Google has announced a plan to acquire on-demand web security firm Postini for $625m cash. via The Register
Read More… (From Email Spam News)

“Network and IT security play an essential role in ensuring the confidentiality of business transactions and in protecting an organization’s reputation and will therefore be an important theme at Gitex Technology Week”

Bahrain is expected to be one of the top five investors as spending on information technology in the region hits more than $9 billion by 2009. via Iran Daily
Read More… (From Email Spam News)

American spammers resurgent

The US was top of the spam charts for the month of June, according to new e-mail security statistics from IE Internet.
Read More… (From The Register - Security: Spam)

As image spam continues its decline, the July State of Spam Report highlights more new techniques for delivering spam images, including PDF spam. This is spam that contains no real text in the body of the message (although it may contain word salad), but that has a PDF attachment. When opened, the PDF file is an ad or some other spam message. The PDF attachments result in messages that are very large in size. We have been monitoring this throughout the past month, but it has really heated up this past week. So far, we have observed over 25 million messages that were categorized as PDF spam.

We have seen a few different variants of this type of spam thus far. The first one is the newsletter variant, in which a PDF attachment is made to resemble a legitimate newsletter. The second variant is one in which the PDF attachment resembles the more familiar images of a pump-and-dump stock operation. Samples of both can be seen in the July State of Spam Report. The most prevalent type of PDF spam detected in the month of June was pump-and-dump stock spam. Once opened, the PDF file displays an image of a stock symbol and some text indicating it’s the one to buy. The image has many of the same obfuscation techniques seen in past pump-and-dump stock spam: color variations, font variations and pixelation. One example of PDF pump-and-dump spam that we have seen over the past couple of weeks is German stock spam. This particular spam comes in the format of a PDF; however, instead of an obfuscated image, the PDF is formatted to more closely resemble a newsletter and is specifically hyping German stocks.

Also seen in June was a rise in scam, fraud, and phishing attacks. Some of the phishing attacks included malware attached to the email and/or linked within the email. One attack actually used the PDF technique described above. It claimed to come from a bank and not only contained attachments “with personal account access and authorization” but also had a .exe file that delivered a virus. Another phishing attack claimed to come from the IRS. It too contained malicious code, the Backdoor.Robofo virus. We also observed a spoof of the Microsoft Security Bulletin, claiming to come from Microsoft, that contained details about a vulnerability and provided a link to where an update could be downloaded. The link is spoofed, and clicking it begins a malware download onto your computer. Samples of these can also be found in the July State of Spam report.

Other spam trends noted for the month of June were:
- Father’s Day spam that peddled the usual “Dad” items such as golf clubs, cards and cigars;
- Directory harvest attacks (DHA) that took a more simplified approach to gathering legitimate email addresses;
- An attack offering free money to start a business merely by calling a phone number; and,
- Emails with subject lines regarding current affairs, and bodies peddling medical spam.

This month’s regional spotlight highlights the Asia/Pacific/Japan region. This section shows the breakdown of spam categories for the region; the regional category percentages correspond roughly to those seen in the global categories. It also highlights notable spam attacks, including one that incorporates famous names in email subject lines to lure recipients into opening them. You can read about these trends and sample attacks in Symantec’s newest State of Spam report.

Read More… (From Security Response Weblog)

Head of webspam for 6 years, Matt Cutts responds to an Information Week article by Thomas Claburn asking if Google’s spam fight is a sham. via Things That … Make You Go Hmm
Read More… (From Email Spam News)

Blacklists have their place for detecting and identifying malicious content and activity, with the whole signature-based malware detection industry effectively being built around the concept that blacklists are … via The Register
Read More… (From Email Spam News)

Syngress was kind enough to allow me to post the chapter I wrote for Botnets: The Killer Web Application here as a free sample. It is the third chapter in the book, and requires some prior knowledge of what a botnet C&C (command and control) is. It is basic, short, and to my belief covers quite […]
Read More… (From SecuriTeam Blogs)

Moving onwards to mechanisms, let’s take a look at them in a bit more detail. Again, this information comes straight from the OpenSPF page, with extra commentary by me.

The all mechanism
all

This mechanism always matches. It usually goes at the end of the SPF record.

Example 1
v=spf1 mx -all
Allow the domain’s MXes to send mail for the domain, prohibit all others. Reading the syntax from left to right: the version of SPF is 1.0; return a Pass if the sending IP is in the MX records for the domain; return a Fail on everything else. Note that the implied syntax is the following: v=spf1 +mx -all
Example 2
v=spf1 -all
The domain sends no mail at all. Read left to right: the version of SPF is 1.0; return a Fail on everything (i.e., if any IP has this domain name in the envelope sender, return a Hard Fail).
Example 3
v=spf1 +all
A record like this defeats the purpose of SPF. To interpret it: the version of SPF is 1.0; return a Pass on everything. If you are returning a Pass on everything, it means that whatever IP is sending mail for your domain, you say that’s okay. That means any IP can forge your domain.

The ip4 mechanism
ip4:<ip4-address>
ip4:<ip4-network>/<prefix-length>

The argument to the “ip4:” mechanism is an IPv4 network range. If no prefix-length is given, /32 is assumed (singling out an individual host address). This is one of the easier records to interpret.

Example 1
v=spf1 ip4:192.168.0.1/16 -all
Allow any IP address between 192.168.0.1 and 192.168.255.255. If the transmitting IP is not within this range, return a Hard Fail.

The ip6 mechanism
ip6:<ip6-address>
ip6:<ip6-network>/<prefix-length>

The argument to the “ip6:” mechanism is an IPv6 network range. If no prefix-length is given, /128 is assumed (singling out an individual host address).

Example 1
v=spf1 ip6:1080::8:800:200C:417A/96 -all
Allow any IPv6 address between 1080::8:800:0000:0000 and 1080::8:800:FFFF:FFFF.
Example 2
v=spf1 ip6:1080::8:800:68.0.3.1/96 -all
Allow any IPv6 address between 1080::8:800:0000:0000 and 1080::8:800:FFFF:FFFF.

The a mechanism
a
a/<prefix-length>
a:<domain>
a:<domain>/<prefix-length>

All the A records for the domain are tested. If the client IP is found among them, this mechanism matches. If no domain is specified, the current domain is used. The A records have to match the client IP exactly, unless a prefix-length is provided, in which case each IP address returned by the A lookup is expanded to its corresponding CIDR prefix, and the client IP is sought within that subnet.

Example 1
v=spf1 a -all
Look up the A record of the current domain. If it matches the transmitting IP, return a Pass. If not, return a Fail.
Example 2
v=spf1 a:example.com -all
Look up the A record of example.com. If it matches the transmitting IP, return a Pass. If not, return a Fail.
Example 3
v=spf1 a:mailers.example.com -all
Example.com has explicitly listed all of its outbound mailers in a special A record under mailers.example.com. Look up the A record for mailers.example.com, and if the transmitting IP is found among them, return a Pass. If it is not, return a Fail.
Example 4
v=spf1 a/24 a:offsite.example.com/24 -all
This SPF record lists two possible mailers, a/24 and a:offsite.example.com/24. Look up the A record of the current domain and assume that it resolves to 192.0.2.1; the entire class C of 192.0.2.0/24 would be searched for the client IP. Similarly, assume that the A record for offsite.example.com is 192.0.3.1. It would be expanded to 192.0.3.0/24 and would be searched for the transmitting IP. If more than one A record were returned for the domain, each one would be expanded to a CIDR subnet.

If no match was found, a Fail would be returned.
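To make the left-to-right evaluation concrete, here is an added Python checker (my own example, not code from this post or from the OpenSPF project) that evaluates the all, ip4, ip6 and a mechanisms described above, plus mx so that Example 1 runs. The DNS answers are a constructed in-memory fixture (an assumption standing in for real lookups) built from the example.com addresses in Example 4.

```python
import ipaddress

# Constructed DNS fixture standing in for real A and MX lookups (assumption).
DNS_A = {"example.com": ["192.0.2.1"],
         "mailers.example.com": ["192.0.2.10", "192.0.2.11"],
         "offsite.example.com": ["192.0.3.1"]}
DNS_MX = {"example.com": ["mailers.example.com"]}
# Qualifier in front of a mechanism -> SPF result when that mechanism matches.
QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}

def _host_ips(kind, target):
    # A records of target for 'a'; A records of each MX host of target for 'mx'
    if kind == "a":
        return DNS_A.get(target, [])
    return [ip for host in DNS_MX.get(target, []) for ip in DNS_A.get(host, [])]

def mechanism_matches(mech, client_ip, domain):
    """True if one mechanism (qualifier already stripped) matches client_ip."""
    name, _, arg = mech.partition(":")            # "a:dom/24" -> "a", "dom/24"
    if name == "all":
        return True                               # always matches
    if name in ("ip4", "ip6"):
        net = ipaddress.ip_network(arg, strict=False)   # no prefix -> /32 or /128
        return client_ip.version == net.version and client_ip in net
    kind, _, name_prefix = name.partition("/")    # "a/24" -> "a", "24"
    if kind in ("a", "mx"):
        target, _, arg_prefix = arg.partition("/")
        target = target or domain                 # no domain given -> current domain
        prefix = arg_prefix or name_prefix        # empty -> exact host match
        for ip in _host_ips(kind, target):
            # widen each record to its CIDR subnet, then look for the client in it
            net = ipaddress.ip_network(f"{ip}/{prefix}" if prefix else ip, strict=False)
            if client_ip.version == net.version and client_ip in net:
                return True
        return False
    raise ValueError(f"unsupported mechanism: {mech}")

def check_spf(record, client_ip, domain):
    """Evaluate a record left to right; the first matching mechanism decides."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "PermError"
    for term in terms[1:]:
        qualifier = "+"                           # unqualified mechanism means Pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if mechanism_matches(term, ip, domain):
            return QUALIFIERS[qualifier]
    return "Neutral"                              # nothing matched (RFC 7208 default)
```

Feeding the post's own records through check_spf shows why "+all" is useless: every sender, including one outside any listed range, comes back Pass.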

In my next post, we will get to the mx, ptr, exists and include mechanisms. Then, we will take a look at some real-life SPF records.
Read More… (From Terry Zink’s Anti-spam Blog)

A lot of people ask me whether they should blog. Usually I give them the stock answer: blog because you’ve got something to say, because you feel you’ve got to write, and because you want to connect to other people on the same…
Read More… (From loose wire blog)

The proprietary BrandShield dashboard enables advertisers, publishers and list owners to monitor and manage compliance, preventing potential delays and other mailing challenges. via Affiliate Program Tip Blog
Read More… (From Email Spam News)