With my permission, John Levine re-blogged on his blog a post I sent to an antispam mailing list about what to do when you find out you've got a zombie spambot. So I'm linking to it here.
Posted by schampeo at 12:12 PM
So, since the 2nd of May we've been dealing with an increasing load of Sober.L and its ilk. According to Sophos, the mail traffic from the virus currently accounts for over 4% of all email traffic seen, and for roughly 80% of all the virus traffic. Looks like despite all of the previous warnings, everyone is getting caught by surprise, again.
We've seen several hundred messages forged from hesketh.com addresses to hotmail addresses, all from a single machine on the msu.edu network. This, added to the ongoing outscatter from the joe job (quick: blacklist salver.info), along with a nasty flu bug and various other troubles (including a G3/900 CPU card upgrade that decided to release its magic smoke on Tuesday, leaving me with an extremely unhappy Pismo PowerBook, the old G3/400 card back in place after two and a half years, and a new emergency iBook G4), has kept me from blogging. Will try to make up for the past few days over the next few days ;-)
Posted by schampeo at 3:29 PM
John Levine explores in this piece at CircleID whether it makes sense to implement a "path authentication" scheme for URLs, similar to SPF, in which a bank (or any other entity, for that matter) can declare the servers that URLs in email messages are allowed to refer to. Seems pretty hopeless to me; it would be far better to simply implement a warning popup when the URL shown inside a link's text doesn't match the URL in the actual href, or to just stop pretending that HTML email can be made secure, but that's the radical in me talking now...
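The "link text doesn't match the href" check suggested above, as an added example (not code from the original post or from any mail client): it scans the anchors in an HTML message, and whenever the visible text looks like a URL or hostname, compares that hostname to the one the href actually points at. The sample message is constructed; the hosts in it are placeholders.

```javascript
// Matches <a ... href="..." ...>inner text</a>; good enough for typical mail HTML.
const ANCHOR_RE = /<a\b[^>]*\bhref\s*=\s*["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi;

// Return the lowercase hostname of a URL or URL-like string such as
// "www.example.com/login", or null if the text does not look like a host at all.
function hostOf(text) {
  const s = text.replace(/<[^>]+>/g, '').trim();            // drop nested tags
  const candidate = /^[a-z][a-z0-9+.-]*:\/\//i.test(s) ? s : 'http://' + s;
  try {
    const host = new URL(candidate).hostname.toLowerCase();
    // Require at least one dot with labels on both sides, so "click here" or
    // "Thanks." are not mistaken for hostnames.
    return /^[a-z0-9-]+(\.[a-z0-9-]+)+$/.test(host) ? host : null;
  } catch {
    return null;                                             // not parseable as a URL
  }
}

// One record per anchor whose displayed host differs from the href's host.
// Hostnames are compared exactly; a stricter or looser policy is a one-line change.
function findMismatchedLinks(html) {
  const mismatches = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const [, href, inner] = m;
    const shownHost = hostOf(inner);
    if (!shownHost) continue;              // plain words as link text: nothing to compare
    const actualHost = hostOf(href);
    if (actualHost !== shownHost) {
      mismatches.push({ shown: shownHost, actual: actualHost, href });
    }
  }
  return mismatches;
}

// Constructed sample message: one deceptive link, one honest link, one plain-text link.
const SAMPLE_EMAIL = `
<p>Please verify your account at
<a href="http://198.51.100.7/login">https://www.suchandsobank.com/login</a>.</p>
<p>Or visit <a href="https://www.suchandsobank.com/">www.suchandsobank.com</a>
or <a href="https://www.suchandsobank.com/help">click here</a>.</p>`;

console.log(findMismatchedLinks(SAMPLE_EMAIL));
```

Only the first link is reported: its text claims www.suchandsobank.com while the href goes to 198.51.100.7, which is exactly the case a warning popup should cover.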
Posted by schampeo at 3:19 PM
PC Pro is reporting a claim by CipherTrust that 157,000 new spam zombies are created every day, and that a fifth of them originate in China. As if you didn't already have enough reason to block mail from China, here ya go. (via spam-l)
Posted by schampeo at 6:41 PM
In a play on words on "phishing", the practice of suckering victims into giving up their personal financial information via forged HTML email, it seems the latest scam is being referred to as "pharming". It's difficult to tell from the article, but it seems to involve hijacking the DNS resolvers of vulnerable systems by the usual virus/worm infection routes, then directing unsuspecting customers to fake Web sites that are difficult to tell from the real banking sites.
Perhaps the best way to catch these scams is to carefully monitor whether your bank site is secured via SSL (check the Location: field in the browser for "https" or various other signals, such as a blue padlock). The browser vendors are already coming under fire for not tracking their users' histories to provide a notice such as "the last time you visited suchandsobank.com it was via a secure channel - do you want to proceed?" (via interesting-people)
Posted by schampeo at 7:18 PM
Looks like there's a new version of the Sober worm, and unsurprisingly, it has caught too many people by surprise.
Posted by schampeo at 1:29 PM
A recent story from CNN on a shift in antispam strategy: going after the spammers before the spam leaves your own network. Rather than turning a blind eye to it and only fighting to keep it out of your own network, ISPs are now looking harder at ways to keep it out of other people's networks, too. Of course, this is not new - some ISPs have long blocked outbound direct-to-MX SMTP using port 25 blocks or redirection to their own mail servers (Earthlink/Mindspring comes to mind as an example in the US, and they're also featured in this article) - but due to developments over the past year or so in the zombie spambots used to proxy spam from elsewhere, and the shift to SMTP AUTH and port 587, ISPs are having to think about containment. And that translates into less spam for everyone else to deal with, if they can keep it from reaching our servers in the first place.
Posted by schampeo at 1:14 PM
Walt Mossberg's column in the Wall Street Journal today covers how to secure Windows against the various threats posed to it by virus authors, zombies, spam, and the poor design of Windows in general. The usual recommendations are all here: run antivirus software, keep Windows up to date, trade up from Internet Explorer to Firefox, run antispyware scans, or, if you're just sick of it all, switch to Mac OS X.
Posted by schampeo at 9:23 PM