Caller ID Spoofing Will Soon Be Illegal

Caller ID spoofing is rather easy to do for anyone willing to make the effort, and there are apps that make it even easier. It’s akin to forging the “From:” header in an email. Both of these standards were developed in a time and environment where malicious use wasn’t a concern. Today that’s obviously no longer the case.

Now the House has passed the “Truth in Caller ID Act of 2010”, which makes it illegal to spoof Caller ID information “with the intent to defraud and deceive”. Blocking is explicitly still allowed.

It covers any technology, not just POTS, meaning that VoIP technologies are affected too. In theory even a poorly chosen Skype username (or whatever service you’re using) would technically be illegal. So don’t call yourself “HotChick69” if you can’t prove in court that it is accurate. “With the intent to defraud and deceive” suggests that Google Voice can still spoof Caller ID for the purpose of showing the original number it’s forwarding for, but I’m sure their lawyers are examining things closely.

It reminds me of the “CAN-SPAM Act of 2003”, which has been <sarcasm>extremely effective</sarcasm>. I’m sure nobody will ever spoof Caller ID again.

That said, this is why you should be concerned about services that recognize the phone number you’re dialing from and let you bypass security measures on that basis. Always use a PIN.

Poor Website Email Practices

I got a few emails in the past 24 hours that need to be addressed. I’ve seen both of these issues before, but never has it become so common that I see two almost back to back.

Character Encoding

VideoSurf sent me an invitation to check out their product. Unfortunately I’m a somewhat busy person and just haven’t gotten around to it. They noticed this and sent me a reminder, which I thought was kind of nice. Unfortunately, like many companies these days, their mail software doesn’t set a character encoding, meaning their email looks like garbage. If I manually switch the character encoding in my mail client to UTF-8, everything looks fine. What’s the lesson here?

Content-Type: text/plain; charset=utf-8

That’s all it takes to make sure I see every character in your email. It’s not hard.
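To show what that one header line changes, here is a small added example (my own code, not VideoSurf’s or anything from the original post) that builds the same UTF-8 body twice, once with and once without the charset parameter, and decodes each the way a client that trusts the headers would. The sender address and body text are constructed sample values.

```python
from email import message_from_bytes

# Constructed sample body with accents and a symbol (not from the original post)
SAMPLE_BODY = "Merci, à bientôt! Café ☕"


def build_raw_message(body: str, declare_charset: bool) -> bytes:
    """Assemble a minimal message whose body is UTF-8 encoded.

    The two variants differ only in whether the Content-Type header
    carries the charset parameter the post asks for.
    """
    content_type = "text/plain; charset=utf-8" if declare_charset else "text/plain"
    headers = (
        "From: noreply@example.com\r\n"  # constructed sender address
        "Subject: Reminder\r\n"
        "MIME-Version: 1.0\r\n"
        f"Content-Type: {content_type}\r\n"
        "\r\n"
    )
    return headers.encode("ascii") + body.encode("utf-8")


def render_body(raw: bytes) -> str:
    """Decode the body the way a client that trusts the headers does.

    RFC 2045 makes US-ASCII the default for text/plain when no charset
    is declared, so every non-ASCII byte turns into a replacement mark.
    """
    msg = message_from_bytes(raw)
    charset = msg.get_content_charset() or "us-ascii"
    return msg.get_payload(decode=True).decode(charset, errors="replace")


def demo() -> tuple:
    """Return (body as seen with charset declared, body as seen without)."""
    good = render_body(build_raw_message(SAMPLE_BODY, declare_charset=True))
    bad = render_body(build_raw_message(SAMPLE_BODY, declare_charset=False))
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("declared charset:", good)
    print("missing charset: ", bad)
```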

Unnecessary Backscatter

Yahoo’s Flickr service sent me an email saying my “upload has failed”. I know that’s not true, since I don’t use Flickr to host my images. Viewing the email, it’s obvious that a spammer trying to abuse their service forged the From: header with my email address. This failed for the spammer, and the failure notification went to me. I publish SPF records so that recipients’ mail servers can verify whether an email originated from a system that’s authorized to send email for my domain. Why doesn’t Yahoo check whether the email they received carries forged headers before bouncing it? That would obviously be a good way to tell if someone is trying to spam their system, and it would stop other innocent victims from getting backscatter.

Google Mail Fail

Found an interesting header when doing some tests with mail filtering:

Received: from qb-out-1314.google.com ([172.21.30.5])
        by mx.google.com with ESMTP id k29si2692710qba.7.2008.09.06.14.48.05;
        Sat, 06 Sep 2008 14:48:06 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning user@example.com does not designate 172.21.30.5 as permitted sender) client-ip=172.21.30.5;
Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning user@example.com does not designate 172.21.30.5 as permitted sender) smtp.mail=user@domain.tld
Received: by qb-out-1314.google.com with SMTP id d5so1543676qbd.6
        for <destination@example.com>; Sat, 06 Sep 2008 14:48:04 -0700 (PDT)

See the problem? Look closely. In particular look at this line:

Received-SPF: softfail (google.com: domain of transitioning user@example.com does not designate 172.21.30.5 as permitted sender) client-ip=172.21.30.5;

Look at that IP. RFC 1918 states the “20-bit block” (172.16/12) is for private internets. Google is softfailing emails because they were sent through its own mail servers. Google’s own SPF record looks like this:

;; QUESTION SECTION:
;_spf.google.com.               IN      TXT

;; ANSWER SECTION:
_spf.google.com.        292     IN      TXT     "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ?all"

I really don’t understand why Google is doing this. They should have their SPF checker whitelisting mail sent from their own servers. SPF is intended to verify the sender. When sent locally it’s pointless and can only be harmful. They can still do other spam checks.

From what I can tell, this seems to be happening about 50% of the time, meaning this is something deployed on some but not all Google clusters.

Google Used For Spam

This happened a few weeks ago. I kept it quiet and reported it. Hasn’t happened again, and I haven’t heard anything, so I presume it’s fixed.

It appears spammers have learned to hijack Google Alerts for spamming purposes. By setting up an alert whose text is the spam, the email is sent through Google’s mail servers. Because it’s plain text, most email clients will parse the link in the email and make it clickable. Effectively Google is running an open mail relay. Here’s what I saw when I visited Google’s site to see if it really was in my account:

(Screenshot: Google Spam)

So apparently a spammer was smart enough to realize they could hijack this functionality to send spam through Google. I emailed Google a few weeks ago about this problem and didn’t hear back. I haven’t seen another, so I presume they have fixed this problem by now. From what I’ve read, Google is pretty prompt with this stuff.

This just shows how careful you need to be with the security of web forms. Even something as innocent sounding as this can be hijacked to send nasty payloads. A spammer could have used this to send links to infected files, etc., all looking like legitimate Google emails (because they are from Google).

Here’s what the email looks like (slightly sanitized by me):


Spam Havens Follow Up

Ok, so 1 business day after I found a few spammed sites:

  • Apple has removed the page, no comment.
  • Riverside, CA acknowledged and said they are in the process of resolving. I’ll keep an eye out to see how long it takes.
  • AOL has removed the page, no comment.

So there you have it, 3 reports, 2 of which are resolved in 1 business day, 1 other report is still in the works.

I was surprised myself to see the response time.

Edit [3/21/2007]: Riverside, CA has removed the links, and disabled that forum to prevent future problems.

Spam Havens?

I’ve recently seen an increase in spam around here slipping through the filter. In an attempt to keep this site clean, I keep a close eye on comments, typically checking several times a day and removing URLs that are pure spam or just inappropriate. But over the past several days things have been getting stranger.

The typically very clean mac.com (Apple Inc.’s .mac web hosting service) seems to be a spam haven. Over the last several days, I’ve been seeing several spams for a “Streammate” site hosted by Apple. This is one of those porn spam sites (of which I get a hundred a day). What’s interesting is that it doesn’t seem to get shut down promptly. Do they not monitor the service? It’s not as if it’s even free; this is paid hosting. Most hosting services have some spam sites. It’s virtually impossible to avoid. But they should be removed when found.

Not only is Apple hosting these Spam pages, but so are others including the City of Riverside, California, who links to the Apple hosted spam.

The URLs relevant in this case are below as an image to prevent any Google juice, as well as unsuspecting clicks. You’ll have to very intentionally type them into your URL bar. The contents may not be appropriate for all audiences, and who knows what badware lies within. Be warned.

(Image: Spam Havens?)

I’ve contacted Apple and the City of Riverside. Let’s see how quickly this is handled.

Edit: Just realized AOL’s hosting too.

Edit: See the update.

Google Badware Notification

Google has started providing notification before it lets you visit a search result known to contain badware. It’s done in partnership with StopBadware.org, who has a list of sponsors including: Google, Lenovo, and Sun Microsystems.

So far the feature seems pretty good. I’m sure there will be a few C&Ds trying to get this feature taken down, now that some companies have found their revenue model shattered. To help prevent accidental blacklisting they have been trying to contact websites that are blacklisted so they can fix the problem (should they want to). Hopefully that will eliminate or at least minimize any errors.

I’d venture most people stumble upon these sites one of a few ways:

  1. Spam, or its instant messaging counterpart, spim: linking to dubious websites in the hope of generating revenue at a computer owner’s expense.
  2. Search results. The prime situation where a web surfer visits sites out of their ordinary traffic patterns and may fall victim to such practices.

Google just took a big bite out of #2. Gmail/Yahoo/Microsoft/AOL have been working hard on #1. That should really help make the web a safer place… until the next menace takes the web by storm.

The Crushing Junk Folder

Since 9/19/2006 when I last emptied my Junk folder, my personal email address has 1.65GB (yes, gigabytes) of Spam/Viruses in it. That is in my opinion a sign of a serious problem.

Oh yeah, a few weeks ago we began auto-rejecting email from certain blacklisted servers, which drastically cut down on spam. And still it almost hit the 2GB mark.

Imagine how much wasted electricity spam filtering costs due to consuming CPU cycles and hard drive I/O. Not to mention the financial cost.

On a side note, for Thunderbird users:

I like to keep a mail archive, and I do so using the trash: I just don’t empty it. But I don’t want my “Junk” in there. So what I do is periodically delete it.

Edit: See comment #1 for a better way, or for my way, read on.

First close Thunderbird. In your profile, find your Mail folder, then your mail server, and you’ll see a file called Junk. Delete it and create a blank. Or in any Unix OS:

rm -r Junk
touch Junk

Then open up Thunderbird, right click on the Junk folder (will still show # of items, though none exist), select “Compact”. It will soon reset to 0. Done. Nothing mixed in your trash. Perhaps a nice extension would be a hard delete, one that didn’t go to the trash, but just wiped the contents away.

Bayesian Spam Filter Poisoning With RSS

Overview

Bayesian filtering is a great method for fighting spam. Unlike rule-based filtering, which spammers can easily adapt to with simple modifications, a Bayesian filter adapts to the spammers’ changes, making it much more difficult for them to defeat the filtering. As a result it’s used in server-side mail filtering as well as client-side filtering in various products including Mozilla Thunderbird, SpamAssassin, and SpamBayes. Despite this level of “intelligence” it’s not foolproof. Like anything that analyzes unsanitized input, it’s vulnerable to poisoning. To be fair, there is a debate on whether such poisoning really exists. I personally believe it does.
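To make the mechanism the paragraph describes concrete, here is a minimal Bayesian spam scorer in the style of Paul Graham’s “A Plan for Spam”, added here as an illustration; it is my own code, not that of Thunderbird, SpamAssassin or SpamBayes. The training lines are constructed, and the 0.4 probability assigned to never-seen tokens is my own assumed prior.

```python
from __future__ import annotations

import math
import re
from collections import Counter

# Constructed training corpus (not from the original post)
HAM = ["meeting notes attached, see you thursday",
       "can you review the patch before the release",
       "lunch tomorrow? the usual place"]
SPAM = ["cheap pills buy now limited offer",
        "buy now and win a free prize offer",
        "limited offer cheap prize click now"]

TOKEN = re.compile(r"[a-z0-9']+")


def tokens(text: str) -> set[str]:
    """Distinct lowercase word tokens; each token counts once per message."""
    return set(TOKEN.findall(text.lower()))


def train(ham: list[str], spam: list[str]) -> dict[str, float]:
    """Per-token spam probability, clamped to [0.01, 0.99] so that a token
    seen in only one class can never be absolutely decisive on its own."""
    ham_counts = Counter(t for m in ham for t in tokens(m))
    spam_counts = Counter(t for m in spam for t in tokens(m))
    probs = {}
    for tok in set(ham_counts) | set(spam_counts):
        good = ham_counts[tok] / len(ham)
        bad = spam_counts[tok] / len(spam)
        probs[tok] = min(0.99, max(0.01, bad / (bad + good)))
    return probs


def spam_probability(probs: dict[str, float], text: str, top: int = 15) -> float:
    """Combine the most 'interesting' tokens (furthest from 0.5); unknown
    tokens get a mildly hammy 0.4 (assumed) so new vocabulary does not dominate."""
    seen = sorted((probs.get(t, 0.4) for t in tokens(text)),
                  key=lambda p: abs(p - 0.5), reverse=True)[:top]
    if not seen:
        return 0.5
    log_spam = sum(math.log(p) for p in seen)
    log_ham = sum(math.log(1 - p) for p in seen)
    # equals prod(p) / (prod(p) + prod(1 - p)), computed in log space
    return 1 / (1 + math.exp(log_ham - log_spam))


def is_spam(probs: dict[str, float], text: str, threshold: float = 0.9) -> bool:
    return spam_probability(probs, text) > threshold
```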


Coming Soon: Bluejacking

If you have Bluetooth on your phone, there’s yet another reason to turn it off when you aren’t using it. Besides saving battery life (which is always a good thing) and general security, you’ll be seeing more and more spam over time if you leave it on. It’s already a problem in some places. Here’s an auto-translated version of the linked article in English.

It’s too easy to just spam cell phones with phone book entries, videos, text messages, pictures, etc. Even if you don’t accept them, your phone will still go off to let you know you have an incoming request. I would bet it won’t take long before apps exist for PDAs that automatically spam any Bluetooth device in range. Then a spammer can just walk through the streets, malls or stores to send spam. Talk about discreet marketing.

What a mess, and I doubt it will be fixed anytime soon. We’re still getting email spam with no end in sight.