Blog: SPAM

We recently needed to create SPF records for one of our customers’ several email domains. Sender Policy Framework is implemented as a DNS TXT record and is designed to give a receiving email server a way to verify which IP addresses are valid senders for a given email domain. The syntax can be a little tricky, so I found several good sites to help generate the SPF record. One of the best was Microsoft’s, which retrieves the actual IP addresses from DNS to build the TXT record. After you answer a few questions about email flow it creates the record, which you can copy/paste into your DNS configuration.

https://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/
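Before pasting a generated record into DNS it is worth checking it offline. The following is an added example (not the Microsoft wizard's code, and not the customer's records) that parses an SPF TXT record and reports the mistakes that make receivers return PermError or accept mail from anyone: a "+all", mechanisms placed after "all", bad ip4/ip6 arguments, qualifiers on modifiers, and more than ten DNS-lookup terms (the RFC 7208 limit). The sample records at the bottom are constructed.

```python
import ipaddress
import re

# Added example for this post, not the Microsoft wizard's code. It checks an
# SPF record's syntax offline; it does not resolve anything in DNS.
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
MODIFIERS = {"redirect", "exp"}
# Terms that cost the receiver a DNS query during evaluation. RFC 7208
# (section 4.6.4) allows at most 10 of them per check; more is a PermError.
DNS_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_DNS_LOOKUPS = 10

# Optional qualifier, then the mechanism/modifier name, then an optional
# ":", "=" or "/" with its argument: "-all", "ip4:192.0.2.0/24", "a/24", "redirect=x".
TERM_RE = re.compile(
    r"^(?P<qual>[+\-~?])?(?P<name>[a-z][a-z0-9_.-]*)"
    r"(?:(?P<sep>[:=/])(?P<arg>\S*))?$",
    re.IGNORECASE,
)


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, name, separator, argument) tuples.

    qualifier is "" when the term has none; receivers then treat it as "+".
    """
    tokens = record.strip().split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("record must begin with v=spf1")
    terms = []
    for tok in tokens[1:]:
        m = TERM_RE.match(tok)
        if not m:
            raise ValueError(f"unparseable term: {tok!r}")
        terms.append((m.group("qual") or "", m.group("name").lower(),
                      m.group("sep") or "", m.group("arg") or ""))
    return terms


def check_spf(record):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    terms = parse_spf(record)
    lookups = 0
    for idx, (qual, name, sep, arg) in enumerate(terms):
        if sep == "=":                      # a modifier such as redirect=_spf.example.net
            if qual:
                findings.append(f"modifier {name}= must not carry a qualifier")
            if name not in MODIFIERS:
                findings.append(f"unknown modifier {name}= is ignored by receivers")
        elif name not in MECHANISMS:
            findings.append(f"unknown mechanism {name!r} makes receivers return PermError")
            continue
        if name in DNS_LOOKUP_TERMS:
            lookups += 1
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                findings.append(f"{name}:{arg} is not a valid address or CIDR block")
            else:
                if net.version != int(name[2]):
                    findings.append(f"{name}:{arg} is an IPv{net.version} address")
        if name == "ptr":
            findings.append("ptr is slow and unreliable; RFC 7208 says it SHOULD NOT be used")
        if name == "all":
            if (qual or "+") == "+":
                findings.append("'+all' lets any host on the Internet send for this domain")
            if any(t[2] != "=" for t in terms[idx + 1:]):
                findings.append("mechanisms after 'all' are never evaluated")
    if lookups > MAX_DNS_LOOKUPS:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of {MAX_DNS_LOOKUPS} (PermError)")
    return findings


if __name__ == "__main__":
    # Constructed sample records, not the customer's real ones.
    for rec in ("v=spf1 ip4:192.0.2.0/24 mx include:spf.example.net -all",
                "v=spf1 a mx ptr include:one.example include:two.example "
                "include:three.example include:four.example include:five.example "
                "include:six.example include:seven.example include:eight.example +all mx"):
        print(rec)
        for finding in check_spf(rec) or ["ok"]:
            print("  ", finding)
```

The lookup count only covers the record you hand it; each include: pulls in another record whose own a/mx/include terms count toward the same limit of ten, so a record that passes here can still fail once the included domains are followed.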
Recently a user at a customer's site was having trouble sending email.  I ran a script that connected to each mail server and specified the sender and recipient to see if any would return errors.  One refused to accept the email because the reverse DNS lookup on the source IP failed.  So the lesson to learn here is this.  If something does not work, try to figure out where it is broken and try to see exactly what is going on in that part that is broken.  But wait - that's not the end of the story, because the user was sending email to 27 recipients and none of the messages were being delivered.

Mr. Peabody, set the WABAC machine to February 2004.  Microsoft has just published a paper "The Coordinated Spam Reduction Initiative".

http://old.openspf.org/caller-id/csri.pdf

Section 11 is about Computational Puzzles For Spam Deterrence.  The idea is to have the computer sending email solve a puzzle that requires a lot of resources, usually CPU time, while verifying the solution is fast.  The idea was to make it expensive for spammers to send out spam.  I know this sounds silly now with botnets having 1000s of machines sending spam.  But did you know Microsoft actually implemented this in Outlook 2003?  And did you know it is still in Outlook 2007?  And did you know it is still in Outlook 2010?  It's called postmarking now, but it is still the same computational puzzle.  Outlook only does this when it thinks your email might look like spam.

Ok, so the way this works is that Outlook or your Exchange server generates the puzzle solution and adds it to the email headers.  It uses the header "x-cr-hashedpuzzle".  RFC 2821 (Simple Mail Transfer Protocol) states "The maximum total length of a text line including the <CRLF> is 1000 characters".  This x-cr-hashedpuzzle is quite long, so it is broken up into several lines.  The first line is 1000 characters, but the continuation lines have a <tab> inserted at the front, causing them to be 1001 characters long.  If this happens to be going through an ASA with ESMTP inspection enabled, it will send out resets to close the connection because it violates the RFC.

This is why the user I was working with could not send email to a list of 27 recipients. I removed the SMTP inspection on our ASA (which I have been wanting to do anyway) to work around this.
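To make both halves of this story concrete, here is an added example (not Outlook's or Exchange's code; the real postmark puzzle's construction is not described in this post). The first part is a hashcash-style proof of work, a generic stand-in that shows the asymmetry the CSRI paper relies on: solving costs about 2^bits hash operations, verifying costs one. The second part folds a long header value the way this post describes Outlook doing it, then checks each physical line against the 1000-character limit from RFC 2821 so you can see exactly which lines an ESMTP-inspecting device would reject, next to a folding that stays within the limit. The seed bytes and the sample header value are constructed.

```python
import hashlib

# Added example for this post; it is not Outlook's or Exchange's code. The
# puzzle is a generic hashcash-style proof of work standing in for the
# postmark puzzle, whose exact construction is not given here.


def _leading_zero_bits(digest: bytes) -> int:
    """Number of zero bits at the front of a hash digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def solve_puzzle(seed: bytes, bits: int) -> int:
    """Sender side: find a nonce whose SHA-256 with the seed starts with `bits`
    zero bits. Expected cost is about 2**bits hash operations."""
    nonce = 0
    while _leading_zero_bits(hashlib.sha256(seed + nonce.to_bytes(8, "big")).digest()) < bits:
        nonce += 1
    return nonce


def verify_puzzle(seed: bytes, bits: int, nonce: int) -> bool:
    """Receiver side: a single hash, however hard the puzzle was to solve."""
    digest = hashlib.sha256(seed + nonce.to_bytes(8, "big")).digest()
    return _leading_zero_bits(digest) >= bits


MAX_SMTP_LINE = 1000   # RFC 2821 section 4.5.3.1: text line length including CRLF


def fold_as_described(name: str, value: str, width: int = 998) -> str:
    """Fold a long header the way the post describes: the value is cut into
    chunks of `width` characters and a tab is then put in front of each
    continuation line, so those lines end up width + 1 + CRLF = 1001 bytes."""
    head = f"{name}: "
    lines = [head + value[:width - len(head)]]
    rest = value[width - len(head):]
    while rest:
        lines.append("\t" + rest[:width])
        rest = rest[width:]
    return "\r\n".join(lines) + "\r\n"


def fold_within_limit(name: str, value: str, width: int = 998) -> str:
    """Fold so that every physical line, leading tab included, fits in 998
    characters plus CRLF."""
    head = f"{name}: "
    lines = [head + value[:width - len(head)]]
    rest = value[width - len(head):]
    while rest:
        lines.append("\t" + rest[:width - 1])
        rest = rest[width - 1:]
    return "\r\n".join(lines) + "\r\n"


def smtp_line_violations(data: str):
    """Return (line_number, length_including_crlf) for every line that a
    strict SMTP inspector would reject as over the RFC limit."""
    violations = []
    for lineno, line in enumerate(data.split("\r\n")[:-1], start=1):
        total = len(line) + 2
        if total > MAX_SMTP_LINE:
            violations.append((lineno, total))
    return violations


if __name__ == "__main__":
    seed = b"from=alice@example.com;to=bob@example.net;date=2010-01-01"  # constructed
    nonce = solve_puzzle(seed, 16)
    print("nonce", nonce, "verifies:", verify_puzzle(seed, 16, nonce))
    # Constructed stand-in for the long encoded puzzle value Outlook emits.
    value = (seed + nonce.to_bytes(8, "big")).hex() * 40
    print("as described:", smtp_line_violations(fold_as_described("x-cr-hashedpuzzle", value)))
    print("within limit:", smtp_line_violations(fold_within_limit("x-cr-hashedpuzzle", value)))
```

Running smtp_line_violations over a captured message (split on CRLF, as it goes over the wire) is a quicker way to confirm this kind of failure than removing inspection and hoping; it tells you which line tripped the limit and by how much.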



The following Special Alert was released by the FDIC concerning e-mails being sent that claim to be from the FDIC.  These e-mails are attempting to trick recipients into installing unknown software on personal computers. The subject line of the messages is: "Funds wired into your account are stolen." Here is a copy of the FDIC's Special Alert:

The FDIC is aware of e-mails appearing to be sent from the FDIC that ask recipients to open and review an attached file. Currently, the subject line of the e-mail states: "Funds wired into your account are stolen." The e-mail is fraudulent and was not sent by the FDIC.

The fraudulent e-mail tells the recipient that proceeds from identity theft crimes have been wire-transferred into their bank account. The e-mail then directs the recipient to open and review an attached copy of their bank account statement and to contact their bank account managers.

The attached file is actually an executable file containing malicious code or software. Recipients should consider the attached file as a malicious attempt to collect online banking credentials or other personal and confidential information that could be used to gain unauthorized access to on-line banking services or perpetrate identity theft and other criminal activities.

Recipients of the fraudulent e-mail should not reply and should not attempt to open the attached file. According to reports received by the FDIC, many antivirus software programs have been detecting and removing the malicious attachment before the e-mail is delivered. However, if a recipient does open the attachment, the FDIC recommends updating anti-virus software patches and performing a complete scan of the computer and network, if applicable. If a computer becomes infected and the user encounters difficulties removing the malicious code, users should contact their anti-virus software vendor. The FDIC highly recommends using anti-virus software.

For additional information about safe online banking and avoiding online scams, visit http://www.fdic.gov/consumers/consumer/guard/.

For your reference, FDIC Special Alerts may be accessed from the FDIC's Web site at www.fdic.gov/news/news/SpecialAlert/2008/index.html.



Over the past several days AT&T customers have reported a drastic increase in the number of non-spam messages being rejected by AT&T SPAM filters.

The sender may receive a message such as "An error occurred while trying to deliver this message to the recipient's e-mail address.  The following organization rejected your message: att.net", and the receiver might view a log with a message similar to "550 Error. Blocked for abuse".  However, many of the messages are from legitimate users or companies.

To get the sender off the "SPAM" list, you can either call AT&T or submit the appropriate information into the form on the following website provided by AT&T: http://worldnet.att.net/general-info/mail_info/block_admin.html

To read more, visit http://www.techdirt.com/articles/20080325/002950640.shtml or http://www.theregister.co.uk/2008/03/24/aggressive_att_spam_filters/



There has been a recent increase in “greeting-card spam” that tries to compromise users by getting them to visit malicious websites. The subject line most often states, “You've received a postcard from a family member!” Within the message body, users are given options on how to retrieve their “postcard”. Links in the message direct users to malicious websites where their browsers may be attacked, or they may be prompted to download and execute malicious software. Attacks are directed at both Microsoft Internet Explorer and Mozilla Firefox browsers.

Users should be very cautious when following links in e-mail messages. Links to foreign domains (e.g. http://someaddress.hk in Hong Kong) or directly to IP addresses (e.g. http://123.123.123.123) should almost always be avoided.

Also, it is important to keep operating systems and software up-to-date with the latest security patches, as well as keep antivirus software virus definitions current.
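As an added example (not from the Computerworld article or any vendor product), here is a small scanner that applies the two rules above to the links in a message body: it flags URLs whose host is a raw IP address and URLs whose top-level domain is outside a list the organization expects to see in its mail. The allowlist and the sample message are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Added example for this post; constructed heuristics, not a product's rules.
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)

# Top-level domains this (constructed) organization expects in its mail.
# Anything else, and any raw IP address, is flagged for a closer look.
EXPECTED_TLDS = {"com", "net", "org", "edu", "gov", "us"}


def classify_host(host, expected_tlds=EXPECTED_TLDS):
    """Return a reason to distrust a link's host, or None if nothing stands out."""
    if not host:
        return "no host"
    try:
        ipaddress.ip_address(host)          # IPv4 or IPv6 literal
        return "raw IP address instead of a domain name"
    except ValueError:
        pass
    tld = host.rsplit(".", 1)[-1].lower()
    if tld not in expected_tlds:
        return f"unexpected top-level domain .{tld}"
    return None


def flag_links(body, expected_tlds=EXPECTED_TLDS):
    """Scan a message body and return (url, reason) for every suspicious link,
    in the order the links appear."""
    findings = []
    for url in URL_RE.findall(body):
        reason = classify_host(urlsplit(url).hostname or "", expected_tlds)
        if reason:
            findings.append((url, reason))
    return findings


# Constructed sample, modelled on the subject line quoted in the post.
SAMPLE_BODY = """\
You've received a postcard from a family member!

To see it, pick one of the links below:
  http://123.123.123.123/postcard
  http://someaddress.hk/postcard
  http://www.example.com/greetings
"""


if __name__ == "__main__":
    for url, reason in flag_links(SAMPLE_BODY):
        print(f"{url}: {reason}")
```

The allowlist is a policy choice, and a familiar top-level domain is no guarantee of anything; treat the output as a prompt for someone to look closer, not as a verdict.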

For more information about this attack, please refer to the following article:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9025898

For information and guidance on protecting your organization from these types of attacks, please contact us.