Spam

You are currently browsing the archive for the Spam category.

For the past week a massive attack has infected PCs by tricking users into clicking links in fake messages from CNN.com. The attack has shown little sign of ending soon. The links in the spam e-mails go to sites which tell you to download the Adobe Flash player to watch a movie. What actually happens when you run this file is that a trojan is installed on your computer. The trojan adds your computer to a worldwide botnet.

The email itself looks like a completely normal message from CNN.com and some of the links in the email also go to CNN. Right now there is a similar attack in progress, although this time MSNBC.com (NBC’s and MSN’s news site) is used to mask the attack. Spam has flowed in since around 11am on Tuesday. The sites that the spam messages link to are most likely hijacked ones, and the site owners are probably not yet aware that their sites contain malicious code.

Firefox and Internet Explorer 7 now include filters to block sites like these. However, it normally takes several days before a hijacked site has been reported to these filters. Until then, no warning will be displayed when surfing to these sites.

As we reported yesterday, we now see a lot of spam messages with subject lines related to current events. Many of these spam messages contain links to sites that install a trojan which turns your computer into a spam-sending monster. The blog I got Spam? reports that the sites (for example a bogus Porntube, which is the adult version of YouTube) are hosted on a number of hacked servers. When someone clicks on the link, a pop-up is displayed telling the user to install an ActiveX control, which installs the trojan that welcomes you to the Storm Worm botnet. This weekend this botnet was responsible for sending over 8 million spam messages in 24 hours.

F-Secure also reports on these spam messages on their blog.

The fact that spammers are trying to take advantage of our curiosity to get us to read their incredible offerings is perhaps nothing new. But recently, we have noted that spammers use gossip to get the recipient interested. The content of the spam is approximately the same as usual: some text and a link to a site that sells Viagra, sex toys, watches or other items. In the subject line, however, there is something that attracts our curiosity. For example, that Britney is involved in a new scandal, or that oil prices are on the way down. Britney and the American presidential candidates are, by the way, quite popular as the subject of this type of spam. What these subject lines have in common is that they usually relate to a current event.

Some examples:
Oil prices starting to DROP
Obama endorses herbal supplements
Tim Russert’s six scandal exposed at funeral
Nokia unveils revolutionary new phone design
Britney found hanged in locker room
Britney lingerie shoot
Britney in drug scandal in saint tropez
Portugal regrets not bringing herbal supplements

Spammers hope that we are more interested in Britney’s latest adventure than in how their own fantastic products can help us.

CBC News reports that the Quebec provincial police have dismantled a computer hacking network that targeted unprotected personal computers around the world. These so-called botnets are commonly used to perform hacking attacks against other computers and servers. Botnets are also widely used as senders of millions and millions of spam messages. So will this arrest decrease the spam traffic?

Spammers often use clever tricks to disguise the actual link of the site they are trying to fool the recipient into visiting. The latest trick is to construct a Google search link which utilizes Google’s “I’m Feeling Lucky” feature.

This is the first in a weekly series of articles we will post here on the SpamDrain blog. Every week we will analyse a particular spam message in various ways. This week we will take a look at a particularly stupid pump and dump spam message.

SpamDrain for domains has been released after a successful beta test period. Spam and viruses are blocked before they reach the domain’s original e-mail servers.

SpamDrain for domains provides domain level filtering for companies and individuals with their own domain and uses the same smart filtering as the current POP3 version. All e-mail is filtered before it reaches the domain’s original e-mail servers. This means that web mail and other services work as usual and no changes to the users’ e-mail program settings are required.

As of today the beta testing is finished and SpamDrain for domains is released for production use. To start using SpamDrain for domains, please click the link below and follow the instructions.

Sign up for a 30-day trial of SpamDrain for domains

Learn more about SpamDrain for domains

SpamDrain is introducing support for the IMAP protocol and we are now looking for beta testers. If you use IMAP to collect your e-mail, we gladly welcome you as a beta tester. You will be using the same smart filtering as the current POP3 version, and spam and viruses will be stopped as usual before they reach your inbox.

Sign up as a normal member and add your IMAP account in order to filter it through SpamDrain. We are interested in as many combinations of e-mail servers and e-mail programs as possible. The beta version is free at least until April 30th 2007.

Sign up as usual to become an IMAP beta tester