Monthly Archives: December 2008

Spam Protection You Can Trust

When you use email services from MxToolBox, you get the peace of mind of knowing that your email is protected from spam attacks by our team of technology experts. We use the best anti-spam tools available to keep your email and computer safe.

However, sometimes a loophole can be created that lets spam through, and these loopholes can be a big problem. Fortunately, MxToolBox can help you close one of the biggest: the exploitation of the whitelist.

As many people have experienced, sometimes you will receive email from a spammer who uses a familiar email address to get you to open their message. Spammers know that people are expecting mail from places like Sears and JC Penney, and the spammer will exploit people's trust by sending from false addresses. This is called spoofing and can cause you all sorts of headaches.

The spam protection you get with MxToolBox will stop this spam from reaching your computer so that you only get legitimate email from these companies. It uses a variety of anti-spam technologies that can tell a message from a legitimate company apart from one sent by a spam site.

However, one of the loopholes spammers can use is created when the computer user keeps a personal whitelist. Many email programs let the user whitelist an email address or a domain name, and every message matching that entry then goes straight through to the computer. This opens the door to the Whitelist Exploit.

Whitelisting an email address or a domain name means that ANY message from that address or domain goes to the computer without passing through the spam filter's safety net. Because of this, spammers will use the domain names of popular stores, figuring that some people will have whitelisted those domains and their spam will get through.

Another popular spamming technique is for the spammer to send an email to a user with the sender address set to the user's own personal email address. Because a person with the right skills can change their outgoing email address to anything they want, spammers can create a computer program that sends messages to any name imaginable at every email server imaginable, and it will succeed every time someone has whitelisted their own email address.

An email program's spam filter will not catch this, because whitelisting something means it gets a free pass to your computer. The spam filter is not active for a whitelisted address.
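The loophole described above comes from deciding on the From address alone. As an added illustration (not code from MxToolBox or the original post), here is a small Python check that contrasts that naive whitelist with one that honors an entry only when the receiving mail server recorded an SPF or DKIM pass. The whitelist entries, the sample messages and the Authentication-Results values are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed whitelist (not from the page): one full address and one domain
# entry written as '@domain'. The first entry is the user's own address, the
# case the post describes as the easiest one for a spammer to abuse.
WHITELIST = {"alice@example.com", "@store.example"}

# Constructed sample messages. Both claim to come from a whitelisted sender;
# only the second was actually authenticated by the receiving mail server.
SPOOFED = (
    "From: Alice <alice@example.com>\r\n"
    "To: alice@example.com\r\n"
    "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=alice@example.com\r\n"
    "Subject: you have won\r\n\r\n"
    "click here\r\n"
)
LEGIT = (
    "From: Orders <orders@store.example>\r\n"
    "To: alice@example.com\r\n"
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=orders@store.example; dkim=pass header.d=store.example\r\n"
    "Subject: your receipt\r\n\r\n"
    "thanks for your order\r\n"
)

def sender(raw):
    """Return the lower-cased address taken from the From: header."""
    msg = message_from_string(raw)
    return parseaddr(msg.get("From", ""))[1].lower()

def is_whitelisted(addr):
    """Match an exact-address entry or a domain entry of the form '@domain'."""
    return addr in WHITELIST or "@" + addr.split("@")[-1] in WHITELIST

def authenticated(raw):
    """True if our own server recorded an SPF or DKIM pass for the message.
    Assumes the server strips any Authentication-Results header that arrives
    from outside; otherwise a spammer could simply add 'spf=pass' himself."""
    msg = message_from_string(raw)
    results = " ".join(msg.get_all("Authentication-Results", []))
    return re.search(r"\b(spf|dkim)=pass\b", results) is not None

def skips_spam_filter(raw, require_auth):
    """Naive whitelist (require_auth=False): the From: header alone decides,
    which is the loophole. Hardened (require_auth=True): the whitelist entry
    applies only when the sender was authenticated."""
    if not is_whitelisted(sender(raw)):
        return False
    return authenticated(raw) if require_auth else True
```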

So what should you do? The first step to stopping spam as effectively as possible is to call the team of experts at MxToolBox to get information about safely using the whitelist feature. Most people don't even need to use this feature and will still receive email that is sent from reputable locations. And if you are having difficulty getting email from a certain location, the team at MxToolBox is again happy to help solve the problem so that you get the email you need and none of the spam you don't.

That is one of the main reasons that using email solutions from MxToolBox is so successful for so many people. You can be secure in the knowledge that your email is being handled by people who have the expertise and skill to protect you from spam.


Spam volumes are increasing again…

Since the removal of the large spam source McColo last month, everyone thought that spam would decrease immensely and immediately. While we did see a drastic reduction of spam and viruses directly after it was shut down, we knew better: it would only be a short time before spam was back, and we warned you that it would be worse than before (articles are here and here).

SpamCop’s statistics page shows a steady increase in spam reports since last month:

Looking at the past year of spam traffic, you can see the immediate impact when McColo was taken down in November, but volumes are rising again:

The Prognosis

If you’ve seen more spam getting through your filters this winter, it’s probably not because the developers and technicians who build and maintain your anti-spam / anti-virus products decided to hang out at the pool until fall. It’s likely because the overall volume of spam and viruses continues to push boundaries never seen before. Couple this with the myriad of new techniques and tactics and, well, the security community has to scramble to keep up.

As for MxToolBox, we’ve worked hard to make sure our FlexBox Email Security Service has provided the highest possible level of protection for our customers' mailboxes through this winter's spam season.

Photo Credit: SpamCop

Spam Volume has Risen Back 37%

from: Washington Post & Web Marketing & Industry News

In the fallout resulting from knocking McColo Corp. offline, this past week may prove to be a missed opportunity in the prevention of a dramatic reappearance of junk e-mail, as a botnet that once controlled 40 percent of the world's spam apparently has found a new home.

The botnet Srizbi was knocked offline Nov. 11 along with Web-hosting firm McColo, which Internet security experts say hosted machines that controlled the flow of 75 percent of the world's spam. One security firm, FireEye, thought it had found a way to prevent the botnet from coming back online by registering domain names it thought Srizbi was likely to target. But when that approach became too costly for the firm, it had to abandon its efforts.

"This cost us a lot of money. We engaged all the right people. In the end, it comes back to the fact that there wasn't a process in place to do what we were trying to do," said Alex Lanstein, senior researcher at FireEye. "The day after we stopped registering the domains, the bad guys started picking them up."

According to FireEye, Srizbi was the only botnet operating through McColo that had a backup plan in case its master control servers were ever unplugged: the malware contained a mathematical algorithm that generates a random but unique Web site domain name, which the bots would be instructed to check for new instructions and software updates from its authors.

Shortly after McColo was taken offline, researchers at FireEye said they deciphered the instructions that told computers infected with Srizbi which domains to seek out. FireEye researchers thought this presented a unique opportunity: If they could figure out what those rescue domains would be going forward, anyone could register or otherwise set aside those domains to prevent the Srizbi authors from regaining control over their massive herd of infected machines.

In addition, by registering the domains, FireEye, a startup, could gain valuable intelligence, such as where the individual bots were located and how many there were. The problem, FireEye quickly found, was that each variant was designed to seek out a different set of four rescue domains every 72 hours. To make matters worse, the company identified more than 50 variants of Srizbi in circulation, impacting 500,000 systems. Those that were deficient or ill-programmed in some way controlled fewer victims, anywhere from a few hundred to a few thousand computers. The more virulent strains of Srizbi, however, controlled upward of 50,000 systems, FireEye found.

That meant that to prevent the Srizbi authors from regaining control over their herd, FireEye would have to register more than 450 domains each week just to stay a step ahead of the bad guys. But each domain name registered costs money. FireEye spent $4,000 buying up future domains that might be sought by stranded Srizbi bots.

FireEye researchers thought that with that kind of firepower at their fingertips, they could have instructed each of the infected systems to uninstall the bot program. But the FireEye researchers surmised that such an action would not only be illegal but that commanding all of the bots to uninstall their infectious code would run the risk of doing serious damage to the systems. Srizbi, like most other sophisticated botnet programs these days, hooks into systems at a fundamental level, and removing it occasionally causes an infected system to stop working altogether.

"We could tell these bots to uninstall themselves from most of the machines, and the whole process would probably take a few seconds," Lanstein said. "But even if it were legal to do this, what would happen if removing the malicious software messes up some of these machines even worse?"

Srizbi had already shown it was fully capable of resurrecting itself. Joe Stewart, director of malware research for Atlanta-based SecureWorks, has documented how the Srizbi botnet's built-in rescue system can bring a lost herd of hacked computers back into the fold.

In October 2007, a massive blast of spam was sent through the Srizbi botnet promoting U.S. presidential candidate and libertarian Ron Paul. SecureWorks found that the control servers used by Srizbi for that spam run were all located at McColo, and reported the location of those servers to the now defunct hosting provider. Stewart said McColo responded by changing the Internet addresses of those control servers, which was enough to strand all of the bots seeking new instructions. When the backup mechanism in the bots caused them to search for new Web site names a few days later, the criminals who controlled the network were able to regain control over it by registering those Web site names.

A week ago, FireEye researcher Lanstein said they were looking for someone else to register the domain names that the Srizbi bots might try to contact to revive themselves. He said they approached other companies such as VeriSign Inc. and Microsoft Corp. After FireEye abandoned its efforts, some other members of the computer security community said they reached out for help from the United States Computer Emergency Readiness Team, or US-CERT, a partnership between the Department of Homeland Security and the private sector to combat cybersecurity threats.

Officials at US-CERT, however, have not responded to e-mails and phone calls requesting an interview about this story.

If others had gotten involved, there were a couple of scenarios that could have played out. One was for an ISP or registrar to gain clearance to "sinkhole" all of the Srizbi bots, essentially tying them up eternally by pretending to have the instructions the bots were seeking but never quite giving those bots the complete answer. The other was for an accredited registrar to register all of the domains sought by the Srizbi variants.

Ultimately, the FireEye researchers, under pressure from their managers to stop incurring expenses for registering the domains, stopped their efforts Nov. 24. According to FireEye, sometime on Nov. 25, unknown individuals in Russia apparently registered the remaining domains, thereby regaining control over the world's largest spam botnet.

Devnet allows our customers to take a 21-day test drive of Postini Email Security, which helps prevent your company from being affected by such issues.