Now the House passed the “Truth in Caller ID Act of 2010“, which makes it illegal to spoof Caller ID information “with the intent to defraud and deceive”. Blocking is explicitly still allowed.

It covers any technology, not just POTS meaning that VoIP technologies are impacted. In theory even a poorly chosen Skype username (or whatever service you’re using) would technically be illegal. So don’t call yourself “HotChick69″ if you can’t prove that it is accurate in court. “With the intent to defraud and deceive” suggests that Google Voice can still spoof Caller ID for the purpose of showing the original number it’s forwarding for, but I’m sure their lawyers are examining things closely.

It reminds me of the “CAN-SPAM Act of 2003″, which has been <sarcasm>extremely effective</sarcasm>. I’m sure nobody will ever spoof Caller ID again.

That said, this is why one should be concerned about services that recognize the phone number your dialing from and let you bypass security measures. Always use a pin.

Character Encoding

VideoSurf sent me an invitation to check out their product. Unfortunately I’m a somewhat busy person and just haven’t gotten around to it. They noticed this and sent me a reminder, which I thought was kind of nice. Unfortunately like many companies these days, their mail software doesn’t set a character encoding, meaning their email looks like garbage. If I change the character encoding in my mail client to UTF-8 all looks great. What’s the lesson here?

Content-Type: text/plain; charset=utf-8

That’s all it takes to make sure I see every character in your email. It’s not hard.

Unnecessary Backscatter

Yahoo’s Flickr service sent me an email that my “upload has failed”. I know that’s not true since I don’t use Flickr to host my images. Viewing the email it’s obvious a spammer trying to abuse their service forged the From: header with my email address. This failed for the spammer, and the fail notification went to me. I host SPF records so that recipients mail servers can verify if an email originated from a system that’s authorized to send emails from my domain. Why doesn’t Yahoo check to see if this email they received forged headers? This would obviously be a good way to tell if someone is trying to spam their system, and would stop other innocent victims from getting backscatter.

Received: from qb-out-1314.google.com ([172.21.30.5])
        by mx.google.com with ESMTP id k29si2692710qba.7.2008.09.06.14.48.05;
        Sat, 06 Sep 2008 14:48:06 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning user@example.com does not designate 172.21.30.5 as permitted sender) client-ip=172.21.30.5;
Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning user@example.com does not designate 172.21.30.5 as permitted sender) smtp.mail=user@domain.tld
Received: by qb-out-1314.google.com with SMTP id d5so1543676qbd.6
        for <destination@example.com>; Sat, 06 Sep 2008 14:48:04 -0700 (PDT)

See the problem? Look closely. In particular look at this line:

Received-SPF: softfail (google.com: domain of transitioning user@example.com does not designate 172.21.30.5 as permitted sender) client-ip=172.21.30.5;

Look at that IP. RFC 1918 states the “20-bit block” (172.16/12) is for private internets. Google is softfailing emails because it’s sent through it’s own mail servers. Google’s own SPF record looks like this:

;; QUESTION SECTION:
;_spf.google.com.               IN      TXT

;; ANSWER SECTION:
_spf.google.com.        292     IN      TXT     "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ?all"

I really don’t understand why Google is doing this. They should have their SPF checker whitelisting mail sent from their own servers. SPF is intended to verify the sender. When sent locally it’s pointless and can only be harmful. They can still do other spam checks.

From what I can tell, this seems to happening about 50% of the time, meaning this is something deployed on some but not all Google clusters.

It appears spammers have learned to hijack Google Alerts for spamming purposes. By setting up an alert with a spam text, the email is sent through Google’s mail servers. Because it’s plain text, most Email clients will parse the link in an email to make it clickable. Effectively Google is running an open mail server. Here’s what I saw when I visited Google’s site to see if it really was in my account:

So apparently a spammer was smart enough to realize they could hijack this functionality to send spam through Google. I emailed Google a few week ago about this problem, and didn’t hear back. I haven’t seen another, so I presume they fixed this problem by now. From what I’ve read Google is pretty prompt with this stuff.

This just shows how careful you need to be with security of web forms. Even something innocent sounding like this can be hijacked to send nasty payloads. A spammer could have used this to send links to infected files, etc. All looking like legitimate Google emails (because they are from Google).

Here’s what the email looks like (slightly sanitized by me):

From - Fri Jun 01 19:37:17 2007
Return-path: < ---------------------@alerts.bounces.google.com>
Envelope-to: r-----@---------.com
Delivery-date: Fri, 01 Jun 2007 11:39:09 -0500
Received: from mail by g---n.m-------t.com with local-bsmtp (Exim 4.42)
	id 1HuA9c-0001PM-6U
	for r-----@---------.com; Fri, 01 Jun 2007 11:39:09 -0500
X-Spam-Step: 10
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on
	s----------n.m-------t.com
X-Spam-Level: ***
X-Spam-Status: No, score=3.5 required=5.0 tests=AWL,BAYES_00,DRUGS_ERECTILE,
	URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL autolearn=no
	version=3.1.7
Received: from [209.85.132.130] (helo=an-out-f130.google.com)
	by g---n.m-------t.com with esmtp (Exim 4.42)
	id 1HuA9c-0001PF-3l
	for r-----@---------.com; Fri, 01 Jun 2007 11:39:08 -0500
Received: by an-out-f130.google.com with SMTP id d10so118678and
        for <r -----@---------.com> Fri, 01 Jun 2007 09:39:07 -0700 (PDT)
DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed;
        d=google.com; s=beta;
        h=domainkey-signature:received:message-id:mime-version:content-type:x-sender:subject:to:from:date;
        b=FGPzqa4A/uwrY9R4eE5zc7aWGSLWLoJNdzneqDb3y6JoK6bORFreaSIcMM18ju8X11Q4Yz46WS0CyILKEQuNjQ==
DomainKey-Signature: a=rsa-sha1; c=nofws;
        d=google.com; s=beta;
        h=received:message-id:mime-version:content-type:x-sender:subject:to:from:date;
        b=scui0PgQGL5lSJQnFaSsGAJZV62EWfW8kjWfyt1LJc4C4DyEK1Yd2ZM80BmWnUqk5MEC5yGk0WmL1DjUvGIT8Q==
Received: by 10.70.74.1 with SMTP id w1mr2256151wxa.1180715947494; Fri, 01 Jun 2007 09:39:07 -0700 (PDT)
Message-ID: < ----------------------@google.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
X-Sender: HwAAAC491XMCve-7EImb_MgE7FP_5F7kb0mu3Tw3l5pegz4N
Subject: Click to confirm your Google Alert
To:r-----@---------.com
From: Google Alerts <googlealerts -noreply@google.com>
Date: Fri, 01 Jun 2007 09:39:07 -0700
X-SA-Profile: 5693

Google received a request to start sending Alerts for the search
[ *] Viagra as low as $2.81! See http://SPAMSITE/ for more info. EXPRESS DELIVERY! ULTIMATE QUALITY! [* 51078155988.654 ] to r-----@---------.com.

Verify this Google Alert request:
http://www.google.com/alerts/verify?Cancel this Google Alert request:

http://www.google.com/alerts/remove?

Thanks,
The Google Alerts Team

http://www.google.com/alerts

• Apple has removed the page, no comment.
• Riverside, CA acknowledged and said they are in the process of resolving. I’ll keep an eye out to see how long it takes.
• AOL has removed the page, no comment.

So there you have it, 3 reports, 2 of which are resolved in 1 business day, 1 other report is still in the works.

I was surprised myself to see the response time.

Edit [3/21/2007]: Riverside, CA has removed the links, and disabled that forum to prevent future problems.

The typically very clean mac.com (Apple Inc.’s .mac Web Hosting service) seems to be a spam haven. The last several days, I’ve been seeing several spams for a “Streammate” site hosted by Apple. This is one of those porn spam sites (which I get a hundred a day). What’s interesting is that it doesn’t seem to get shutdown promptly. Do they not monitor the service? It’s not like it’s even free. This is paid hosting. Most hosting services have some spam sites. It’s virtually impossible to avoid. But they should be removed when found.

Not only is Apple hosting these Spam pages, but so are others including the City of Riverside, California, who links to the Apple hosted spam.

The url’s relevant in this case are below as an image to prevent any Google Juice, as well as unsuspecting clicks. You’ll have to very intentionally type them into your url bar. The contents may not be appropriate for all audiences, who knows what badware lies within. Be warned.

I’ve contacted Apple and The City of Riverside. Lets see how quickly this is handled.

Edit: Just realized AOL’s hosting too.

Edit: See the update.

So far the feature seems pretty good. I’m sure there will be a few C&D‘s trying to get this feature taken down, now that some companies have found their revenue model shattered. To help prevent accidental blacklisting they have been trying to contact websites that are blacklisted so they can try and fix it (should they want to). Hopefully that will eliminate/minimize any errors.

I’d venture most people stumble upon these sites one of a few ways:

1. Spam, or it’s instant messaging counterpart Spim. Linking to dubious websites in hopes of generating revenue at a computer owners expense.
2. Search results. The prime situation where a web surfer visits sites out of their ordinary traffic patterns and may fall victim to such practices.

Google just took a big bite out of #2. Gmail/Yahoo/Microsoft/AOL have been working hard on #1. That should really help make the web a safer place… until the next menace takes the web by storm.

Oh yea, a few weeks ago, we began auto-rejecting email from certain blacklisted servers, which drastically cut down on spam. And still it almost hit the 2GB mark.

Imagine how much wasted electricity spam filtering costs due to consuming CPU cycles and hard drive I/O. Not to mention the financial cost.

On a side note, for Thunderbird users:

I like to keep a mail archive, I do so using the trash. I just don’t empty. But I don’t want my “Junk” in there. So what I do is periodically delete it.

Edit: See comment #1 for a better way, or for my way, read on.

First close Thunderbird. In your profile, find your Mail folder, then your mail server, and you’ll see a file called Junk. Delete it and create a blank. Or in any Unix OS:

rm -r Junk
touch Junk

Then open up Thunderbird, right click on the Junk folder (will still show # of items, though none exist), select “Compact”. It will soon reset to 0. Done. Nothing mixed in your trash. Perhaps a nice extension would be a hard delete, one that didn’t go to the trash, but just wiped the contents away.

Bayesian Filtering is a great method for fighting spam. Unlike rule based filtering which spammers can easily adapt to with simple modifications, Bayesian adapts with the spammers changes, making it much more difficult for them to defeat the filtering. As a result it’s used in server side mail filtering as well as client side filtering in various products including Mozilla Thunderbird, SpamAssassin, and SpamBayes. Despite this level of “intelligence” it’s not foolproof. Like anything that analyzes unsanitized input, its vulnerable to poisoning. To be fair, there is a debate on if it exists or not. I personally believe it does exist.

So What Is This “Poisoning” You Speak Of?

Poisoning refers to spammers putting non-spam words (either gibberish, random words, or old texts) into spam. This technique itself is nothing new. This is a technique used for years to help get around spam filters. This is why some of your spam may contain things like:

Everything you can imagine is real.
What this country needs is a good five cent cigar.
What the eye does not admire the heart does not desire.
Action is coarsened thought thought becomes concrete, obscure, and unconscious.
A man profits more by the sight of an idiot than by the orations of the learned.

The above comes from spam trying to pitch a Canadian pharmacy! Doesn’t sound very medical does it? That’s the point. They then throw the url and a quick “buy pills” somewhere in there.

What’s Now Going On

My theory is that the new technique spammers seem to be taking on is to use RSS feeds as an input source to make spam look more legitimate and keep the content timely (to avoid filtering). RSS is easy to retrieve, parse, and is extremely plentiful. As a result it’s possible to have an endless sea of salt to try and get around the filters.

Examples

Here are a few examples I collected in about 10 minutes of skimming my spam folder only looking at titles for ones that look like they may have come from feeds. Google searches seem to indicate most come from CNN RSS feeds. To perform searches to find the origin you need to be a little creative and make use of Google’s cache, since an articles title could change through the life of the article.

I then decided to use Google Reader to display over 1,000 titles from the past week in my “General News” tag, this includes a few but not all of their feeds (mainly U.S, World News). As a side note this category is somewhat of an antique, since I don’t read general news via RSS since I work for a news website. I get all the news I can tolerate from 9-5 . I’m also a feed junkie.

I clearly couldn’t find all within the range of a week and 3 feeds, but I did find enough to make me wonder. The screenshots are below:

U.S., Iraqi forces battle insurgents

Story Date: Tue, 9 Jan 2007
Email Sent: Wed, 10 Jan 2007

Rice ‘loves’ Fox News; CBS anchor ‘decent guy’

Story Date: Thu, 11 Jan 2007
Email Sent: Fri, 12 Jan 2007

Rebel ‘We aided bin Laden escape’

Story Date: Thu, 11 Jan 2007
Email Sent: Sun, 14 Jan 2007

Madonna defends Rosie

Story Date: Thu, 11 Jan 2007
Email Sent: Fri, 12 Jan 2007

Swank ‘I am in a relationship

Story Date: Tue, 09 Jan 2007
Email Sent: Wed, 10 Jan 2007

Gwynn, Ripken in Hall, McGwire misses

Story Date: Tue, 09 Jan 2007
Email Sent: Thu, 11 Jan 2007

Court papers Dancer cleared one Duke suspect

Story Date: Tue, 11 Jan 2007
Email Sent: Fri, 12 Jan 2007

As you can see, many were sent the day after the story appeared in the feed.

I should note this is not the feed owners fault in any way, nor is there any reasonable effort they can make to stop or prevent such misuse. No need to go after blog owners or news sites. Most of them get spammed more than you.

Here’s a list of the emails I spotted for the past several days. I’m not sure where a few of them came from (if anyone wants to dig deeper, feel free). As of a week ago, several others could be found around the web by searching google and viewing the google cached version of some pages. Headlines can change as a story evolves. This further complicates this research:

• Here’s a list of news related subjects from spam emails:
• Court papers Dancer cleared one Duke suspect
• Filing Duke suspect just watched
• Fortune The 100 best companies to work for
• Gwynn, Ripken in Hall, McGwire misses MORE
• Iranian officials detained in Iraq, U.S. official says
• Kennedy threatens Bush Iraq plan
• Madonna defends Rosie
• Man in hot pants struts in boots, cheers city MORE
• Mom charged with stabbing kids
• N.J. suspected as source of stench MORE
• O’Reilly, Colbert on each’s shows.
• Rebel ‘We aided bin Laden escape’
• Rice ‘loves’ Fox News; CBS anchor ‘decent guy’
• Sen. Johnson’s condition upgraded
• Stem-cell funding passes House, faces veto threat
• Swank ‘I am in a relationship’
• Teacher accused of taking improper photos found dead
• U.S. gunships target al Qaeda suspects in Somalia
• U.S., Iraqi forces battle insurgents
• Witnesses Al Qaeda targeted MORE

Outlook

The potential for this to manifest itself more in the future seems somewhat high. One could rather easily spider some blogging networks for a bunch of random blog RSS feeds to leach content rather than just the subject. They would resemble legitimate email even more than a news site could.

Will this seriously harm spam filters? I doubt it. It’s not drastically different from previous methods. What’s so interesting is that they seem to be tapping a new fresh data source.

It’s hard to say how widespread this is exactly. I’ve got at least a dozen in the past few days. All from different sources, and even to different addresses. Because of how botnets can be used to send spam, it’s somewhat difficult to tell if they come from the same origin.

This may even help in the war on spam. Because they are distributing copyrighted information, perhaps (I’m not a lawyer) this might qualify as copyright infringement. AOL, whose parent company like CNN is Time Warner may be interested. Microsoft has MSNBC to look out for. That’s two giant email providers who have sued spammers before, with news networks that have an online presence and may be ripped for the purpose of spamming.

What’s interesting about the above emails is that most look strikingly similar in terms of actual contents. The titles also have the theme of being from RSS feeds. The headers indicate different origins, making it likely they were sent using a botnet, but have the same master.

Conclusion

The need for real-time blacklisting may become more of a necessity to be truly effective in the long run. Similar to how Phishing is being handled. The danger might not be spam getting through, but legitimate email looking more like the new spam and being caught.

I’d love to see someone like Google or Yahoo do an analysis of spam in comparison to their search indexes. I can manually do only so many, and visually scan for relevant information. I’m sure with Gmail or Yahoo Mail’s spam, and Google or Yahoo’s index, there could be some real insight. The people at Google have already done some decent work on Phishing and Malware. I think spam wouldn’t be far off. Using what I could access from Google was very valuable in seeing how spammers are operating. I bet they can see more than I can.

Further Research

I do have a copy of the emails referenced in this post. I am not making them publicly accessible to prevent some immature wanna-be hacker from attacking someone’s PC because their IP address was previously issued to an infected computer. By the time I strip all the headers out, they aren’t really any more useful than what’s already posted here.

It’s to easy to just spam cell phones with phone book entries, video’s, text messages, pictures, etc. Even if you don’t accept them, your phone will still go off to let you know you have an incoming request. I would bet it won’t take long befor apps exist for PDA’s to automatically spam any bluetooth device in range. Then a spammer can just walk through the streets, malls or stores to send spam. Talk about discrete marketing.

What a mess, and I doubt it will be fixed anytime soon. We’re still getting email spam with no end in site.