On the off chance that someone on this board has ANY say in how email filtering is implemented, let me give you a few tips: If my email is myname@ZZZ.com, then NO EMAIL that is received from domain ZZZ.com … via The Design of Software
Read More… (From Email Spam News)

This week’s column in the Journal (subscription only, I’m afraid) is about something called the Yoggie: This small computer is called the Yoggie Pico, launched May 29 by an Israeli company called Yoggie Security Systems. The idea is that you should…
Read More… (From loose wire blog)

This year’s edition of the World Information Society Report 2007 notes that growth in the global Information Society is not without risks and the Report examines the potential pitfalls of growth in the rise of online […]
Read More… (From The War on Spam)

Today is a special day at Microsoft, it is the three-year anniversary of the day I joined Frontbridge (now Microsoft Exchange Hosted Services) as a spam analyst. Ah, what a memorable three years it has been.

On our first day on the job, three others and I (the Fantastic Four) went down to Los Angeles for four weeks of training. We met the other lone spam analyst and we spent the next two weeks learning about spam and how to fight it and then the subsequent two weeks doing that over and over again before returning north to Canada.

I have processed a lot of spam in my time but for the first two years my main focus was false positives. I used to process about 90% of the FPs we saw and I became incredibly good at predicting which spam rules were going to perform well in the field and which ones were not. In those days, our spam team’s primary tricks of the trade were writing regular expression spam rules on the contents of the email message. I would process all of the false positives and then go on to spam. Whenever I came across a legitimate false positive (which wasn’t often) I could often look at the message and predict what part of the message was tagged as spam by our spam rules.

Some time passed and we added on another spam filtering service (component) which was automated. I was responsible for setting up the false positive process, and I became good at predicting what FPs were caused by this new component and which ones were caused by our spam rules. Time passed but the spam stayed the same. In those days, pornographic spam was one of the most common types of spam and obfuscation of words was the preferred filter-evasion technique. We saw image spam back then, but it always was embedded in a link.

In 2005, we continued to process spam but we started seeing some more foreign stuff (due to our customer base). Still, not much changed. We saw stock spam, pharmacy spam, 419s, and so forth. All the while I was still handling false positives.

In summer 2006, we saw a sudden shift in spam tactics. Image spam hit our networks. I had seen image spam before, spammers sometimes used it in their CAN-SPAM boilerplates in the footers of their messages. But, this was a new tactic for which we were ill-prepared. Spammers were inserting gif and jpg images into their spam messages and delivering mail that way. At the time, there was a new outbreak every week and I was working six days a week trying to handle all of this stuff. However, time passed, we got some new features implemented and the image spam problem started to drastically reduce. My own personal image spam rules have blocked over a billion messages since they were implemented back in September.

Time passed and 2007 has rolled around. There’s a new breed of spam floating around, pdf spam and “gift-card” spam (which isn’t new, but the payload to a virus is). I don’t process much spam anymore these days, but I still troll through our various inboxes to get a feel for what’s going on. Now, I am a Program Manager of (anti) spam effectiveness, which means I am in charge of collecting various measurements on our networks. Furthermore, the scope of my duties has greatly expanded in the past three months so now I have a great deal of influence over driving and defining new antispam features. In my opinion, this is a very natural progression because I felt that as a rule writer / spam analyst, I was getting close to the end of how far I could go and the logical next step was to move beyond spam rules. I had to become familiar with a whole variety of anti-spam techniques. This is not to say that we did not have techniques other than spam rules (far from it), but now I have a great deal of influence over reshaping the process of how we do it.

So, it’s been an interesting three years. Hopefully the next three are just as interesting.


Read More… (From Terry Zink’s Anti-spam Blog)

Categories: Patch Watch, Hackers, Zero-day attacks, Apple, Microsoft, Windows Vista, Browsers, Rootkits, Vulnerability research, Responsible disclosure, Spam and Phishing, Spyware and Adware, … via ZDNet Blogs
Read More… (From Email Spam News)

I love an AP story in a recent IHT about Le Hien Duc, a gray-haired 75-year-old grandmother who has become the scourge of corrupt officials in Vietnam. But it was one sentence towards the end of the piece that caught…
Read More… (From loose wire blog)

“I’m interested to see how far this will go, as some may start to use some of the more advanced functions of Adobe to place beacons and other tracking mechanisms that have become limited in the past years”

Security vendors and users agree that image spam is finally on the decline, but at the same time a new kind of spam is emerging that uses an attached PDF file to trick recipients into buying stock in a company. via Digit Magazine
Read More… (From Email Spam News)

REDWOOD CITY, Calif. – Tumbleweed Communications Corp. : WHO: Tumbleweed Communications - Joseph Fisher, Vice President of Product Management at Tumbleweed Communications - Willy Leichter, Director of Product … via Customer Interaction Solutions
Read More… (From Email Spam News)

Let’s tie up a couple of loose ends (but by no means all the loose ends) when it comes to SPF. I would like to interpret the SPF record below:

v=spf1 a/24 mx/24 ptr ?all

Now that we are experts in SPF syntax, reading this is a snap. The version of SPF is 1.0. Return a pass if the transmitting IP is in the same /24 net block as the domain’s A record, or if the transmitting IP is in the same /24 net block as the A record of one of the domain’s MX hosts. Also, return a pass if any of the A records for the hostnames (found by reverse DNS on the transmitting IP) are the same as the transmitting IP, or if such a valid hostname ends in the same domain as the sender. If no match is made, fall back to SPF Neutral.

Does any of this sound familiar? It should, because it’s almost the same algorithm that Gmail uses in their Best-Guess SPF. Recall that best guess matches on one of the following:

1. If the MX record or A record is in the same range, return a pass. This is the same as a/24 mx/24, except that Gmail is more restrictive by requiring an exact match rather than looking at a range.

2. If the reverse DNS matches the domain of the sending IP, return a pass. This is the same as the ptr mechanism.

Gmail’s other technique, PTR zone, is somewhat similar but not analogous. So, Gmail is implementing a modified form of SPF in an attempt to authenticate IPs.
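To make the reading of `v=spf1 a/24 mx/24 ptr ?all` concrete, and to show how it differs from the Gmail best-guess variant described above, here is a small evaluator. This is an added example written for this page; it is not code from Terry Zink’s blog, from Gmail, or from any SPF library. It only implements the a, mx, ptr and all mechanisms that the post discusses, and all DNS data is a constructed in-memory table (the hostnames and documentation-range IPs are made up for the example).

```python
import ipaddress
import re

# Constructed DNS data for the example: A, MX and PTR records.
# 203.0.113.9 carries a forged PTR pointing into example.com; the forward
# lookup of that hostname does not return 203.0.113.9, so ptr must reject it.
DNS = {
    "a": {
        "example.com": ["192.0.2.10"],
        "mail.example.com": ["192.0.2.25"],
        "mx2.example.net": ["198.51.100.7"],
        "host99.example.com": ["192.0.2.99"],
        "legit.example.com": ["203.0.113.40"],
        "stranger.example.org": ["203.0.113.5"],
    },
    "mx": {
        "example.com": ["mail.example.com", "mx2.example.net"],
    },
    "ptr": {
        "192.0.2.99": ["host99.example.com"],
        "203.0.113.40": ["legit.example.com"],
        "203.0.113.5": ["stranger.example.org"],
        "203.0.113.9": ["host99.example.com"],  # forged reverse record
    },
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MECH_RE = re.compile(r"^([+\-~?]?)(a|mx|ptr|all)(?:/(\d{1,2}))?$")


def parse_record(record):
    """Parse 'v=spf1 ...' into (result-on-match, mechanism, prefix-length)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        m = MECH_RE.match(term.lower())
        if not m:
            raise ValueError(f"unsupported term for this example: {term}")
        qual, mech, cidr = m.groups()
        # No qualifier means '+', and no CIDR means an exact (/32) match.
        parsed.append((QUALIFIERS[qual or "+"], mech, int(cidr) if cidr else 32))
    return parsed


def same_block(ip, other, prefix):
    """True if ip falls in the /prefix network that contains other."""
    net = ipaddress.ip_network(f"{other}/{prefix}", strict=False)
    return ipaddress.ip_address(ip) in net


def match_a(ip, name, prefix):
    return any(same_block(ip, a, prefix) for a in DNS["a"].get(name, []))


def match_mx(ip, domain, prefix):
    # Each MX hostname is resolved to its A records and compared like 'a'.
    return any(match_a(ip, host, prefix) for host in DNS["mx"].get(domain, []))


def match_ptr(ip, domain):
    # Reverse-lookup the IP, keep only hostnames whose forward A records
    # really contain the IP, then require one of them to be in the domain.
    for host in DNS["ptr"].get(ip, []):
        if ip in DNS["a"].get(host, []):
            if host == domain or host.endswith("." + domain):
                return True
    return False


def check_spf(ip, domain, record):
    """Evaluate mechanisms left to right; first match decides the result."""
    for result, mech, prefix in parse_record(record):
        if mech == "all":
            return result
        if mech == "a" and match_a(ip, domain, prefix):
            return result
        if mech == "mx" and match_mx(ip, domain, prefix):
            return result
        if mech == "ptr" and match_ptr(ip, domain):
            return result
    return "neutral"  # nothing matched and the record had no 'all' term


RECORD = "v=spf1 a/24 mx/24 ptr ?all"


def best_guess(ip, domain):
    """Gmail-style best guess as the post describes it: 'a' and 'mx' need an
    exact IP match instead of a /24 block; 'ptr' is unchanged."""
    return check_spf(ip, domain, "v=spf1 a mx ptr ?all")


if __name__ == "__main__":
    for ip in ["192.0.2.200", "198.51.100.77", "203.0.113.40", "203.0.113.9"]:
        print(ip, check_spf(ip, "example.com", RECORD), best_guess(ip, "example.com"))
```

The forward-confirmation step in `match_ptr` is the part worth noticing: a reverse record is controlled by whoever owns the IP’s address space, so a PTR pointing into the sender’s domain is only trusted when the hostname’s own A record points back at the transmitting IP. The `best_guess` function simply re-evaluates with `a mx` at /32, which is exactly the “exact match rather than a range” difference the post describes.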

Secondly, a question naturally arises about whether or not SPF can protect against spoofing the message From address, i.e., the From address in the message headers.

The answer is that it does not, at least the way SPF was designed. It’s supposed to work on the envelope sender, the MAIL FROM in the SMTP command. The technical issues associated with protecting the “From:” header are more complicated.

In order to use the “From:” header as the subject of authentication with SPF, we need to be familiar with the following:

- mailing lists

- /etc/aliases-style forwarding

- MUA “resend this message to”

- web-generated email

- the Sender header

- the Resent-Sender and Resent-From headers

Looking at protection of the From: header will be the subject of the next few authentication posts when we take a look at SenderID.
Read More… (From Terry Zink’s Anti-spam Blog)

12 Jul
hard on Goodmail

“AT&T to ID Offshore Web Pirates”, actually said only that “the effort is primarily aimed at pirates who set up operations in other countries”

Bennett Haselton has written in with his latest report. He starts “Goodmail has announced partnerships with four new ISPs who will charge for “reliable” delivery of your e-mail messages if you want to bypass … via Slashdot
Read More… (From Email Spam News)

“We’re pleased to engage with IceWEB in co-marketing our uniquely powerful solution that offers customers significant value by enabling them to dramatically reduce spam volumes, lower bandwidth expenditures, and reduce overall infrastructure costs.”

IceWEB Inc., www.iceWEB.com announced that the company has launched a joint marketing initiative with F5 Networks, which is designed to increase market awareness and sales of F5’s Message Security Module for … via Customer Interaction Solutions
Read More… (From Email Spam News)