
IN FOCUS: Spammers Adopt New Tactics
Posted by SteveT on Saturday, November 17, 2007 :: Last Updated on Sunday, January 20, 2008:: Views 454

   

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Got spam? Of course you do. For the life of me, I cannot understand the minds of spammers. They're simply not mentally healthy individuals, as evidenced by their escalating intrusions into our inboxes and Web browsers.

So how bad is the problem now? According to statistics published by Distributed Checksum Clearinghouse (at the URL below), the volume of spam has nearly doubled since November 2006 and has at least tripled since November 2005. I'm sure other entities that track such statistics have data that indicates the same trend.

http://list.windowsitpro.com/t?ctl=6DE77:E0792EBBCDE7A61AA63286175C8EF58F

Recently, spammers have taken on new tactics to bypass various spam filters used by Web sites and for email processing. A recent item on Symantec's Security Response blog says that spammers are using Google to redirect people to spammer Web sites. When I first heard the report, it seemed surprising that Google could be taken advantage of by spammers. But there's a simple explanation of how it can happen.

Because certain parameters can be passed as part of a URL, spammers can mask the URL of a spam or malware Web site in an email message (rendering URL blacklists useless!). The technique involves first crafting a Google query that returns only the single page that spammers hope someone will visit. The spammer then adds a variable to the end of the Google query URL that causes Google to instantly redirect the browser to the spammer's Web page.

Fortunately, you can create a custom filter to catch the trick, assuming of course that your spam filter system allows you to write custom rules. Simply look for "google.com" and "&btnl=" in any URL string. You can read more about the trick and the block at the URL below.

http://list.windowsitpro.com/t?ctl=6DE6A:E0792EBBCDE7A61AA63286175C8EF58F
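
One way to write the custom rule described above, as an added Python example (not code from the article or from any spam filter product). It parses each URL rather than substring matching, so the parameter is caught in any position or with an empty value, and a non-Google host carrying the same strings is not flagged. The function names and sample messages are constructed here, and matching `btni` alongside the page's `btnl` is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# "btnl" is the name as printed in the article; "btni" is an assumed
# alternate reading of the same name. Compared in lower case.
REDIRECT_PARAMS = {"btnl", "btni"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def is_google_host(host):
    """True for google.com and its subdomains, not for look-alike hosts."""
    host = (host or "").lower().rstrip(".")
    return host == "google.com" or host.endswith(".google.com")

def is_redirect_url(url):
    """Flag a Google URL whose query string carries the redirect parameter."""
    try:
        parts = urlsplit(url.replace("&amp;", "&"))  # HTML mail escapes '&'
        host = parts.hostname
    except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
        return False
    if not is_google_host(host):
        return False
    # keep_blank_values: the parameter may be sent with an empty value
    params = parse_qs(parts.query, keep_blank_values=True)
    return any(name.lower() in REDIRECT_PARAMS for name in params)

def find_redirect_urls(body):
    """Return every URL in a message body that matches the rule."""
    return [u for u in URL_RE.findall(body) if is_redirect_url(u)]

# Constructed message bodies, not taken from real mail.
SAMPLE_BODIES = [
    "Cheap meds http://www.google.com/search?q=constructed+query&btnl=1 today",
    '<a href="http://google.com/search?btnl=&amp;q=constructed">click</a>',
    "See http://example.test/?ref=google.com&btnl=1 (not a Google host)",
    "Search tips: http://www.google.com/search?q=what+is+btnl",
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(bool(find_redirect_urls(body)), body)
```
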

A recent item on McAfee's Avert Labs blog (at the URL below) tells how Web spammers are using a distributed method of solving CAPTCHAs--those images with numbers and letters that you have to read and then type into a form field before submitting the form.

http://list.windowsitpro.com/t?ctl=6DE6C:E0792EBBCDE7A61AA63286175C8EF58F

In a nutshell, spammers are now capturing legitimate Web sites' CAPTCHA images in real time and inserting them into their own Web pages that offer some type of enticing free content. Visitors who want to gain access to that free content must enter the CAPTCHA solution. What they don't know is that the CAPTCHA came from another site. When the visitor enters the solution, the spammer sends the solution to the originating site, thereby getting past the CAPTCHA spam filter.

Fortunately there's a way to defeat this type of spamming too: Don't use images for CAPTCHAs. Instead, use a lengthy set of text-based questions and answers, and randomize the HTML that wraps the questions so that they can't be easily parsed by spammers' code.

On a semi-related note, if you're using DNS blacklists, you might be interested in an entry I read at Al Iverson's DNSBL Resource blog. Iverson set up a spam trap to determine which DNS blacklists are most accurate. Based on his tests so far, Spamcop and Spamhaus operate the best blacklists. Neither site mistakenly tagged any legitimate email as spam. On the other hand, Iverson found that SORBS tagged about 10 percent of his legitimate email as spam. I'll add to Iverson's findings that, based on my experience, SORBS blacklists entire class C networks due to the violations of a few servers within those networks. You can read Iverson's article at the URL below, wherein you'll find a link to his statistics, which will give you a good idea of which blacklists to consider using.

http://list.windowsitpro.com/t?ctl=6DE6E:E0792EBBCDE7A61AA63286175C8EF58F
