Archive for Spammers

Spammers Change Tactics

Posted in Staying safe on March 5, 2008 by chopperarris

Security boffins at SoftScan whispered into my ears this morning. Instead of sweet nothings they said that spam levels have remained steady, accounting for 96.47% of all e-mail scanned by their infallible servers. What a disappointment!

However, some eagle-eyed white coats have noted subtle changes over the last couple of weeks to the delivery and format of ‘bulk mail’ spam, which may indicate that spam levels will increase once again in the near future.

The change is in messages sent out in vast quantities apparently by the same few providers. Similarities observed in the past in the technical makeup of the messages have led SoftScan to conclude that these messages are written on templates specifically designed to have maximum effect on bypassing anti-spam filters.

“It’s too early yet to be absolutely certain, but a change in the template indicates that the spammers are trying out new tactics, which is normally a precursor to a larger blitz of spam,” comments Diego d’Ambra, CTO of SoftScan.

“Junk mail from these few providers seems to come in waves and from the distribution you can see that there are some very successful spammers that cover a large part of the market. In addition, we’ve also seen a change in the delivery of these messages. This may mean that the botnets have been recruiting significant numbers of new zombies or that the spammers are trying to find new ways to bypass blacklist technology.”

Virus levels remained typically low during the month, accounting for just 0.09% of all e-mail scanned. The top five virus families in February were:

1. Phishing (85.92%)

2. Dropper (7.07%)

3. Diehard (2.14%)

4. Netsky (1.37%)

5. Downloader (0.97%)

Spammers Go ‘Out Of Office’

Posted in Staying safe on February 27, 2008 by chopperarris

Adding another trick to their toolkit, spammers are now abusing the ‘out of office’ feature of Web-based e-mail services to relay their junk messages into the inboxes of unsuspecting Internet users. I can’t believe it has taken so long. Anti-virus boffins have recently seen several instances where spammers set up Web-based e-mail accounts and configure auto responders with spammy messages. The miscreants then send e-mail with fake ‘from’ addresses - the spam targets - to their newly created Web-mail accounts. The ‘from’ addresses subsequently receive the spammy ‘out of office’ notices.

This may sound like a convoluted way to send spam, but spammers do it to trick spam filters. An automatic reply from a well-known Web-based e-mail service will look legitimate to many spam filtering tools. Unlike spam sent by botnets, the auto reply spam will have a legitimate sender and will be correctly authenticated by the mechanisms used to validate e-mail senders, such as DKIM, DomainKeys or Sender ID.

One spammer seen using this technique is advertising an adult Web site - no surprises here! The auto-responder spam does not look like a typical out of office reply. The message subject always contains ‘Re:’ because that’s added by the Web mail service, but the spammer controls the rest of the subject line and the message body text. In the examples, a popular anti-virus manufacturer could determine that the mail is an auto responder only by carefully looking at the e-mail headers.

I suspect the spammer has a program that automatically creates accounts and sets the responder text, all with no manual work required. This gives the spammer the capability to have lots of Web-mail accounts, all used to spam lots of people. All is not lost: the spam should be blocked by a decent anti-spam product through a combination of header and message content checks.
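The combination of header and content checks mentioned above could look like the following added example, which is not from the original post or from any vendor's product. The header names other than Auto-Submitted (RFC 3834), the log of sent Message-IDs, the two-signal threshold and the sample messages are assumptions made for illustration.

```python
import re
from email import message_from_string

URL_RE = re.compile(r"https?://\S+", re.I)
ABSENCE_RE = re.compile(
    r"out of (the )?office|on (vacation|leave)|away from|will (be back|return)", re.I)

def is_auto_reply(msg):
    """Header check: Auto-Submitted is RFC 3834; the rest are de-facto markers."""
    auto = (msg.get("Auto-Submitted") or "").strip().lower()
    if auto and auto != "no":
        return True
    if (msg.get("Precedence") or "").strip().lower() in ("auto_reply", "auto-reply"):
        return True
    return "X-Autoreply" in msg or "X-Autorespond" in msg

def assess(raw, sent_ids):
    """Return (verdict, reasons) for one raw message.
    sent_ids: Message-IDs this mailbox really sent (assumed to be logged)."""
    msg = message_from_string(raw)
    if not is_auto_reply(msg):
        return "not-auto-reply", []
    body = "".join(p.get_payload(decode=True).decode("utf-8", "replace")
                   for p in msg.walk() if p.get_content_type() == "text/plain")
    reasons = []
    # The targets' addresses were forged, so they never sent the original.
    if (msg.get("In-Reply-To") or "").strip() not in sent_ids:
        reasons.append("answers a message we never sent")
    if URL_RE.search(body):
        reasons.append("body carries a link")
    if not ABSENCE_RE.search((msg.get("Subject") or "") + "\n" + body):
        reasons.append("no absence wording")
    # Assumed threshold: two or more signals together mark the reply suspicious.
    return ("suspicious" if len(reasons) >= 2 else "plausible-auto-reply"), reasons

# Constructed samples (not real traffic); all addresses and IDs are made up.
SENT_IDS = {"<real-456@example.org>"}
SPAM = ("From: someone@webmail.example\nTo: target@example.org\n"
        "Subject: Re: See what you are missing\nAuto-Submitted: auto-replied\n"
        "In-Reply-To: <forged-123@example.org>\n\nVisit http://ads.example/ today\n")
LEGIT = ("From: colleague@webmail.example\nTo: user@example.org\n"
         "Subject: Re: Quarterly report\nAuto-Submitted: auto-replied\n"
         "In-Reply-To: <real-456@example.org>\n\nI am out of the office until Monday.\n")

if __name__ == "__main__":
    for name, raw in (("SPAM", SPAM), ("LEGIT", LEGIT)):
        print(name, assess(raw, SENT_IDS))
```

The In-Reply-To check only works if the receiving side keeps a record of the Message-IDs it has sent; without that log, the content signals have to carry the decision alone.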