Tuesday, January 23rd, 2007

url blacklists

One of the most useful antispam techniques of late has been the "URL blacklist". This compares all URLs found within a message body against one or more global lists of URLs that are related to spam. SpamAssassin uses several such blacklists together and performs very well.

Recently I have seen a couple of messages leak through my filters that contain text such as this:

http://www.px555*com ( Do not forget to replace "*" with "." )

Another one used a different instruction like "remove the * from the middle". Looks like SpamAssassin needs to implement a more relaxed check for spammy URLs.
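As an added example (not SpamAssassin's code or the author's), here is the kind of relaxed check meant above: a normaliser that applies the spammer's own "replace X with ." or "remove X" instruction to host-like tokens before the blacklist lookup. The blacklist entries, sample bodies and the two-label registrable-domain rule are constructed assumptions.

```python
import re

# Constructed sample blacklist (not a real URL blacklist): registrable domains
# that a URL blacklist such as the ones SpamAssassin consults would flag.
URL_BLACKLIST = {"px555.com"}

# Only punctuation is accepted as the obfuscation character, so a legitimate
# "please remove me from your list" cannot trigger a rewrite of every "m".
REPLACE_HINT = re.compile(
    r"""replace\s+['"]?([^\w\s])['"]?\s+with\s+['"]?\.['"]?""", re.IGNORECASE)
REMOVE_HINT = re.compile(
    r"""remove\s+(?:the\s+)?['"]?([^\w\s])['"]?""", re.IGNORECASE)
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.IGNORECASE)
STRIP_CHARS = "()<>[]\"',;:!?."


def obfuscation_rules(body):
    """Collect the spammer's own de-obfuscation instructions from the body."""
    rules = {ch: "." for ch in REPLACE_HINT.findall(body)}
    rules.update({ch: "" for ch in REMOVE_HINT.findall(body)})
    return rules


def extract_hosts(body):
    """Return host names found in the body after applying the obfuscation rules."""
    rules = obfuscation_rules(body)
    hosts = set()
    for token in body.split():
        token = token.strip(STRIP_CHARS)
        for old, new in rules.items():
            token = token.replace(old, new)
        token = re.sub(r"^https?://", "", token, flags=re.IGNORECASE)
        token = token.split("/")[0]          # keep only the host part of a URL
        if HOST_RE.fullmatch(token):
            hosts.add(token.lower())
    return hosts


def registrable(host):
    """Last two labels; a real implementation would consult the public suffix list."""
    return ".".join(host.split(".")[-2:])


def blacklisted(body, blacklist=URL_BLACKLIST):
    """Registrable domains advertised in the body that appear on the blacklist."""
    return {registrable(h) for h in extract_hosts(body) if registrable(h) in blacklist}


# Constructed sample bodies modelled on the two tricks described above.
SAMPLE_REPLACE = 'Best prices: http://www.px555*com ( Do not forget to replace "*" with "." )'
SAMPLE_REMOVE = "Visit www.px5*55.com today, just remove the * from the middle"
SAMPLE_LEGIT = "Lunch tomorrow? Menu is at http://www.example.com/menu"

if __name__ == "__main__":
    for body in (SAMPLE_REPLACE, SAMPLE_REMOVE, SAMPLE_LEGIT):
        print(f"{body!r}\n  -> hosts {sorted(extract_hosts(body))}, blacklisted {sorted(blacklisted(body))}")
```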

But really, who is it that keeps buying stuff from these spammers even with such anti-anti-spam measures in place? What kind of person thinks these are legitimate businesses with the customer's best interests in mind?

Tuesday, May 30th, 2006

another spam filter rendered ineffective

A while ago I turned up as much spam and junk mail protection stuff as I could find in my Postfix configuration. Specifically, I had the following options set:

smtpd_helo_restrictions =
    reject_invalid_hostname
    reject_non_fqdn_hostname
    reject_unknown_hostname

Last week, Amy was contacted by somebody who had tried to send her an email but the email was rejected by my mail server. We hadn't yet got back in touch with him to try to find out what the problem was. I started to pay more attention to my spam rejection logs just in case something was amiss. Today, I noticed that my mail server rejected some sort of newsletter from Google. Upon further investigation, it seems that the Google server that sent the mail was using a HELO name that wasn't resolvable. This condition is checked by Postfix on the reject_unknown_hostname restriction.

I decided that if even Google can't always get it right, then I should probably stop rejecting email for an unresolvable HELO name. So I turned off the three restrictions listed above.

Later today, we got a phone call from the company here in New Zealand who is handling the import of our household goods. Apparently, they had tried to email me earlier but the mail had been bounced back, rejected. I looked through the mail server log and found that they, too, had sent from a server with a misconfigured HELO name (it even ended in .local). The mail had come through on a retry after I had removed the HELO name restriction.

That pretty much does it for that filter. If companies as small as a local goods importer and as big as Google can't get it exactly right, I run the risk of rejecting all kinds of legitimate incoming email. As much as I dislike getting spam, I dislike losing real email even more.

decibel45 keeps telling me I should be using one of those scoring filters that doesn't outright block a message for just one SMTP transactional failure. It might take a while for me to get motivated enough to mess with my Postfix configuration again.


Tuesday, May 9th, 2006

stock spam disclaimer

I happened to read the disclaimer text at the bottom of a stock spam I got today. I was amused (emphasis mine):

Information within this report contains forward looking statements within the meaning of Section 27A of the Securities Act of 1933 and Section 21B of the SEC Act of 1934. Statements that involve discussions with respect to projections of future events are not statements of historical fact and may be forward looking statements. Don't rely on them to make a decision. The Company is not a reporting company registered under the Exchange Act of 1934. We have received two million free trading shares from a third party not an officer, director or affiliate shareholder. We intend to sell all our shares now, which could cause the stock to go down, resulting in losses for you. This company has revenues in its most recent quarter with the float currently increasing. Read the Company's Annual Report if one is available and Information Statement before you invest. This report shall not be construed as any kind of investment advice or solicitation. You can lose all your money by investing in this stock.

Seems to me that those statements are even more pessimistic than usual.


Sunday, April 30th, 2006

hall of shame

Further to my previous entry about people responding to spam, I heard back from one of the people I sent a response to. I'll back up a bit and show you the whole exchange. First, his original message to me:

From: "Don" <...@cox.net>
To: "Rosamund Stephenson" <lchta@hewgill.net>
Subject: RE: monsoon

Ok knock your shit off please and stop sending me this

[original spam message quoted in his message]

My response:

From: "Greg Hewgill" <greg@hewgill.com>
To: "Don" <...@cox.net>
Subject: RE: monsoon

On Fri, Apr 28, 2006 at 08:29:26AM -0700, Don wrote:
> Ok knock your shit off please and stop sending me this

I understand you received some spam that appeared to be from an email
address in a domain I own (hewgill.net). Unfortunately, today spammers
are using software that can easily forge the "From" address on email
messages. They don't use their own name to try to hide their identity.
They insert random email addresses from domains they don't own and so it
looks like the spam came from me. I can assure you that it did not.

If your email provider has a spam blocking system, you may want to try
turning that on. On my own email system, I have a number of different
layers of spam protection and it brings the spam down to a manageable
level (I receive thousands of spam messages per day, most of which are
automatically blocked). With luck, people will stop buying products from
spammers and it will no longer be profitable for them to send their junk
mail.

Have a great day.

Greg Hewgill
http://hewgill.com

I thought that was clear, succinct, and quite understandable. However, our friend Don appears to have not read any further than the very first sentence:

From: "Don" <...@cox.net>
To: "Greg Hewgill" <greg@hewgill.com>
Subject: RE: monsoon

Own it or not I don't need it so STOP sending me this

Of course he didn't read my explanation about forging of email headers; he didn't read that I did not personally send him that spam; he did not read about my recommendation regarding spam filters; he did not read that I too am subject to receiving spam from junk mailers; he is probably not even having a great day today. I had originally thought about mentioning SPF and how that would have prevented him receiving the message in the first place, but I'm sort of glad I didn't waste my energy. (Instead, I'm using that energy to rant about this here.)

Perhaps I'm old and jaded (at least in internet years), but it's surprising to me that people using the internet today have no clue how email works. I imagine our friend Don could, perhaps with a bit of effort, understand what happened if he received a forged written letter in his mailbox delivered by the post office. However, the same does not appear to be true about email delivered by his computer. If he hits Reply, the message must go back to the person who sent it, right? I fear for him if he ever starts receiving phishing messages.

Ok, I know this is boring. I'm done for now.


Saturday, April 29th, 2006

take me off of all your lists

I received two email messages today from other hapless internet users, in response to spam messages they received. I wrote up a nice reply to both of them, explaining that spammers forge email addresses and I did not send the spam myself (the spam messages had random email addresses in the From field, with my domain name).

Upon further investigation, they seem to have both received the same stock "strong buy" spam for some Chinese pharmaceutical company. Looking at today's stock price, the spam appears to have worked. With the stock price rising 100% in just one day of trading, clearly this has made somebody a serious amount of cash. It's impossible to say whether this spam message alone influenced the stock this much, but I don't see any other recent news releases, or any other reason for the stock to jump like that.

If people continue to react positively to spam they receive, creating huge profits for those behind the scenes, there is precious little hope for spam to go away.

Monday, February 20th, 2006

paypal and phishing

I got the following message in email today. The "phishing" detector in my brain went off immediately, but on further inspection it appears that this message really did come from Paypal.

Subject: Notification of Limited Account Access

Dear Greg Hewgill,

As part of our security measures, we regularly screen activity in the PayPal system.
For your protection, we have limited access to your account until additional security measures can be completed. We apologize for any inconvenience this may cause.

To review your account and some or all of the information that PayPal used to make its decision to limit your account access, please visit the Resolution Center. If, after reviewing your account information, you seek further clarification regarding your account access, please contact PayPal by visiting the Help Center and clicking "Contact Us".
We thank you for your prompt attention to this matter. Please understand that this is a security measure intended to help protect you and your account. We apologize for any inconvenience.

Sincerely,
PayPal Account Review Department

PayPal Email ID PP522

This message seems non-phishy due to the following aspects:

  • My full name is used, not something derived from my email address
  • There are no links to click on (ie. "click here to visit the Resolutions Center")
  • The message headers (below) indicate no evidence of forgery
  • The IP address it was sent from matches the SPF record at paypal.com

Paypal is in the unenviable position of having to fight with all the phishers when they really do want to email a notification to their customers. It appears that this is the best they can do, and of course the phishers will imitate this style of message as closely as possible, which makes Paypal's original message look like junk mail. It's an uphill battle for them.

Now I'm curious about what they've done with my account.


Update: I logged on to Paypal and they appear to only have expired my password. No other outstanding issues were to be found in their "Resolution Center" after logging on. I've found that Paypal seems to expire my password frequently (once every month or two), and asks that I supply a new, different password plus configure two new security questions. Perhaps I've been getting a message like this every time they expire my password but this is the first time I noticed it wasn't a phishing message.

I just checked my mail and one second after receiving confirmation of changing my password and security questions, I also got:

Subject: Your PayPal Account has been Restored

Dear Greg Hewgill,

We have completed our review and have restored your account.

Thank you for your patience during this process and for helping to make PayPal the safest and most trusted online payment solution.

Sincerely,
PayPal Account Review Department

Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and click the Help link located in the top right corner of any PayPal page.

PayPal Email ID PP203

Thanks Paypal. Hardly a pleasure doing business with you.


Tuesday, December 27th, 2005

the war on spam

I've been working again on making sure my mail server does the best job it possibly can at rejecting spam and other unwanted email. I recently wrote a Postfix log file scanner that summarizes the reasons why email is being rejected. You can see the current summary here (this shows the statistics for the current day since 00:00 UTC).

A few things about this summary are interesting:

  • I suspect a lot of the entries in the "HELO (unknown)" list are actual SMTP servers, relaying spam, that are misconfigured to send the wrong HELO name. Sorry, I'm not going to accept your mail.
  • The "Recipient (local reject)" list of common worm destinations (adam, alex, alice, etc) is still very effective.
  • Relay attempts seem rare. I had expected to see more of these, but on the other hand it still gives me a warm fuzzy feeling when relay attempts are rejected.
  • I had expected the "DATA pipelining" filter to catch more. This happens when an SMTP sender ignores responses from my server and just fires the commands through as fast as it can without waiting for acknowledgement. Perhaps all those clients happen to be caught earlier by my rejecting a "HELO hewgill.com" command, who knows.
  • There are a lot of different email worms out there! I suspect that many of the previously rejected connections to my mail server would eventually have tried to deliver an email worm. But clamav still does a great job of filtering out that junk.

Even after all this, when my SMTP server rejects over 90% of the connections to it, spamassassin still catches a lot after delivery. I'm going to work on some statistics processing there so I can find out how effective that is.
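The summary described above could be produced by a scanner like the following. It is an added example, not the author's scanner: the log lines are constructed in the format Postfix smtpd uses for rejections (documentation addresses, example domains), and the category names are assumed to match the summary's.

```python
import re
from collections import Counter

# Constructed sample lines in Postfix smtpd's reject format; the 192.0.2.x
# addresses and example.* hosts are documentation values, not real senders.
SAMPLE_LOG = """\
Dec 27 03:14:15 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.7.1 <mail.invalid>: Helo command rejected: Host not found; from=<a@example.net> to=<greg@hewgill.com> proto=SMTP helo=<mail.invalid>
Dec 27 03:14:16 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.11]: 554 5.7.1 <adam@hewgill.com>: Recipient address rejected: Access denied; from=<b@example.net> to=<adam@hewgill.com> proto=SMTP helo=<hewgill.com>
Dec 27 03:14:17 mx postfix/smtpd[2102]: NOQUEUE: reject: RCPT from unknown[192.0.2.12]: 554 5.7.1 <victim@example.org>: Relay access denied; from=<c@example.net> to=<victim@example.org> proto=SMTP helo=<pc12>
Dec 27 03:14:18 mx postfix/smtpd[2103]: improper command pipelining after DATA from unknown[192.0.2.13]: Subject: hi
Dec 27 03:14:19 mx postfix/smtpd[2104]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.7.1 <mail.invalid>: Helo command rejected: Host not found; from=<d@example.net> to=<amy@hewgill.com> proto=SMTP helo=<mail.invalid>
Dec 27 03:14:20 mx postfix/smtpd[2105]: NOQUEUE: reject: RCPT from unknown[192.0.2.14]: 504 5.5.2 <pc14>: Helo command rejected: need fully-qualified hostname; from=<e@example.net> to=<greg@hewgill.com> proto=SMTP helo=<pc14>
Dec 27 03:14:21 mx postfix/smtpd[2106]: connect from mail.example.com[192.0.2.20]
"""

REJECT_RE = re.compile(
    r"reject: RCPT from (?P<host>\S+?)\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) \S+ "
    r"<[^>]*>: (?P<reason>[^;]*);.*?helo=<(?P<helo>[^>]*)>")
PIPELINING_RE = re.compile(
    r"improper command pipelining after (?P<stage>\w+) from \S+?\[(?P<ip>[^\]]+)\]")

# Map Postfix's reason text onto summary categories (assumed names); order matters,
# since the more specific "Host not found" prefix must win over the generic one.
CATEGORIES = [
    ("Helo command rejected: Host not found", "HELO (unknown)"),
    ("Helo command rejected", "HELO (invalid)"),
    ("Relay access denied", "Relay attempt"),
    ("Recipient address rejected", "Recipient (local reject)"),
]


def categorize(reason):
    for prefix, category in CATEGORIES:
        if reason.startswith(prefix):
            return category
    return reason  # anything unrecognised is reported verbatim


def summarize(log_text, my_domain):
    """Count rejections by category and by client IP, and count clients that
    announced our own domain in HELO (a worm signature, never a legitimate peer)."""
    by_reason, by_ip = Counter(), Counter()
    forged_helo = 0
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            by_reason[categorize(m["reason"])] += 1
            by_ip[m["ip"]] += 1
            if m["helo"].lower().rstrip(".") == my_domain.lower():
                forged_helo += 1
            continue
        m = PIPELINING_RE.search(line)
        if m:
            by_reason[f"{m['stage']} pipelining"] += 1
            by_ip[m["ip"]] += 1
    return {"by_reason": by_reason, "by_ip": by_ip, "forged_helo": forged_helo}


def report(summary):
    lines = [f"{n:6d}  {reason}" for reason, n in summary["by_reason"].most_common()]
    lines.append(f"{summary['forged_helo']:6d}  clients announcing HELO as our own domain")
    top = ", ".join(f"{ip} ({n})" for ip, n in summary["by_ip"].most_common(3))
    lines.append(f"top rejected clients: {top}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG, "hewgill.com")))
```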

Finally, I still get an annoying amount of spam landing in my inbox. The war continues.


Thursday, November 10th, 2005

interesting email surprise

I received the following message yesterday, and it almost had me fooled:

From: "Jamie" <jamie.andrews@totalbusiness.co.uk>
To: <greg@hewgill.com>
Subject: Photo Approval
Date: Thu, 10 Nov 2005 03:31:07 -0600

Hello,
Your photograph was forwarded to us as part of an article we are publishing for
our December edition of Total Business Monthly.
Can you check over the format and get back to us with your approval or any
changes?
If the picture is not to your liking then please send a preferred one.
We have attached the photo with the article here.
Kind regards,
Jamie Andrews
Editor
www.TotalBusiness.co.uk
**********************************************
The Professional Development Institute
**********************************************

I had received a legitimate message a few days ago from somebody in Germany asking to use one of my pictures in an architectural publication of some kind (I gave them permission). Initially I thought this might be related. Then I noticed the attachment:

[-- Attachment #2: Photo+Article.exe --]
[-- Type: application/octet-stream, Encoding: base64, Size: 13K --]

It's an email virus! Luckily I handle my mail using mutt on FreeBSD, so it would have taken several more steps for me to "open" the attachment, and I didn't run it. It's amazing the lengths to which these virus authors are going to try to trap people.

In related news, I'm still getting fake-rolex spam which spamassassin is still marking as BAYES_50 (which means spamassassin thinks it's middle of the road, no sign of spam). Every one of those damn things I run through sa-learn to teach it, but the people who write those have found that the English language is extremely flexible and there are a million ways to package their sales pitch.

Spam is starting to become overwhelming again. Whatever happened to SPF, anyway?


Thursday, August 25th, 2005

adventures in antispam

I'm in the process of changing my main mail server for hewgill.com from my machine at home on my DSL to my hosted server in Dallas. Currently, the MX record points to my home machine and most of the spam I get goes there. However, the A record for the hewgill.com web site points to my hosted server. Until recently I did not have the hosted server set up to accept mail for hewgill.com, so it would reject anything that happened to make it there.

Last night I changed the Postfix configuration to accept mail for hewgill.com. I knew there was some misdirected mail that made it there, but I had no idea how much. Since last evening (perhaps 15 hours ago), I've received nearly 400 junk messages to that server. This is happening even though there is no MX record at all pointing to that server (for hewgill.com)!

All of it is worm messages of some kind. Evidently there is some flavour of worm that looks up an A record for the domain name, instead of an MX record, when trying to deliver mail. Now, once I move my MX record to point to the hosted server, I won't be able to distinguish that worm mail from real mail anymore.

Now I just need to integrate clamav into Postfix and check for all that junk worm mail with virus attachments at SMTP time.

Tuesday, April 26th, 2005

new twist in the fight against spam

It seems that spammers have introduced a new twist on an old tactic. When Paul Graham's A Plan for Spam article introduced Bayesian filtering principles to the antispam world, spammers were quick to react to this new threat. Since their spam was now being scored by full content (and not just naive keyword matching), they started including snippets of legitimate text along with their spam messages. This legitimate text, since it wasn't part of their marketing campaign, was typically displayed in an impossibly small font or in invisible (ie. white on white) colors.

Anyway, I recall seeing text pulled from such works as Moby Dick, Ulysses, and various Shakespeare. It didn't matter what the text was, as long as it didn't look very much like spam. As far as I can tell, there are at least two goals involved here:

  1. With the inclusion of a lot of non-spam text, there would be a slightly higher probability that the message might look a little bit more like a legitimate message, and would then sneak through a slightly higher percentage of spam filters.
  2. Bayesian filters learn patterns from the messages you receive and mark as spam. When you mark a message as spam, each word in the entire message essentially gets a count in the "spam" column. By including a lot of non-spam text, this means that a lot of non-spam words will end up with higher counts in the "spam" column. This has the longer-term effect of decreasing the trustworthiness of the Bayesian filter data, because it may start to mark legitimate messages as spam. If this happens a lot, users may turn off the Bayesian part of the filter.
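Goal 2 can be shown with a toy Bayesian filter. This is an added example, not Paul Graham's algorithm or any real filter: a presence-based naive Bayes classifier with add-one smoothing, trained on constructed journal-style ham and spam, then trained again with a constructed "scraped" journal snippet appended to every spam message. Afterwards a perfectly ordinary message that shares vocabulary with the snippet scores as spam.

```python
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z']+")


def tokens(text):
    """Token presence per message: a word counts once however often it appears."""
    return set(TOKEN_RE.findall(text.lower()))


class BayesFilter:
    def __init__(self):
        self.spam_docs = Counter()  # number of spam messages containing each token
        self.ham_docs = Counter()   # number of ham messages containing each token
        self.nspam = 0
        self.nham = 0

    def train(self, text, is_spam):
        if is_spam:
            self.spam_docs.update(tokens(text))
            self.nspam += 1
        else:
            self.ham_docs.update(tokens(text))
            self.nham += 1

    def token_log_ratio(self, tok):
        # Add-one smoothing so unseen tokens neither vanish nor dominate.
        p_spam = (self.spam_docs[tok] + 1) / (self.nspam + 2)
        p_ham = (self.ham_docs[tok] + 1) / (self.nham + 2)
        return math.log(p_spam / p_ham)

    def spam_probability(self, text):
        log_odds = math.log((self.nspam + 1) / (self.nham + 1))   # class prior
        log_odds += sum(self.token_log_ratio(t) for t in tokens(text))
        return 1.0 / (1.0 + math.exp(-log_odds))


# Constructed training corpora (journal-style ham, typical spam pitches).
HAM = [
    "went soaring this weekend, the tow plane was back in service",
    "had lunch with amy and talked about the move to new zealand",
    "the radio controlled plane is fun and i have not crashed yet",
]
SPAM = [
    "buy cheap replica rolex watches now",
    "strong buy stock alert, huge profits today",
    "cheap pills online, order now",
]
# Constructed stand-in for text scraped from somebody's journal and padded into spam.
SCRAPED_JOURNAL_TEXT = "went soaring this weekend with amy, the plane was back in service"

# Constructed test messages: one legitimate note, one spam pitch.
LEGIT_TEST = "amy wants to go soaring this weekend if the plane is back"
SPAM_TEST = "cheap rolex watches, buy now"


def build_filters():
    """Return (clean, poisoned): same ham, same spam, but the poisoned filter saw
    every spam message padded with the scraped journal text and marked as spam."""
    clean, poisoned = BayesFilter(), BayesFilter()
    for text in HAM:
        clean.train(text, is_spam=False)
        poisoned.train(text, is_spam=False)
    for text in SPAM:
        clean.train(text, is_spam=True)
        poisoned.train(text + " " + SCRAPED_JOURNAL_TEXT, is_spam=True)
    return clean, poisoned


def poisoning_effect():
    """Spam probability of the legitimate message before and after poisoning."""
    clean, poisoned = build_filters()
    return clean.spam_probability(LEGIT_TEST), poisoned.spam_probability(LEGIT_TEST)


if __name__ == "__main__":
    before, after = poisoning_effect()
    print(f"legit message: P(spam) {before:.4f} before poisoning, {after:.4f} after")
```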

Recently, several people (cetan, leroy_brown242, Amy) who have journals, have received messages from other Internet users wondering why some of their journal text was included in the spam message. Obviously, the journal authors don't have anything to do with the sending of the spam. It seems that the spammers are now scraping text off the Internet instead of using text from the classics.

Perhaps this approach is intended to more closely match the kind of text that people normally receive in email. Because the text is written by today's Internet users and not 19th century authors, the vocabulary will be better suited to confuse spam filters.

This new technique is surprising and annoying to those users whose text is used in spam. Most recipients of the spam will either not see the message at all, or not see the small/obscured text, or just ignore it. The few who do look at the whole message and google for key words or phrases to find the original author's journal seem skilled enough at that point to not accuse the user whose journal text was used.

Fortunately, Bayesian filtering techniques are just one weapon in the fight against spam. With blacklists, SPF, virus scanners, and the battery of tests provided by SpamAssassin, I now get, on average, about 5 spam messages in my inbox per day. Since my mail server receives about 1000 spam messages per day, that's less than a 1% miss rate on my spam filters.


Friday, November 5th, 2004

gmail thinks I'm a spammer

I've been using gmail for a while now. I have set up procmail rules that forward all my email to my gmail account for easier reading (I like the way gmail lets me read mailing lists and such). What I've noticed for a while now, is that whenever I make a post to a mailing list, my own message ends up in my gmail Spam folder. Every time this happens, I mark it as "Not spam" and move it back out. It doesn't help. I tried some test messages today to my gmail account and other gmail accounts, and each time my email was marked as spam.

Unfortunately, gmail does not provide a way for me to determine why a given message is marked as spam. But I have my own theory...

Recent generations of email worms (such as Netsky and Bagle) send worm messages using email addresses found on the infected computer. These email engines scan through the computer's hard drive looking for various types of files that contain email addresses, and send email worm messages using those addresses in the To and From field. I get a lot of these messages, usually about a thousand per day (slightly less on weekends). Assuming the worms randomly select addresses, I can assume that at least an equivalent number of worm messages are also sent "From" my email address.

The next question is why does my email address appear on so many computers around the world? I believe the answer lies with VNC. Many years ago I contributed some code to the VNC project, and the VNC authors acknowledged my contribution by including my email address in the VNC "history.txt" file. Since VNC is a very popular program, my email address appears in a .txt file on an unknown number of computers on the Internet, where it can be easily picked up and used by email worms.

I have done some analysis of email worm messages I receive, and a significant number of them (around 20%, I don't remember the exact number) have addresses in the From field that also come from VNC-related files. This lends support to my theory.

Connecting the dots, it seems that gmail's systemwide spam filter has identified <greg@hewgill.com> as a sender whose messages should always be marked as spam. It's quite disappointing for me to reach this conclusion.

I have submitted a problem report to gmail, asking whether they can shed any light on this issue. The ideal solution would be to remove my name from their global address filter list, and instead let the filtering happen by content (gmail rejects worm-infected email). The worst case solution is they ignore the problem or just tell me to change my email address (which I don't consider an acceptable solution).

Another disheartening implication here is that other email providers, large or small, might also automatically consider my email messages spam for the same reasons. This would not make me very happy.


Friday, September 17th, 2004

ten things that could be journal entries, but aren't

I am borrowing this convenient bullet-point style from lizzbeth1.

1. It has been nearly four weeks since I last went soaring. This weekend, one of the tow planes is back in service but no instructor is scheduled for either Saturday or Sunday.

2. Some types of computer books (I had some ranging from 4 to 12 years old) sure get worthless quickly. Half Price Books is cool for happily accepting a box of books to recycle.

3. I picked up a radio controlled plane last week. It's fun! I haven't even crashed into anything yet, either. There is a nice park near my house that offers lots of open space.

4. Near the corner of my garage door, there is a wasp nest (wasps are good, so I leave them alone). Recently a spider has decided to build a web directly in front of the wasp nest. I wonder about the sanity of that spider.

5. I have turned off greylisting on my mail server. I think this time it's permanent. I decided that the disadvantage of greylisting (delayed mail delivery, occasional loss of legitimate mail) outweighed the disadvantage of not having it (more spam). I can control the spam volume problem in other ways.

6. I did some cursory analysis of my incoming spam. Of the email that fails SPF filtering (all of which is guaranteed to be forged email), 15% is from greg@hewgill.com; 31% is from various other @hewgill.com addresses; 18% is from email addresses associated in some way with VNC (my email address is in the VNC whats-new file); and the remaining 36% are from other domains.

7. Some international calling cards are a huge scam. I got one that offers a low rate of 1.9 cents per minute to Greece. $10 should get you nearly 9 hours of talk time, right? Well, there's a $1.99 per-call connection charge (that's 104 minutes), plus a $0.59 biweekly fee for just having the card (that's another 31 minutes). I'll be lucky if I get a couple of hours out of it.

8. Mono is really cool. I was able to get SOAP client stuff running in C# on Linux with no problems at all. It just works.

9. I'm trying to renew my ability in French. It has been 17 years since I last took a French course, yet I can still struggle along. I got a French review book and some readers with collections of short stories. I think I should get a dictionary too. Meanwhile, I want to continue learning Spanish, I want to continue taking informal classes in Japanese, and I am continuing to practice Esperanto.

10. nucleartacos last Wednesday were very hot. Hottest tacos so far, we figure. Wow.

Tuesday, July 13th, 2004

phishing scams

As you may have noticed, I pay careful attention to various kinds of spam and junk email that I get, including phishing scams. There has been a huge increase in phishing scams recently, notably targeted toward Citibank, eBay, and PayPal. They are easy to recognize, usually an unsolicited message from a trusted financial organization asking you to verify a bunch of personal details for some reason or another.

Although my various email filters are pretty good at stopping these before they reach my mailbox, occasionally they slip through. I usually breeze past the usual Citibank/eBay/PayPal ones, often stopping to marvel at how the phishers have become more and more clever in hiding their true intentions.

However, I recently received such a phishing scam purportedly from my own bank. Of course this was just like the others, with "Your account has been suspended" and "...involved with money laundering, illegal drugs, terrorism and various Federal Title 18 violations." But I was surprised to find that my personal reaction to this was much stronger than for the other ones I've received. Some tiny part of my brain was saying something like "what if it IS true?"

I quickly inspected the message and the URL on which it asked me to click actually went to some server in South Korea (although it appeared legitimate on the screen). I received this phishing message several days ago, and the phishing server is still online. Sure enough, going there in a browser produces a web page that exactly replicates the look and feel of my bank's usual login page. Entering login credentials there would post them back to the phishing server, letting somebody else log in to my accounts. Of course I didn't enter any info there.

Anyway, back to my personal reaction to this message. I'm now less surprised that people do fall for these scams, because receiving something from an organization that you trust with your money elicits a very different emotional response than say, a Citibank phishing scam (if you don't actually have a Citibank account). It was alarming, yet I knew it was fake. I did log in to my real bank account to make sure that they really didn't lock me out of my account.

I checked with my bank's web site and they already have this particular email listed as an example of a fake phishing message. However, since the phishing server is still online after 5 days, I submitted a report giving details of the compromised server.

Wednesday, March 24th, 2004

beating back the demons

I've noticed a significant increase in worm related email traffic over the last couple of days, apparently related to the "netsky" variant this time (though it's getting harder to tell all the different variants apart). Overnight last night I received nearly 400 new worm-related email messages, all of which successfully passed through qgreylist, spamassassin, and some custom filters that worked for mydoom.

In looking at the incoming messages, I noticed something odd about the HELO command that was used. Normally in an SMTP transaction, the first command that the sending mail server sends to the receiver is something like "HELO example.com", which means the sender is responsible for sending messages from example.com. This HELO name isn't actually used during the delivery of the messages, but is just sort of a polite introduction.

What I noticed was that in most of these worm messages, the sender was using the command "HELO hewgill.com". This is backwards, it should be using the domain name of the sender, not the recipient. So I can be sure that if the sender uses my domain name in HELO, then it is not a legitimate message. By using the following procmail rule:

* ^Received:.*(HELO hewgill.com)

a huge number of worm messages have been caught. In just the last 2.5 hours, 181 messages have been blocked and 33 got through. Of those that got through, virtually all of them are bounce messages from other mail servers, where a message to somebody@example.com, with my name forged in the From field, was returned to me as undeliverable. These types of messages, since they are sent by legitimate functional mail servers, have correct HELO commands and are not recognized by this filter.
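The procmail rule above and the Postfix HELO restrictions in the May 2006 entry (reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_hostname) both hard-reject on a single HELO failure. As an added example, not the author's configuration, the following turns each of those checks plus the "HELO is my own domain" pattern into a weighted signal so that only the worm signature alone clears the reject threshold; weights, threshold, the resolvable-names table standing in for DNS, and the Received-header samples are constructed.

```python
import re

# qmail-style Received header, the form the procmail rule above matches: "(HELO name)".
RECEIVED_QMAIL_RE = re.compile(r"\(HELO\s+([^)\s]+)\)", re.IGNORECASE)
# Postfix-style Received header: the HELO name is the word right after "from".
RECEIVED_POSTFIX_RE = re.compile(r"^Received:\s*from\s+(\S+)\s+\(", re.IGNORECASE)
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed weights: each Postfix restriction becomes a signal instead of a hard
# reject. Only the own-domain HELO (the worm signature) reaches the threshold by itself.
WEIGHTS = {
    "invalid_hostname": 2.0,    # cf. reject_invalid_hostname
    "non_fqdn_hostname": 1.5,   # cf. reject_non_fqdn_hostname
    "unknown_hostname": 1.0,    # cf. reject_unknown_hostname
    "helo_is_my_domain": 5.0,   # the "HELO hewgill.com" pattern from the procmail rule
}
REJECT_THRESHOLD = 4.0

# Constructed stand-in for DNS so the example runs offline: names that would resolve.
RESOLVABLE = {"mail.example.com", "hewgill.com", "mx.example.net"}


def resolves(name, resolvable=RESOLVABLE):
    return name.lower().rstrip(".") in resolvable


def helo_from_received(header):
    """Pull the HELO name out of a qmail- or Postfix-style Received header."""
    m = RECEIVED_QMAIL_RE.search(header) or RECEIVED_POSTFIX_RE.match(header)
    return m.group(1) if m else None


def helo_signals(helo, my_domain, resolver=resolves):
    """Names of the signals a HELO name trips; syntax checks stop at the first
    failure the way Postfix's restrictions do, the own-domain check is independent."""
    signals = []
    if helo.startswith("[") and helo.endswith("]"):
        return signals  # address literal such as [192.0.2.5], permitted by RFC 5321
    name = helo.rstrip(".")
    labels = name.split(".")
    if not all(LABEL_RE.match(label) for label in labels) or len(name) > 253:
        signals.append("invalid_hostname")
    elif len(labels) < 2:
        signals.append("non_fqdn_hostname")
    elif not resolver(name):
        signals.append("unknown_hostname")   # Google's and the importer's case
    if name.lower() == my_domain.lower():
        signals.append("helo_is_my_domain")  # a peer never legitimately announces our domain
    return signals


def score_helo(helo, my_domain, resolver=resolves):
    """Return (verdict, score, signals) for one HELO name."""
    signals = helo_signals(helo, my_domain, resolver)
    score = sum(WEIGHTS[s] for s in signals)
    verdict = "reject" if score >= REJECT_THRESHOLD else "accept"
    return verdict, score, signals


# Constructed Received headers (documentation address 192.0.2.9).
RECEIVED_QMAIL = "Received: from unknown (HELO hewgill.com) (192.0.2.9)"
RECEIVED_POSTFIX = "Received: from officepc.local (unknown [192.0.2.9])"

if __name__ == "__main__":
    for hdr in (RECEIVED_QMAIL, RECEIVED_POSTFIX):
        print(hdr, "->", score_helo(helo_from_received(hdr), "hewgill.com"))
```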

Unfortunately, the latest variants of these email worms no longer seem to have automatic built-in expiration dates (as reported by mcafee or symantec), like the sobig family did. We can therefore expect to be plagued by these for some time to come.

Finally, this would be a good time to remind everybody who is responsible for any email operations to adopt Sender Policy Framework and publish SPF records. Doing so will help reduce the ability for worms to forge email addresses from your domain, and using SPF filtering against incoming messages will help you reject messages with forged From addresses.
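The SPF filtering recommended here, and the check in the February 2006 PayPal entry that the sending IP matches the domain's SPF record, come down to evaluating a published record against the connecting address. This is an added example, not the author's filter or any SPF library: a minimal evaluator for the ip4, ip6, include and all mechanisms with their qualifiers. The records and addresses are constructed (example domains, documentation IPs); the a, mx, ptr and exists mechanisms, redirect= and macros are not modelled and yield permerror.

```python
import ipaddress

# Constructed TXT records standing in for DNS lookups (not real domains' records).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.17 ip6:2001:db8::/32 ~all",
    "hewgill.test": "v=spf1 ip4:203.0.113.5 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10


def check_spf(ip, domain, records=SPF_RECORDS, depth=0):
    """Evaluate the SPF record for domain against the sending ip.
    Results follow RFC 7208 names: pass, fail, softfail, neutral, none, permerror."""
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = records.get(domain.lower().rstrip("."))
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"                      # default qualifier is "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                # A v4 address is never "in" a v6 network and vice versa; no exception.
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            sub = check_spf(ip, arg, records, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"           # a missing included record is a hard error
            matched = sub == "pass"          # include matches only on pass
        else:
            return "permerror"               # a, mx, ptr, exists, redirect=: not modelled
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                         # no mechanism matched


def mail_from_verdict(ip, mail_from, records=SPF_RECORDS):
    """SPF result for an SMTP MAIL FROM address; "fail" means the domain's policy
    says this host may not send for it, i.e. the sender address is forged."""
    domain = mail_from.rsplit("@", 1)[-1]
    return check_spf(ip, domain, records)


if __name__ == "__main__":
    for ip, sender in (("192.0.2.44", "greg@example.com"), ("203.0.113.5", "greg@example.com"),
                       ("203.0.113.5", "greg@hewgill.test")):
        print(f"{sender} from {ip}: {mail_from_verdict(ip, sender)}")
```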


Tuesday, February 3rd, 2004

mydoom gets around

I subscribed to a couple of mailing lists at http://www.us-cert.gov today. This involved writing an email message to majordomo at their site, and then replying to a confirmation message they send to you. Because I have greylisting set up, I had expected to wait a while before receiving the first confirmation message. However, to my surprise I received the confirmation message almost right away! That meant that the mail server at CERT had already contacted mine sometime within the last five days.

I began to think how ironic it would be to have received a Mydoom message from CERT themselves, and whether they had an infected computer there. I quickly scanned through mail logs looking for their IP address, and sure enough I found that their server had sent me a message early Monday morning.

I did find it, but it turned out to be fairly unexciting. Some other computer out there on the internet somewhere had forged a Mydoom message from <brenda@hewgill.com> to <majordomo@us-cert.gov>, and their mail server dutifully responded back to brenda with a confirmation message. I don't have that confirmation message anymore (I've been deleting a lot of mail lately), but it would have been interesting to see where it came from in the first place.

Oh, how I was hoping to see something fun like an original Mydoom message from CERT.

mydoom update

Well I finally got around to configuring my mail server to send all mail addressed to Mydoom's set of 47 forged addresses, straight to the bit bucket.

Since sometime last night, I received 1415 incoming messages that were detected by my Mydoom filter and sent off to a specific folder. Only 183 of those were directly addressed to <greg@hewgill.com>, the rest were to addresses such as <ted@hewgill.com>, <maria@hewgill.com>, etc., which don't exist and were therefore sent to my own mailbox.

In the last two minutes my mail server has received 10 messages for linda, brent, jose, jack, ted, anna, michael, dave, serg, and sandra.

After having some trouble with my greylisting implementation over the weekend, I've turned it back on and the Mydoom activity may be subsiding. It might be too early to tell for sure though.

The conclusion for this morning is that delivering all misaddressed mail to your own mailbox amplifies the Mydoom problem significantly. (Yes, that's obvious. It's early, give me a break.)

Wednesday, January 28th, 2004

VIRUS (W32/Mydoom@MM) IN MAIL FROM YOU

The title of this post represents only some of what's wrong with email virus detection today. Obviously this virus checker (I don't know which it is) has been updated to identify W32/Mydoom@MM, but is not smart enough to realize that the name in the From field is not the actual sender. The return message admonishes me to "Please check your system for viruses." Well, I can assure you my system is not affected, I'm running FreeBSD. Please, vendors of email virus checkers: Quit sending crap to the unrelated third party in the From field!

I am getting thousands of Mydoom messages per day now. Curiously, not all of them are addressed directly to me. I have the hewgill.com domain set up to route to me any message that is not addressed to an existing account. This worm is also sending to the following addresses:

adam alex alice andrew anna bill bob brenda brent brian claudia dan dave david debby fred george helen jack james jane jerry jim jimmy joe john jose julie kevin leo linda maria mary matt michael mike peter ray robert sam sandra serg smith stan steve ted tom

My theory is this: It grabs the <greg@hewgill.com> address from an infected machine. Probably via somebody who has visited my web site (my email address is listed on my web site), or is running xearth or the threat monitor (my email address is listed in the installed documentation). Then it bombards <greg@hewgill.com> with the worm, plus it uses the above account names to generate new addresses such as <adam@hewgill.com>, <alex@hewgill.com>, and so on.

When an unknown recipient is found, most mail servers will send back a bounce message to the purported sender, claiming that the sender sent a message to an account that doesn't exist at the destination. For example, picking one at random, apparently <matt@hewgill.com> tried to send a message to <joe@worldpay.com>. Joe doesn't exist there, so a bounce message is sent back to Matt. Matt doesn't exist either, so the bounce message ends up in my mailbox.

I don't know anybody who is getting quite as hammered as me with this one. My friends are sometimes getting one or two, often none at all. Whatever Mydoom does to collect email addresses, mine is a high visibility target.

I am currently using the following procmail rule to detect Mydoom messages:
# The B flag makes procmail match against the body; the last line names the folder the
# matches are filed in (the folder name is an assumption, the post doesn't give it).
:0B
* ----=_NextPart_..._...._........\........[^0]
mydoom
The reason this works is that Mydoom attempts to construct an email message that looks exactly like it came from Outlook Express. It does a pretty good job, except for one little detail. Messages created by Outlook Express appear to always have a '0' at the end of the MIME boundary line. For example, an Outlook Express MIME boundary line might look like: ----=_NextPart_000_016B_01BFC670.696FBAB0. Most of the digits in there are randomly generated, except the last one. I don't know why this is, but it works to our advantage. The above regex matches MIME boundary lines that fit the above pattern, but that have a digit other than '0' as the last character. The Mydoom worm appears to generate MIME boundary lines with a random last digit. This is not perfect because sometimes Mydoom will use a '0' as the last character, but it's working okay so far. I may have to add additional checks, because a sixteenth of thousands per day is still a heck of a lot of email.
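The same heuristic in Python, as an added example rather than the post's own filter: the first function is a straight port of the procmail condition over the message body, the second applies the same "last character of the boundary is not 0" rule to the declared Content-Type boundary parameter. The messages and the boundary values other than the one quoted above are constructed, not captured worm samples.

```python
import re
from email import message_from_string

# Python port of the post's procmail condition: three, four and eight arbitrary characters,
# a literal dot, then eight characters whose last is anything but '0'. The \n exclusion keeps
# the match from running past the end of the boundary line.
MYDOOM_BOUNDARY = re.compile(r"----=_NextPart_.{3}_.{4}_.{8}\..{7}[^0\n]")

def body_looks_like_mydoom(raw_message):
    """Mirror of the ':0B' recipe: only the body (after the first blank line) is scanned."""
    _, _, body = raw_message.partition("\n\n")
    return MYDOOM_BOUNDARY.search(body) is not None

def boundary_looks_like_mydoom(raw_message):
    """Same heuristic applied to the declared Content-Type boundary parameter instead."""
    boundary = message_from_string(raw_message).get_boundary() or ""
    return boundary.startswith("----=_NextPart_") and not boundary.endswith("0")

def sample_message(boundary):
    """Constructed Outlook-Express-shaped multipart message built around `boundary`."""
    return (
        "From: someone@example.com\n"
        "Subject: Hello\n"
        "Content-Type: multipart/mixed;\n"
        f'\tboundary="{boundary}"\n'
        "\n"
        "This is a multi-part message in MIME format.\n"
        f"--{boundary}\n"
        "Content-Type: text/plain\n"
        "\n"
        "test\n"
        f"--{boundary}--\n"
    )

# Constructed boundaries (the first is the one quoted in the post); only the final character matters.
OUTLOOK_EXPRESS = sample_message("----=_NextPart_000_016B_01BFC670.696FBAB0")  # ends in '0': legitimate shape
MYDOOM_STYLE = sample_message("----=_NextPart_001_0A3C_01C3E4F2.7B19D4CA")     # ends in 'A': caught
MYDOOM_MISSED = sample_message("----=_NextPart_002_1F0D_01C3E4F2.3A6B2C10")    # worm happened to pick '0': the 1-in-16 miss

if __name__ == "__main__":
    for name, msg in [("outlook", OUTLOOK_EXPRESS), ("mydoom", MYDOOM_STYLE), ("missed", MYDOOM_MISSED)]:
        print(name, body_looks_like_mydoom(msg), boundary_looks_like_mydoom(msg))
```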

This worm walks straight through greylisting. Symantec's report says that the worm attempts to send mail using its internal SMTP sender, but if that fails then it passes the message off to a "local mail server". Presumably the local mail server will retry correctly, and therefore greylisting will let the message through. See my greylisting status graphs to get an idea of the scale of the problem here. The green area indicates the number of distinct hosts that have successfully sent me email within the prior ten days. The blue line is the number that have only tried once within the prior six hours. About half the hosts that have sent me mail have sent more than one message, and the current record is 186 from a single host.

I'm going to have to do some more effective filtering soon, I think. Two more weeks (Mydoom is supposed to shut itself off on February 12) of dealing with a clogged mailbox is going to make me very grumpy.

Tuesday, January 27th, 2004

another new email worm

Looks like we're in for another round of an email worm. I last wrote about sobig.f when it ended back in September. This new one appears to have been named W32/Mydoom@MM.

So far today I've received over 500 copies of this worm. It has a typical default spamassassin score of 3.0, which is well under the default 5.0 threshold. Those sent with a randomly selected subject line of "Hello" score an extra 2.5 points with spamassassin, pushing them over the threshold. Greylisting appears to have little effect for me, possibly because I'm using a simplified implementation called qgreylist that will more readily let a sender through if they happen to be sending to multiple recipients at a domain.

This worm spreads by claiming to have been sent "as a binary attachment" for some technical-sounding but bogus reason. Susceptible users will open the attachment, which may be inside a zip file, and unwittingly execute the worm code. Once it's executed, it copies itself to various places on your hard drive and injects itself into the startup sequence.

As usual, mydoom sends messages with randomly collected From and To addresses, so if you receive one of these, the person listed in the From field is unrelated to the person whose computer sent you the message. Furthermore, if the email address in the To field does not exist (which is common for this worm because it randomly constructs new email addresses on the fly), the user at the From address will receive a bounce message claiming that they sent a virus.

I've been looking for something unique about the worm emails that I can use to construct a filter to identify them. I thought I had something workable, but realized that the worm messages are carefully crafted to look exactly like a message created by Outlook Express. Even messages from my dad would have triggered the filter I was working on. So, back to the drawing board. I'm working on a different filter now.

Symantec's report (they call this worm W32.Novarg.A@mm) claims that the worm will automatically stop spreading on February 12, 2004. There is no mention of any attempt at time synchronization like there was with the sobig variants, so it is possible that this may continue to propagate from computers with misconfigured clocks beyond its built-in termination date.

Email will be useless tomorrow for a lot of people out there, I think.

Sunday, November 30th, 2003

greylisting, day 14

About two weeks ago I implemented the anti-spam technique known as greylisting on my mail server. The results have been astounding in their success.

Greylisting relies on passively verifying the behaviour of the sending SMTP server. The first time an incoming connection is made from an unknown server, the delivery is rejected with a temporary failure error message. This temporary failure message causes a normal sending server to try again later, but it seems that a typical high-volume message sender used to send bulk mail will not bother trying again. If the message delivery is attempted a second time, the greylist filter lets the message through, concluding that the sender is legitimate. Subsequent messages from the same sender are then let through on the first try in order to avoid unnecessarily delaying mail. Messages that are sent once and never retried never make it through the filter.

I have been keeping a history of messages caught by various spam filters. The "spam" line is spamassassin, the black line is the spamcop DNS-based blacklist, and the others are custom filters for specific kinds of email worms. Since implementing greylisting, the amount of spam that enters my mail system has been reduced by about 95%.

I also have some graphs of greylisting status, which report the counts of senders in the greylisting database. The green indicates the current number of legitimate senders seen within the last 10 days. The blue line indicates the current number of senders that have only tried once within the last six hours. Multiplying this value by 4 gives approximately the number of messages blocked in the last 24 hours, which matches well with the 200 to 300 spam messages previously caught by my existing filters.

I have been watching mail logs pretty carefully and have not noticed any messages that should have been accepted but weren't. Some others who have experimented with this technique have noticed some messages were blocked that shouldn't have been.

For reference, I'm using the qgreylist implementation along with qmail. This implementation differs from the original greylisting paper by only considering the sending server IP address (instead of the ip/sender/recipient triplet) when making the decision to accept or reject an incoming message. This is much simpler and appears to be sufficient to block the vast majority of bulk mail.
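The decision procedure described above, keyed on the sending IP alone as in the qgreylist variant, as an added example (not qgreylist's own code): the six-hour and ten-day windows are the ones the graphs use, the SMTP reply codes and the connection log are constructed, and the `status()` pair corresponds to the green and blue values on the status graph.

```python
# Added example (not qgreylist's own code): an IP-only greylist in the style the post
# describes. A pending first attempt is forgotten after six hours, and a sender that
# retried successfully is remembered for ten days.
PENDING_WINDOW = 6 * 3600
KNOWN_WINDOW = 10 * 24 * 3600
TEMP_FAIL, ACCEPT = 451, 250  # SMTP reply codes handed back to the connecting server

class Greylist:
    def __init__(self):
        self.pending = {}  # ip -> time of the first, deferred attempt
        self.known = {}    # ip -> time of the most recent accepted delivery

    def _expire(self, now):
        self.pending = {ip: t for ip, t in self.pending.items() if now - t <= PENDING_WINDOW}
        self.known = {ip: t for ip, t in self.known.items() if now - t <= KNOWN_WINDOW}

    def check(self, ip, now):
        """Decide one incoming connection from `ip` at time `now` (seconds)."""
        self._expire(now)
        if ip in self.known:            # has retried before: accept on the first try
            self.known[ip] = now
            return ACCEPT
        if ip in self.pending:          # came back within six hours: behaves like a real MTA
            del self.pending[ip]
            self.known[ip] = now
            return ACCEPT
        self.pending[ip] = now          # never seen: defer and wait for the retry
        return TEMP_FAIL

    def status(self, now):
        """(green, blue) of the status graph: known senders, and one-try senders still pending."""
        self._expire(now)
        return len(self.known), len(self.pending)

# Constructed connection log: (seconds, source IP) in time order, using documentation address ranges.
SAMPLE_ATTEMPTS = [
    (0, "192.0.2.10"),       # legitimate MTA, first attempt
    (100, "203.0.113.5"),    # bulk sender: fires once and never retries
    (200, "203.0.113.6"),    # bulk sender that retries far too late
    (900, "192.0.2.10"),     # legitimate MTA retries 15 minutes later
    (3600, "192.0.2.10"),    # later message from the same server
    (25400, "203.0.113.6"),  # seven hours after its first try: pending entry already expired
]

def run_sample(attempts=SAMPLE_ATTEMPTS, at=8 * 3600):
    g = Greylist()
    verdicts = [g.check(ip, t) for t, ip in attempts]
    return verdicts, g.status(at)

if __name__ == "__main__":
    print(run_sample())  # ([451, 451, 451, 250, 250, 451], (1, 1))
```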

Wednesday, September 10th, 2003

sobig.f

Well it looks like the sobig.f email worm has successfully shut itself down on schedule (it was designed to quit propagating itself on Sep 10). It was active for approximately 21 days. During that time, I received about 80,000 individual messages sent by sobig-infected computers, at approximately 100kB each. That is a total volume of about 8 gigabytes. That is a sustained average bandwidth of about 35 kbits/sec.

I have some graphs that break down the various kinds of spam I receive. Everything else has been dwarfed by sobig for the last three weeks.

A few days after it started, I added some logging to my incoming mail, to keep track of the source of the messages. This logging covers the latest 50,000 or so messages. The top prize goes to 66.0.87.51 which sent me 2,521 individual messages. There were only 2008 different ip addresses which sent me sobig messages. The top 45 ip addresses were responsible for half of the traffic.

The most annoying part of the sobig worm is not the bandwidth usage, though. The worst part is dealing with the hundreds of messages generated by automated "virus" checker email gateways. Several times a day I would manually delete dozens of messages generated by mail gateways that identified a sobig.f message and assumed that my computer was infected because my name was in the From header (sobig.f sends messages with random To and From headers pulled from the Internet Explorer cache of html pages, among other places). I didn't explicitly count these messages, but I estimate approximately 2,000 arrived.

I believe I only received one human response to a sobig message:

From: K Fick <xxxxx@yahoo.com>
Subject: DO NOT SEND ANYMORE MAIL TO THIS ADDRESS AND TAKE ME OFF MAILING LIST!!!Re: Approved


I wonder how many of these responses K Fick wrote before getting tired of it.

It would be really nice if the anti-virus email gateways would avoid sending alarming messages to the purported sender of sobig-generated email. This practice probably exacerbated the problem because lots of people who were not infected with sobig.f (or for technical reasons could not be) received authoritative-sounding messages saying they were. Of course, the anti-virus companies probably love doing this because it drums up interest in their product. But it's really annoying to receive the same anti-virus bounce message dozens of times a day. Apparently sobig isn't very creative and often sends the same messages over and over and over.

Anyway, it's good to have some respite from the flood of junk the sobig worm has generated. I'm sure it's only temporary though; sobig.a through sobig.e were much less effective. Sobig.f raised the bar. I'm expecting sobig.g to be even worse.