Defense in Depth

July 1, 2008 11:08 AM PDT

McAfee reports on spam in the real world

by Robert Vamosi

Taking a cue from Morgan Spurlock, who lived on fast food for 30 days in the Super Size Me documentary, McAfee gathered volunteers from around the world who would, for one hour a day, surf the Internet, signing up for various newsletters and filling in various forms. As they did so, the participants were asked to blog about their experiences.

On Tuesday, McAfee released the results of the experiment it called S.P.A.M., or Spammed Persistently All Month.

Over the course of the month, McAfee's test subjects accumulated 104,000 spam messages, or roughly 70 per day per recipient. Put another way, 87 percent of all the e-mail captured on the test laptops was considered to be spam. That isn't too surprising.

What is surprising, according to Dave Marcus, director of security research and communications for McAfee Avert Labs, is the amount of foreign language spam, with Germany and France having the highest percentage of local language spam.

Other findings include:

  • Men received more spam than women (76.6 per day vs. 60.6 per day).
  • The United States received more total spam, followed by Brazil and Italy.
  • Nigerian scam e-mails are more popular in the United Kingdom than in the United States.

What's also interesting, at least to me, is that the McAfee results were similar to results released by Symantec. McAfee used about 50 real-world participants while Symantec used its DeepThreat Network of thousands of computers worldwide.

You can hear more of Dave Marcus' observations on the McAfee results in this week's Security Bites podcast.

May 23, 2008 1:13 PM PDT

Google Docs used in latest spam attack

by Robert Vamosi

Spammers will do just about anything to get their e-mail through corporate and desktop filters. According to MessageLabs, they're now using Google Docs, a perfectly legitimate way to publish to the Web. Only what they're publishing is the same old wares--this time, it's enhancement pills. This week I talked with Matt Sergeant, senior anti-spam technologist with MessageLabs, who told me how they've been tracking one Google Doc since May 8, 2008.

Later in the conversation, Sergeant talks about the resurgence of Storm. Only a few weeks ago, MessageLabs reported a notable decrease in computers infected with the Storm botnet.

Below is a transcript of part of my interview. The entire podcast can be heard here.

Matt Sergeant: What's happening with Google Docs is that Google Docs is a way to publish your documents online. So, for example, word processing documents and spreadsheets and so on, and much like if you were using Microsoft Word you can embed links within those documents. What this does for the spammers is it allows them to effectively publish online a Web page on hosting sites such as Google that has all the bandwidth in the world for hosting it, and it's also a Web site that is never going to get blacklisted by anyone because nobody would be stupid enough to blacklist Google. So in effect, for the spammers this is a human shield effect. They can host their information and links online on a very stable source of bandwidth and links, and not worry ever about it being taken down or blacklisted.

Me: When did you first see this happening?

Sergeant: The first one that we saw, which showed on our radar in extremely small numbers clearly as a test by the spammers, was on May the 8th. So I guess that's about two weeks ago now.

Me: Have you contacted Google?

Sergeant: We've contacted Google, and also there's a link at the bottom of each one of the documents that Google publishes online that says, "Report this as spam." We clicked that link and I imagine anyone else who got the e-mail clicked that link as well. Unfortunately, Google has proved themselves to be quite slow at tackling this kind of abuse. Weeks later this document is still available online despite the reporting as spam.

Me: When you say that Google has a history of this, can you cite another example in recent memory where they've been slow to act on spam like this?

Sergeant: Generally, yeah there's a couple of different issues that we see in spam with Google. The first and very obvious one is spam directly from Gmail accounts, often that's the Nigerian spammers who are sending out these offers of millions of dollars where there is in fact no money. By most people's standards, Google tends to be quite slow at shutting down those accounts, whether it be an account that's actually an e-mail or just a drop box account for people to reply to. So those accounts seem to stay active for longer than if they were being hosted somewhere else for example. The other thing we see with Google is redirector links, so they have these links on their Web site which allow anyone or just about, but obviously mostly the spammers to have a link that looks like it's going directly to Google, but in fact after you've visited Google it redirects you to the actual spammer's Web site. These redirectors are quite common on loads and loads of Web sites out there, but obviously again they're gaining advantage from Google of all the bandwidth and unblockability of the Google Web site.

Me: So give me an example of what we would see if we went to the spammer's website, what sort of, where is it being hawked or malware being served up.

Sergeant: In the example that we saw on May the 8th it was a very simple pills scam or a pills Web site. So the e-mail came in with a link to Google Docs and very little of a text in the e-mail itself. They're very hard to block because there was very little to go on regarding the contents of it. When you went to the Google Docs Web site you saw much more information about the pills available for sale and the prices and so on, and almost every bit of text within that was a link which took you to the spammer's drop Web site, which is where you would actually go if you wanted to purchase some of those pills.
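As an added illustration (not part of the interview or MessageLabs' own tooling), here is one way a filter could approach the pattern described in this post: a near-empty body whose only link points at a shared publishing host, with the individual document rather than the whole host treated as the listable unit, plus a generic check for links that carry a second destination in a query parameter. The host list, word threshold, sample messages and function names are assumptions made for the example.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit, parse_qsl

# Assumption: hosts that publish user content and are too widely used to block whole.
SHARED_HOSTS = {"docs.google.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def embedded_target(url):
    """Return a different-host URL carried in a query parameter, if any."""
    parts = urlsplit(url)
    for _, value in parse_qsl(parts.query):
        inner = urlsplit(value)
        if (inner.scheme in ("http", "https") and inner.hostname
                and inner.hostname != parts.hostname):
            return value
    return None

def analyze(raw_message, max_words=15):
    """Flag thin-bodied mail whose links use a shared host or hide a redirect."""
    msg = message_from_string(raw_message)
    body = "\n".join(
        part.get_payload(decode=True).decode("utf-8", "replace")
        for part in msg.walk() if part.get_content_type() == "text/plain")
    urls = URL_RE.findall(body)
    words = URL_RE.sub(" ", body).split()
    findings = []
    for url in urls:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host in SHARED_HOSTS:
            # Key on host + path: the document, not the provider, gets listed.
            findings.append(("shared-host-document", host + parts.path))
        target = embedded_target(url)
        if target:
            findings.append(("redirect-to", urlsplit(target).hostname))
    thin = bool(urls) and len(words) <= max_words
    return {"thin_body": thin, "findings": findings,
            "suspicious": thin and bool(findings)}

# Constructed sample messages (not taken from the MessageLabs data).
SPAM = "Subject: hi\n\nBest prices here\nhttp://docs.google.com/constructed-doc-id\n"
LEGIT = ("Subject: planning notes\n\nHi team, the quarterly planning notes are in "
         "the shared document below. Please add your comments before Friday so we "
         "can finalize the agenda.\nhttp://docs.google.com/constructed-notes-id\n")

if __name__ == "__main__":
    for name, raw in (("spam", SPAM), ("legit", LEGIT)):
        print(name, analyze(raw))
```

The legitimate sample also links to the shared host but is not flagged, because the heuristic needs a thin body as well as the link; the host-plus-path finding is what a filter would add to a URL list once a document is confirmed as spam.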

May 7, 2008 11:48 AM PDT

Yahoo e-mail accounts compromised for spammers' use

by Robert Vamosi

Spammers are going legit, and they're using Yahoo e-mail authentication servers to do it, said Mark Sunner, chief security analyst with MessageLabs.

Most people use the Web interface for Yahoo Mail, which attaches a banner of advertising on the e-mail somewhere within the message. Yahoo also provides a service, Yahoo Plus, that allows the sender to use SMTP and traditional e-mail clients such as Outlook Express or Thunderbird. Mail sent via SMTP passes through Yahoo's servers, signing the mail as legit using the Yahoo DomainKeys Identified Mail (DKIM) service.

What this does is strip out the usual Yahoo advertising banners and help validate the mail as legitimate to escape most spam filters. MessageLabs found that anyone with a standard Yahoo account can also authenticate to the Yahoo Plus servers and send mail, without necessarily paying for the premium service. Sunner said in an interview with CNET News.com that this isn't a flaw; it appears that's just how the Yahoo service was designed.

In April, MessageLabs found that around 1,127 unique Yahoo user IDs were used in the distribution of this new kind of spam over 28 days. Sunner said around 40 new IDs per day are being generated, with the IDs not being shared between different infected computers.

Further, says Sunner, the Yahoo! accounts used--all from the same domain of @yahoo.co.uk--appear to have been automatically generated. That implies that the criminal hackers have somehow defeated the Yahoo CAPTCHA mechanism.

Details of this new spam campaign can be found in the April MessageLabs Intelligence Report (PDF).

February 5, 2008 1:17 PM PST

Spam continues to increase, Symantec says

by Robert Vamosi

Spam now accounts for 78.5 percent of all e-mail traffic, according to a new report from Symantec. That's up from previous months. And Europe, not the United States, can now claim to be the source of most spam.

Other notable points culled from the "State of Spam" report for February 2008 (PDF) include:

  • There was an appreciable decline of image spam during January 2008.
  • The overall file size of spam messages has also decreased.
  • Product spam, the largest category, makes up 28 percent of all spam.
  • Internet Web hosting and Web design spam makes up 23 percent.
  • Financial spam is in third place at 12 percent.
  • However, health-related spam (those Viagra e-mails) makes up a mere 6 percent.

January 23, 2008 1:42 PM PST

BullGuard releases a free spam filter

by Robert Vamosi

On Wednesday, the Danish security company BullGuard announced it will offer its spam filter product as a free download. The BullGuard Spamfilter (download) integrates with Microsoft Outlook, Outlook Express, Windows Mail, and Mozilla Thunderbird e-mail clients. It runs on Windows 2000, XP, and Vista.

The BullGuard product relies upon fellow users to identify spam; once e-mail is marked as spam, all other Spamfilter users will no longer receive that e-mail in their in-boxes. It will be available within the spam folder instead.

According to Google's Postini, 2007 saw record spam levels, with as much as 90 percent of all e-mail traffic being unsolicited spam.

In addition to providing the free software, BullGuard is also offering Spamfilter users free, live 24-7 technical support.

About Defense in Depth

Covering computer viruses and computer crime, Robert Vamosi goes beyond the hype to provide you with expert interviews of the top security researchers, as well as offering the hands-on, nontechnical advice you'll need to stay safe online.
