.com/forums