November 14, 2007 02:14 PM

Spammers Adopt New Tactics

Windows IT Pro
InstantDoc ID #97580

Got spam? Of course you do. For the life of me, I cannot understand the minds of spammers. They're simply not mentally healthy individuals, as evidenced by their escalating intrusions into our inboxes and Web browsers.

So how bad is the problem now? According to statistics published by Distributed Checksum Clearinghouse (at the URL below), the volume of spam has nearly doubled since November 2006 and has at least tripled since November 2005. I'm sure other entities that track such statistics have data that indicates the same trend.

http://www.dcc-servers.net/dcc/graphs/?resol=2y&BIG=1#graph1

Recently, spammers have taken on new tactics to bypass various spam filters used by Web sites and for email processing. A recent item on Symantec's Security Response blog says that spammers are using Google to redirect people to spammer Web sites. When I first heard the report, it seemed surprising that Google could be taken advantage of by spammers. But there's a simple explanation of how it can happen.

Due to certain parameters that can be passed as part of a URL, spammers can mask the URL of a spam or malware Web site in an email message (rendering URL blacklists useless!). The technique involves first crafting a Google query that returns only the single page that spammers hope someone will visit. The spammer then adds a variable to the end of the Google query URL that causes Google to instantly redirect the browser to the spammer's Web page.

Fortunately, you can create a custom filter to catch the trick, assuming of course that your spam filter system allows you to write custom rules. Simply look for "google.com" and "&btnl=" in any URL string. You can read more about the trick and the block at the URL below.

http://www.symantec.com/enterprise/security_response/weblog/2007/11/googles_advanced_search_operat.html
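
As an added illustration (not code from the article or from Symantec), the custom rule described above can be written so that it parses each URL instead of doing a plain substring search. That way a lookalike host or an HTML-encoded ampersand does not cause a miss or a false hit. The sample messages are constructed; "btnl" is the string given above, and "btni" (Google's "I'm Feeling Lucky" parameter, btnI) is an assumption added here.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Query parameter names to flag, compared in lower case.
# "btnl" is the string from the article; "btni" is an addition (assumption).
REDIRECT_PARAMS = {"btnl", "btni"}

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)

def is_google_host(host):
    """True only for google.com itself or one of its subdomains."""
    host = (host or "").lower().rstrip(".")
    return host == "google.com" or host.endswith(".google.com")

def is_redirect_url(url):
    """Flag a Google URL whose query string carries a redirect parameter."""
    try:
        parts = urlsplit(url.replace("&amp;", "&"))  # undo HTML encoding
    except ValueError:
        return False  # malformed URL: leave it to the other filters
    if not is_google_host(parts.hostname):
        return False
    # keep_blank_values so that a bare "&btnl=" still counts
    params = parse_qs(parts.query, keep_blank_values=True)
    return any(name.lower() in REDIRECT_PARAMS for name in params)

def find_redirect_urls(message_body):
    """Return every URL in a message body that matches the rule."""
    return [u for u in URL_RE.findall(message_body) if is_redirect_url(u)]

# Constructed sample message bodies (not real spam).
SAMPLES = {
    "redirect": "Free offer: http://www.google.com/search?q=constructed+query&btnl=1 now",
    "blank_value": "See http://google.com/search?q=constructed+query&btnl=",
    "html_encoded": '<a href="http://google.com/search?q=x&amp;BTNL=1">click</a>',
    "plain_search": "Docs: http://www.google.com/search?q=windows+security",
    "lookalike": "Visit http://google.com.example.test/search?q=x&btnl=1",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, find_redirect_urls(body))
```
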

A recent item on McAfee's Avert Labs blog (at the URL below) tells how Web spammers are using a distributed method of solving CAPTCHAs--those images with numbers and letters that you have to read and then type into a form field before submitting the form.

http://www.avertlabs.com/research/blog/index.php/2007/11/01/the-captcha-challenge/

In a nutshell, spammers are now capturing legitimate Web sites' CAPTCHA images in real time and inserting them into their own Web pages that offer some type of enticing free content. Visitors who want to gain access to that free content must enter the CAPTCHA solution. What they don't know is that the CAPTCHA came from another site. When the visitor enters the solution, the spammer sends the solution to the originating site, thereby getting past the CAPTCHA spam filter.

Fortunately there's a way to defeat this type of spamming too: Don't use images for CAPTCHAs. Instead, use a lengthy set of text-based questions and answers, and randomize the HTML that wraps the questions so that they can't be easily parsed by spammers' code.
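
A sketch of the text-based approach just described, as an added example that is not from the article or from McAfee: each word of the question is wrapped in a randomly chosen tag with a random class name, so the markup differs on every page load. The question bank is constructed, and the keyed-hash check of the answer is an assumption about how a server might verify the reply without storing the answer.

```python
import hashlib
import hmac
import html
import random
import re
import secrets

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret (assumption)

# Constructed sample questions; the article calls for a lengthy set.
QUESTIONS = [
    ("Which word in this list is a colour: chair, green, seven?", "green"),
    ("Type the last word of this sentence in lower case: apple", "apple"),
    ("How many letters are in the word spam? Answer with a digit.", "4"),
]
TAGS = ["span", "b", "i", "em", "strong"]

def _answer_tag(answer, nonce):
    """Keyed hash binding a normalised answer to one challenge nonce."""
    msg = nonce.encode() + b"|" + answer.strip().lower().encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def render_challenge(rng=random):
    """Return (markup, nonce, tag); the wrapping HTML changes every call."""
    question, answer = rng.choice(QUESTIONS)
    pieces = []
    for word in question.split(" "):
        tag = rng.choice(TAGS)
        cls = "c" + secrets.token_hex(4)  # unpredictable class name
        pieces.append(f'<{tag} class="{cls}">{html.escape(word)}</{tag}>')
    nonce = secrets.token_hex(8)
    return " ".join(pieces), nonce, _answer_tag(answer, nonce)

def check_answer(submitted, nonce, tag):
    """Constant-time comparison of the submitted answer against the tag."""
    return hmac.compare_digest(_answer_tag(submitted, nonce), tag)

def visible_text(markup):
    """What a human reads once the browser has rendered the markup."""
    return html.unescape(re.sub(r"<[^>]+>", "", markup))

if __name__ == "__main__":
    markup, nonce, tag = render_challenge()
    print(markup)
    print(visible_text(markup))
```

The nonce and tag travel in hidden form fields; a server using this sketch should also record each nonce and accept it only once, so that a solved challenge cannot be replayed.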

On a semi-related note, if you're using DNS blacklists, you might be interested in an entry I read at Al Iverson's DNSBL Resource blog. Iverson set up a spam trap to determine which DNS blacklists are most accurate. Based on his tests so far, Spamcop and Spamhaus operate the best blacklists. Neither site mistakenly tagged any legitimate email as spam. On the other hand, Iverson found that SORBS tagged about 10 percent of his legitimate email as spam. I'll add to Iverson's findings that, based on my experience, SORBS blacklists entire class C networks due to the violations of a few servers within those networks. You can read Iverson's article at the URL below, wherein you'll find a link to his statistics, which will give you a good idea of which blacklists to consider using.

http://www.dnsbl.com/2007/03/how-well-do-various-blacklists-work.html
