SANS ISC: T'is the season to be SPAMMY, trallalalaa la la la laaa

As we count down towards the end of the year and the festive season for a considerable part of the planet, we've started seeing some small increases in SPAM on the system I look after.  The increases are smallish at the moment, but if the trend follows previous years, General Mambuto has some extra cash to spend in your country, Sergeant Jones has found some valuables which he is willing to share, Adobe has a new version out called 2011, and likewise Skype apparently has a new version of their application also called 2011 (thanks Dorothy for those last two).  In other words, SPAMmers are getting ready for the festive season and have updated their SPAM to suit the season.

In the last week or so we've also started seeing some types of spam sneaking through what typically are very robust and accurate anti-SPAM products. One of the reasons seems to be the reputation filters used by a number of these products.  A reputation filter scores the sending IP before the message content is examined, and that score decides what is done with the message.  If the sender IP has a good enough reputation, the product may not spend CPU cycles on anti-SPAM or AV checks at all; the message is simply delivered.  The problem with a few of the runs over the last week (and maybe this is just regional) is that all of them have been sent from systems that have very good reputations.  The products using reputation filters are delivering these messages because the score is high enough for the message to bypass the anti-SPAM checks, so the content never gets looked at.   The messages I'm seeing are these pesky ones:

I just earned $765 in three days doing simple tasks! I used - http://x.co/randslkdjs You will thank me for this! 

Sometimes it has a subject line, sometimes not.  The link takes you to a tracker and then to a website for "home work" (read: money mule, I'm guessing).

The product update messages are typically along the lines of:

This is to notify/remind that a new version of 'insert product here' 2011
has new features. blah blah blah...
click here

The link domain typically contains 2011 together with the product name, e.g. "official-skype-2011.com" or "adobe-2011-download.com".
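The two spam patterns above, and the reputation-bypass behaviour described earlier, are easy to reproduce in a small gateway-style check. The following is an added example, not code from the diary or from any of the anti-SPAM products mentioned: it parses a handful of constructed sample messages (the From/To/Subject headers, the bypass threshold of 0.9, the "skype"/"adobe" brand list and the quarantine/deliver verdicts are all assumptions) and shows the difference between a gateway that lets a high sender-IP reputation skip content checks and one that always runs them. The lure text, the x.co link and the official-skype-2011.com domain are the ones quoted in the diary.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Assumed gateway policy: a sender-IP reputation at or above this score lets
# the gateway skip anti-SPAM/AV content checks (the behaviour the diary describes).
REPUTATION_BYPASS = 0.9

# Content signatures derived from the two campaigns described in the diary.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
EARNINGS_LURE_RE = re.compile(r"earned\s+\$\d[\d,]*\s+in\s+\w+\s+days?", re.IGNORECASE)
FAKE_UPDATE_RE = re.compile(r"new version of\b.{0,40}\b2011\b", re.IGNORECASE | re.DOTALL)
SHORTENER_HOSTS = {"x.co"}          # the shortener seen in the diary; extend as needed
BRANDS = ("skype", "adobe")         # products impersonated by the "2011" domains


def extract_text_and_urls(msg):
    """Return the text body (plain preferred over HTML) and every URL found in it."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    return text, URL_RE.findall(text)


def content_findings(msg):
    """Run the content checks the reputation bypass would skip; return a list of hits."""
    findings = []
    text, urls = extract_text_and_urls(msg)
    if EARNINGS_LURE_RE.search(text):
        findings.append("earnings-lure text")
    if FAKE_UPDATE_RE.search(text):
        findings.append("fake product-update text")
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENER_HOSTS:
            findings.append(f"shortener link {host}")
        if "2011" in host and any(brand in host for brand in BRANDS):
            findings.append(f"branded 2011 domain {host}")
    return findings


def decide(raw_message, sender_reputation, reputation_bypasses_content=True):
    """Gateway decision for one message.

    reputation_bypasses_content=True models the product behaviour from the diary:
    a good sender reputation short-circuits the content checks. Set it to False
    to always run the content checks regardless of reputation.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = content_findings(msg)
    if reputation_bypasses_content and sender_reputation >= REPUTATION_BYPASS:
        # Content was never consulted: findings are reported only so the
        # caller can see what the bypass let through.
        return {"verdict": "deliver", "reason": "reputation bypass", "findings": findings}
    if findings:
        return {"verdict": "quarantine", "reason": "content match", "findings": findings}
    return {"verdict": "deliver", "reason": "clean content", "findings": findings}


# Constructed sample messages (headers are assumptions; bodies follow the diary).
SAMPLE_LURE = """From: friend@example.net
To: you@example.com

I just earned $765 in three days doing simple tasks! I used - http://x.co/randslkdjs You will thank me for this!
"""

SAMPLE_UPDATE = """From: updates@example.net
To: you@example.com
Subject: Skype 2011

This is to notify/remind that a new version of 'Skype' 2011
has new features. Click here: http://official-skype-2011.com/download
"""

SAMPLE_CLEAN = """From: colleague@example.com
To: you@example.com
Subject: Meeting notes

Minutes are on the wiki: http://wiki.example.com/minutes/today
"""

if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_LURE), ("update", SAMPLE_UPDATE), ("clean", SAMPLE_CLEAN)):
        # Same good-reputation sender, with and without the bypass.
        print(name, "bypass on :", decide(raw, 0.95))
        print(name, "bypass off:", decide(raw, 0.95, reputation_bypasses_content=False))
```

With the bypass enabled, both spam samples are delivered from a 0.95-reputation sender exactly as the diary describes; with the bypass disabled, the content checks catch the shortener link, the earnings lure, the "new version of ... 2011" wording and the branded 2011 domain, while the clean message still passes. The practical takeaway is to treat sender reputation as an input to the verdict rather than a reason to skip the content checks altogether.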

Over the next few weeks keep an eye on your SPAM filters and check what is getting through, particularly from senders your reputation filter trusts.  You may want to send your users a little reminder on what is going around this year.

If you have examples of things that are sneaking through your SPAM filters I'd appreciate the headers. 

Cheers

Mark H 
