Monthly Archives: January 2007

Spammers Mimicking Legitimate Newsletters

Spammers, always adding to their bag of thug tools, have begun sending spam disguised as legitimate newsletters. To date, the fake newsletters have not accounted for large volumes of spam, but the practice is disturbing because:

1) Recipients might be more likely to open the messages, and

2) Spoofed newsletters might be penalized in any number of ways.


Update on Storm Worm

The Storm message has morphed into over 250 variants.

A wide variety of subject lines are being used in the spam campaign, including “You’re so Far Away”, “I Dream of you”, “Dream Date Coupon”, “Together You and I”, “A Bouquet of Love”, “So in Love” and “Cuddle Up”. Attached to the emails are files called ‘flash postcard.exe’ or ‘greetingcard.exe’. When opened, the worm attempts to send itself to other email addresses found on the recipient’s PC, while also attempting to download further malicious code from the internet, designed to take over the computer and use it to send spam on behalf of hacking gangs.


Father of the Internet Warns that Botnets Pose Grave Danger to Internet

Vint Cerf, “father of the internet,” warned attendees at the World Economic Forum that botnets could undermine the future of the internet. Cerf estimates that 25% of all PCs currently connected to the internet (about 150 million) are infected with trojans.

We have been watching the growth of the Botnet closely over the past several years, and have seen it grow in size and sophistication. One particular Botnet, dubbed Spam Thru, is particularly sophisticated. It clears other trojans off of computers it has infected and is designed to avoid detection and removal.

Cyber Thugs use Botnets to send spam, steal data and launch denial of service attacks. Essentially, the botnet is a free, illegal, criminal distributed computing network.


LBL Update

MxToolBox provides free email blacklist lookups and monitoring (RBL or DNSBLs) as a free service to the public. We do not endorse any of these blacklists or even recommend them as reliable information to block spam and viruses in inbound emails.


However, many email administrators do choose to use these lists to block emails.  We make as many lists as possible available on our lookup tool to provide as much information as possible to those that are listed and, subsequently, rejected.  We leave the interpretation of the results up to the professional opinion of the user. 


The LBL list recently went offline, returning positive results for any lookup. MxToolBox will remove this list from our tool at 5:00pm Central Time on 1/25/2007.  The reason for the delay is that in our professional opinion, the result is still valid.


It is still valid because email is still being rejected by some servers because of this listing, and that is what our tool is intended to help diagnose.  Not all servers specify the reason that an email was rejected, so not all bounce messages may be useful in pointing to the source of the problem. 


Anyone using LBL to reject inbound email should obviously stop using it immediately.  This would also be an excellent time to review ALL lists you are using to reject emails.  If you don’t specifically know what a list represents and believe in the quality of the information, you should remove those lists as well.


Anyone listed on LBL (this is YOU, because EVERYONE is listed) should not worry. You only need to take action if you have emails blocked. In that case, you should contact the system administrator of the receiving email server and point them in the right direction.
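
One way to run the review of your own lists suggested above, as an added example that is not MxToolBox code: it probes each list with the two test addresses from RFC 5782 (127.0.0.2 must be listed, 127.0.0.1 must never be), so a list that answers for everything, as LBL did, is flagged. It assumes the lists follow that convention; the zone names and `sample_lookup` resolver are constructed so the block runs offline.

```python
import ipaddress
import socket

# RFC 5782 test points: 127.0.0.2 must be listed, 127.0.0.1 must never be.
MUST_LIST, MUST_NOT_LIST = "127.0.0.2", "127.0.0.1"

def dnsbl_name(ip, zone):
    """Build the query name: reversed IPv4 octets followed by the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")

def system_lookup(name):
    """Return the A record for name, or None when it does not resolve."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def check_zone(zone, lookup=system_lookup):
    """Classify one list by probing its two test points."""
    never = lookup(dnsbl_name(MUST_NOT_LIST, zone))
    listed = lookup(dnsbl_name(MUST_LIST, zone))
    if never is not None:
        return "lists-everything"      # answers for an address that must be clean
    if listed is None:
        return "dead-or-untestable"    # no test entry: offline, or not RFC 5782
    if not listed.startswith("127."):
        return "unexpected-answer"     # DNSBL answers belong in 127.0.0.0/8
    return "ok"

def review(zones, lookup=system_lookup):
    """Map every configured zone to its status."""
    return {zone: check_zone(zone, lookup) for zone in zones}

# Constructed resolver standing in for DNS so the example runs offline.
SAMPLE_DNS = {"2.0.0.127.healthy.example": "127.0.0.2",
              "2.0.0.127.parked.example": "203.0.113.7"}

def sample_lookup(name):
    if name.endswith(".wildcard.example"):
        return "127.0.0.2"             # wildcard record: every name resolves
    return SAMPLE_DNS.get(name)

SAMPLE_ZONES = ["healthy.example", "wildcard.example", "gone.example", "parked.example"]

if __name__ == "__main__":
    for zone, status in review(SAMPLE_ZONES, sample_lookup).items():
        print(f"{zone:20} {status}")
```

Call `review()` with your real zone names and the default resolver to test the lists configured on a mail server; any status other than `ok` is a reason to stop rejecting mail on that list until it has been checked by hand.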

LBL Blacklist Mysteriously Resurfaces

We have been flooded with calls and emails this morning regarding the LBL Blacklist. A large range of users–from self hosted to ISP hosted–have reported being listed on LBL and, subsequently, having their mail blocked. The website, however, seems to be defunct. Users are seeing two different messages:





LBL was terminated MAR 2004. Stop using it.
Return codes were:







Wildcard to added 23 JAN 2007
Return codes were:



Today is the first time we have seen IP Addresses blocked by LBL. We are working to understand the problem and will post updates here. We have had some people ask us to remove LBL from our lookup tool. At this time, we are leaving it up because: a) the fact that it is on our tool is not at all related to the fact that IP Addresses are being blocked, and b) if it is on our tool, then at least users will be able to see what is causing the problem.


Check back for updates… 

Storm Worm Trojan Horse Spreading Fast

An email worm with the subject lines “230 dead as storm batters Europe,” “U.S. Secretary of State Condoleezza,” and “A killer at 11, he’s free at 21” spread rapidly across Europe yesterday and today.

Storm Worm is a Trojan horse with an executable file as an attachment. Cybercriminals took advantage of social engineering, using the news of the European storm to get people to open the attached malicious file, which promises more news on the weather emergency. The recipient must open the file for it to execute.

The file creates a back door to a computer that can be exploited later to steal data or to use the computer to post spam.