Saturday, June 30, 2007


reporting phishes

If you really want to do something about phishes, don't bother reporting them to your ISP. Millions of people already hit that "this is spam" button. And it's only useful if you do it within a few minutes of your ISP's receiving it.

Instead, open the message source and find the URL of the fake bank site. We call that the payload URL. The whole point of the spam is to get you to go there with a web browser. The fake bank site was created by a dangerous gang of criminals. Don't forget that. Do not visit the URL with a web browser. It probably contains malware and will attack your PC.

Sometimes these are hosted on spammer-friendly ISPs in Eastern Europe or China. Do not report those. But most fake bank or credit union or Paypal sites are hosted on servers that the criminal broke into.

With a little common sense, you can safely figure out where the fake bank site is hosted. Look at the payload URL in the spam message source. You can spot it among the decoys and images because it's the one with "click here" or the domain name of the real bank.

If the payload URL is something like, you can be pretty sure it's a break-in, and the Podunk Realtor and his ISP or web design firm have no idea they are supporting large scale felony fraud. If it's more like, it's probably a shared hosting account at a giant web hosting company, purchased with a stolen credit card. If it's (a subtle misspelling), the hosting company and the Registrar are probably in on it, and there's no point in reporting those. Some web hosting places are so careless that they might as well be in on it.

If it's in eastern Europe or China, leave it to the professionals. Stop here. You do not want to provoke the Russian mafia.

Copy the domain name of the fake bank site out of the message source and trace it (with "tcptraceroute" on unix or "tracert" on MSWindows, or use to its hosting.

The output of the traceroute starts at your PC (or at Samspade) and shows the route to the fake site. The last item is the compromised server. It may have a domain name that belongs to the ISP, or to one of his customers. With a little practice you'll know which is which at a glance. Look up the IP address in Whois. ISPs generally own their own IP addresses. Even if they don't, it gives you a pretty good clue as to what company owns or controls that end of the route. In the case I called Podunk Realtor, it is probably safe to look at the front page of the Realtor's site with a browser, and find some contact info that way. Look up the domain name on the server, in Whois. That will give you more contact info, of the Podunk Realtor or his ISP or both.

Report the break-in to the owner of the server and his ISP. Out of the hundreds of thousands who received that phish run, you may be the only person to report it properly. Do not include a copy of the spam. That will probably prevent the victim from receiving it. Just tell them the IP address of the compromised server, and the URL you found in the spam.

You can look up contact addresses of a well-run ISP at Or just send to where, of course, is the ISP's domain name. (If that bounces, report the ignorant ISP to
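The message-source steps above, done in code, as an added example that is not part of the original post: it pulls the links out of a constructed sample phish, flags the one whose lure text names the bank but whose host does not belong to the bank, sorts the host roughly the way the post does (a subtle misspelling or look-alike of the bank's name versus an unrelated host that was probably broken into), and drafts the report with just the server address and the URL and no copy of the spam. The sample message, every domain in it, the 192.0.2.10 server address and the thresholds in classify_host are all assumptions; the traceroute and Whois lookups are still done by hand as described above.

```python
"""Triage a phishing message: find the payload URL, sort its host, draft the report.
Added example, not code from the post. The sample message, every domain and address
in it, and the thresholds in classify_host() are constructed assumptions."""
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

REAL_BANK_DOMAIN = "podunkbank.example"  # brand being impersonated (placeholder)

# Constructed sample: the lure text names the bank, but the href points at a web
# server somebody else owns (the "Podunk Realtor" case described in the post).
SAMPLE_PHISH = """\
From: "Podunk Bank" <security@podunkbank.example>
Content-Type: text/html; charset=us-ascii

<html><body><p>Dear customer,</p>
<img src="http://www.podunkbank.example/logo.gif">
<p>Please <a href="http://www.podunk-realtor.example/~jim/login/podunkbank/">click here</a>
to confirm your details.</p>
<p><a href="http://www.podunkbank.example/privacy">Privacy policy</a></p>
</body></html>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible link text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None

def html_body(raw_message):
    """Return the decoded text/html part of a raw message, or "" if there is none."""
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() == "text/html":
            return part.get_payload(decode=True).decode("utf-8", "replace")
    return ""

def find_payload_urls(raw_message, real_domain):
    """Links whose text lures ("click here" or the bank's name) but whose host is
    not the bank's own. Images and same-domain links are the decoys."""
    collector = LinkCollector()
    collector.feed(html_body(raw_message))
    bank_name = real_domain.split(".")[0]
    hits = []
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        lure = "click here" in text.lower() or bank_name in text.lower()
        if lure and host != real_domain and not host.endswith("." + real_domain):
            hits.append(href)
    return hits

def _edit_distance(a, b):
    """Levenshtein distance, to catch subtle misspellings of the bank's name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host, real_domain):
    """Rough triage of the payload host; the edit-distance threshold is an assumption."""
    host = host.lower()
    host = host[4:] if host.startswith("www.") else host
    if host == real_domain or host.endswith("." + real_domain):
        return "real bank domain"  # a decoy link, not the payload
    bank_label, host_label = real_domain.split(".")[0], host.split(".")[0]
    if host_label != bank_label and (
        bank_label in host_label or _edit_distance(host_label, bank_label) <= 2
    ):
        return "look-alike domain"  # registrar and host are probably in on it: skip
    return "unrelated host"  # most likely a broken-into server: trace it, whois, report

def draft_report(server_ip, payload_url):
    """Just the compromised server's IP and the URL; no copy of the spam, which
    would likely get the report itself filtered before anyone reads it."""
    return (
        "Subject: phishing page hosted on a compromised web server\n\n"
        f"A fake bank login page is being served from {server_ip}.\n"
        f"The URL sent out in the phishing spam is: {payload_url}\n"
        "The server has most likely been broken into. Please remove the page "
        "and check the host for other changes.\n"
    )

if __name__ == "__main__":
    for url in find_payload_urls(SAMPLE_PHISH, REAL_BANK_DOMAIN):
        print(url, "->", classify_host(urlparse(url).hostname, REAL_BANK_DOMAIN))
        # 192.0.2.10 is a placeholder: in practice, the last hop of your traceroute.
        print(draft_report("192.0.2.10", url))
```

The lure test (link text says "click here" or names the bank, but the host is not the bank's) is what separates the payload URL from the logo image and the genuine privacy-policy link; the look-alike check is only there so you can skip the cases the post says are not worth reporting.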

Do that with one phish a week and you're doing more than all the times you ever hit "this is spam."

Friday, June 29, 2007


Sender Address Verification we told you so

When we started seeing SMTP callbacks, aka "Sender Address Verification," several members of, including myself, said it was a Bad Idea.

It's trivially easy to get around SAV. The spammer just puts known deliverable addresses in his envelope-sender. Of course he needs to use thousands or millions of those in each spam run, to evade statistical filters. I'm surprised it took until now for them to figure that out. And because they have to be deliverable, it takes a higher quality list for the fake senders than for the spam recipients.

Meanwhile, there are still a lot of "anti-spam appliances" and other broken SMTP servers that accept and return messages to bad addresses, rather than refusing them. But you can't return spam once you've accepted it into your queue. You don't have an address for the spammer, and he isn't interested anyway. So the returned spam messages become a new form of spam known as "backscatter." Until recently, the Barracuda appliance in its default configuration sent backscatter. They've fixed that. Qmail-1.03 sends backscatter. There are patches for that. One popular Qmail backscatter patch is called "chkuser."

Two unforeseen consequences combine for another harm: 1. SAV is becoming popular. 2. Backscatter. The backscatter used to go to the same poor-quality address lists the spammers send to. So most of it never got delivered; it stuck in the Barracuda appliance or Qmail queue. But now that the forged senders are deliverable, it's getting delivered, adding to the spam load and degrading the statistical filtering results.
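A toy model of the interaction just described, added here and not part of the original post: two tiny domains with known mailboxes, an SAV callback that only asks whether the envelope sender is deliverable, and a receiving MTA that either refuses unknown recipients inside the SMTP session or accepts them and bounces later. Running the same spam against made-up forged senders and against real, deliverable ones shows where the bounces end up. The domains, addresses and policy names are constructed for the model; nothing here talks to a real network.

```python
"""Toy model of SMTP callbacks (SAV), accept-then-bounce MTAs and backscatter.
Added example, not from the post. Domains, addresses and policy names are
constructed; nothing here talks to a real network."""
from collections import Counter

# Constructed mailbox tables: which local parts really exist at each domain.
MAILBOXES = {
    "victim.example": {"alice", "bob"},  # innocent users whose addresses get forged
    "target.example": {"carol"},         # the domain the spam run is aimed at
}

def is_deliverable(address):
    """What a callback learns: would RCPT TO:<address> be accepted over there?"""
    local, _, domain = address.partition("@")
    return local in MAILBOXES.get(domain, set())

def sav_accepts(envelope_sender):
    """SAV asks only whether the envelope sender is deliverable, so a forged
    but real address at victim.example passes it."""
    return is_deliverable(envelope_sender)

def receive(envelope_sender, rcpt, policy, use_sav, outbox):
    """One MTA handling one message. Returns the outcome and appends any
    bounce it generates to `outbox`.
    reject_at_rcpt:     unknown recipient refused inside the SMTP session, so the
                        sending side owns the failure and no new mail is created.
    accept_then_bounce: message queued, then a DSN is mailed to the envelope
                        sender. With a forged sender that DSN is backscatter."""
    if use_sav and not sav_accepts(envelope_sender):
        return "rejected_by_sav"
    if is_deliverable(rcpt):
        return "delivered"
    if policy == "reject_at_rcpt":
        return "rejected"
    if policy == "accept_then_bounce":
        outbox.append({"to": envelope_sender, "about": rcpt})
        return "accepted_then_bounced"
    raise ValueError(policy)

def spam_run(forged_senders, recipients, policy, use_sav=False):
    """One spam per (sender, recipient) pair. Returns the outcome counts, the
    number of bounces that reach a real third-party mailbox (backscatter) and
    the number addressed to nonexistent senders (those just sit in a queue)."""
    outbox, outcomes = [], Counter()
    for sender, rcpt in zip(forged_senders, recipients):
        outcomes[receive(sender, rcpt, policy, use_sav, outbox)] += 1
    backscatter = sum(is_deliverable(b["to"]) for b in outbox)
    return outcomes, backscatter, len(outbox) - backscatter

# Constructed spam runs against a recipient list of mixed quality.
RECIPIENTS = ["carol@target.example", "dave@target.example", "erin@target.example"]
OLD_FORGED = ["zz9@victim.example", "qq7@victim.example", "alice@victim.example"]
NEW_FORGED = ["alice@victim.example", "bob@victim.example", "alice@victim.example"]

if __name__ == "__main__":
    for label, senders in (("made-up senders", OLD_FORGED), ("real forged senders", NEW_FORGED)):
        for policy in ("accept_then_bounce", "reject_at_rcpt"):
            for use_sav in (False, True):
                outcomes, backscatter, stuck = spam_run(senders, RECIPIENTS, policy, use_sav)
                print(f"{label:20} {policy:19} sav={use_sav!s:5} {dict(outcomes)} "
                      f"backscatter={backscatter} stuck={stuck}")
```

With made-up senders the bounces from an accept-then-bounce server mostly sit in its queue; with real forged senders every one of them lands in an innocent mailbox at victim.example, and SAV on the receiving side changes nothing because all those senders are deliverable. Only the reject_at_rcpt policy produces no bounce mail at all, which is the fix the post is pointing at.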

Not only are spammers destroying the public email system, but misguided Final Ultimate Solutions to the Spam Problem (FUSSPs) are damaging it too.

Saturday, June 02, 2007


Soloway busted, so what.

Big news, Robert Soloway busted for wire fraud, credit card fraud, CAN-SPAM violations, and using a bot-net.

Big deal. The prosecutor isn't even asking for prison time. That's the strongest signal yet that the US Government doesn't actually regard spamming and creating and running bot-nets as criminal behavior. It shows how successful US spammers have been at positioning themselves as persecuted entrepreneurs, not as criminal gangs. You can thank the Direct Marketing Association, the American Civil Liberties Union, and corrupt, stupid congresscritters like Zoe Lofgren for that.

And you can thank the US "news media" for spiking the story as systematically as they have blacked out anything in the Project Censored Yearbook.

Creating and using a bot-net is one of the most destructive computer crimes. A single bot-net operation can cause hundreds of millions of dollars of economic loss to consumers and businesses. Imagine if some criminal invented an automatic way to break into a hundred thousand people's cars and misuse them. Now imagine the DMA and the ACLU said that's okay, it's free speech!

Why is that so hard to understand? Because computers are "technical" and cars aren't?
