Category: SAV

McAfee report says: Spam e-mails killing the environment

While I can’t comment on the science behind McAfee’s study, if it’s to be believed, that would make Sendio the single most eco-friendly anti-spam product on the planet!

Hot off the digital presses… Spam e-mails killing the environment, McAfee report says

McAfee’s Avert Labs recently reported the significant impact that spam is having, not just on our inboxes, but on the environment. The novelty of this angle aside, shouldn’t people be asking themselves how it is possible that this problem has been allowed to get so bad? Let’s assume we like the idea of elevating spam to a place where it is considered to be an environmental hazard (I think it’s even worse, more like an environmental disaster, but the promotion is long overdue). Clearly, the time has come to ask “who has been asleep at the switch?”

Back in the 1970s it became obvious that air pollution was caused, to a large extent, by exhaust from automobiles and trucks. Once this fact had been established, the question became… “What are we going to do about it?” If air pollution had been addressed like email pollution, we would have simply trusted the auto manufacturers to make things better. In light of today’s study from McAfee, I think it is safe to say that anti-spam filters = auto manufacturers. While the automobile industry has certainly made great strides in the areas of fuel efficiency and emissions, they have never come close to getting ahead of the curve or actually fixing the problem.

Just like the US auto industry has failed to keep pace, from an innovation perspective, with their competitors around the globe, the developers of anti-spam filtering technologies have, obviously, failed to keep pace with spammers. As Albert Einstein said, “The definition of insanity is doing the same things, over and over again, expecting different results.” Like the US auto industry, the US anti-spam filtering industry is bloated, stuck in the past, is stagnant, and is losing the arms race to the bad guys.

Fortunately for us, the challenge to improve air quality was not simply “trusted,” or handed-over, to the auto industry alone. We realized that individuals needed to get involved. We, the people, needed to make changes to the way we did/do things. We came to understand that to help ourselves we needed to actively engage; not simply sit back and hope some passive system would make everything better.

The time has come, once and for all, for “we the people” to take a stand against spam! Clearly, the mammoth companies, like McAfee, Cisco, Symantec, Google, Barracuda Networks, etc., that make anti-spam filtering tools have failed to save our environment from this polluting scourge. If we, as individuals and collectively as businesses, don’t start looking beyond the status quo with respect to failed anti-spam filtering, we are not only going to lose e-mail as a tool, we are going to hasten the deterioration of our physical environment.

Sendio in the Boston Globe

It’s not much, but we did get a mention in the Boston Globe:

http://www.boston.com/business/technology/articles/2009/04/11/filters_getting_better_at_blocking_spam/?page=2

Other companies, like Sendio Inc. in Irvine, Calif., and Spam Arrest LLC of Seattle, use a “challenge-response” technique. Send an e-mail to a challenge-response user and you’ll get an automated reply, asking you to type in some words or numbers. This will prove your e-mail came from a human being and not a spam-spewing computer. If you send the correct reply, all your future messages are delivered immediately, but spam messages can’t get through.

For the record… Sendio’s sender address verification technology (SAV), also known generically as challenge response, DOES NOT require anyone to “…type in some words or numbers.” Our technology requires a simple “REPLY & SEND,” and ONLY in the case where the sender is completely unknown to the intended recipient. For example, anyone I send an e-mail to is automatically added to my personal accept-list and thus is NEVER subjected to the address verification process.
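A minimal model of the sender address verification flow described above, added here as an illustration; it is not Sendio's code. The class and method names and the HMAC-based challenge token are assumptions, and the addresses are constructed.

```python
import hashlib
import hmac
import secrets

class SavGateway:
    """Toy sender-address-verification gate for one mailbox (hypothetical names)."""

    def __init__(self):
        self.key = secrets.token_bytes(32)  # secret that binds a challenge to one sender
        self.accept = set()                 # addresses already known or verified
        self.held = {}                      # unknown sender -> messages waiting on a reply
        self.inbox = []                     # delivered (sender, body) pairs

    @staticmethod
    def _norm(addr):
        return addr.strip().lower()

    def _token(self, sender):
        return hmac.new(self.key, sender.encode(), hashlib.sha256).hexdigest()

    def send(self, recipient):
        """Outbound mail: whoever the owner writes to joins the accept-list."""
        self.accept.add(self._norm(recipient))

    def receive(self, sender, body):
        """Deliver mail from known senders; hold the rest and return a challenge token."""
        sender = self._norm(sender)
        if sender in self.accept:
            self.inbox.append((sender, body))
            return None
        first_contact = sender not in self.held
        self.held.setdefault(sender, []).append(body)
        # One challenge per unknown sender; later messages just join the hold queue.
        return self._token(sender) if first_contact else None

    def reply(self, sender, token):
        """The sender replied to the challenge: check the token, release held mail."""
        sender = self._norm(sender)
        expected = self._token(sender).encode()
        if sender not in self.held or not hmac.compare_digest(token.encode(), expected):
            return False
        self.accept.add(sender)
        self.inbox.extend((sender, body) for body in self.held.pop(sender))
        return True

if __name__ == "__main__":  # constructed addresses
    gw = SavGateway()
    token = gw.receive("stranger@example.net", "hello")
    print(gw.inbox, gw.reply("stranger@example.net", token), gw.inbox)
```

Mail from a sender who never answers the challenge stays in `held` and never reaches `inbox`; a real deployment would also expire held messages.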

What’s up with “scareware?”

Fear is used, universally, as a means to control people. Governments use it. Large businesses use it. So it should come as no surprise to anyone that “cyber bad guys” use it. Why do they use fear? Because it is effective!

I often ask myself who comes up with terms like “scareware?” Talk about a self-fulfilling prophecy.

“Scareware” is, at its core, a Trojan horse. In most cases, the “malicious security software” that plagues computers around the world is willingly installed by the victims themselves. The purveyors of these threats, in many cases, get their victims to pay for the software under the guise that it is, itself, software designed to protect the user.

The easiest and best way for people to avoid falling victim to these types of attacks/threats is to use common sense.

  • Don’t install software unless you can verify its source is legitimate and reputable.
  • Before installing any new software on your computer, make sure your anti-virus software is enabled and its definitions are up-to-date.
  • Whatever you do, don’t disable your anti-virus software. No legitimate software should ever require such an action.
  • Finally, before installing any new software, make sure your important files have been backed up to a location off your computer.

In the end, even people who follow all the best security practices sometimes still get hurt by malicious software. However, by following the 4 steps mentioned above, your risk of getting burned is greatly reduced, and even if you do get burned, at least you will not lose your data.

Spam in the Neighborhood

http://securitywatch.eweek.com/spam/spam_in_the_neighborhood.html

“Among others, experts at messaging security vendor Sendio have called out the recent trend toward local spam campaigns. In a recent research summary, the company’s CTO, Tal Golan, highlighted the use of methods including the spoofing of local news events, and regional news portal domains, to convince people to click on the (frequently malware-infected) URLs that spammers are trying to pawn off on them.”

Google: Spammers Rally Back From McColo Shutdown

http://www.eweek.com/c/a/Security/Google-Spammers-Rally-Back-From-McColo-Shutdown-639980/

“Location-based spam is the latest technique being used by ‘bad guys’ to increase the likelihood that an unsuspecting victim will not only read their message, but will actually click one of the links in the message,” explained Tal Golan, CTO of e-mail security firm Sendio. “This new methodology is the next salvo in the spam arms race, but is really just an extension of the ‘social engineering’ threat vector that has become so popular and effective in the last three years.”

Location Based Spam

Location-based spam is the latest technique being used by “bad guys” to increase the likelihood that an unsuspecting victim will not only read their message, but will actually click one of the links in the message. This new methodology is the next salvo in the spam arms race, but is really just an extension of the “social engineering” threat vector that has become so popular and effective in the last 3 years.

Here is how this works…

Thanks to IP address-based geolocation (see http://en.wikipedia.org/wiki/Geolocation_software), it is a trivial exercise for a bad guy to determine, with a surprisingly high degree of accuracy, the physical location where a company or organization’s email server is hosted. With this information in hand, the spammer has enough information to design a targeted attack.

For example:

Let’s assume you work for Google. Using a simple IP check, the spammer can determine that one of Google’s email servers has the IP address 74.125.67.100. Thanks to IP-based geolocation (http://www.ip2location.com/free.asp), the location of this IP address can easily be determined to be in Mountain View, CA.

Using this data, the spammer will then query the website of a local newspaper, in this case the San Jose Mercury News, and will pick a local “hot topic” headline to be used as the subject for the message.

Finally, the spammer will extract actual content from the news, insert it into the spam message, and include links that appear to provide the recipient with more information about the topic, but are actually links to dangerous, threat-laden web sites. Unfortunately, socially engineered attacks, specifically those using location, are proving to be highly effective at soliciting the all-important “click” from the unsuspecting victim.

At Sendio we have seen all types of social-engineering-based attacks increasing steadily. While it is difficult to determine exact figures, our best estimates place socially engineered location-based attacks between 10% and 30% of all unsolicited email.

What effect did the November 2008 “McColo” shutdown have on spam (http://www.securityfocus.com/brief/855)?

The McColo shutdown had a measurable impact, but Sendio’s customers, the vast majority of whom are small, medium and large enterprises, did not see anywhere near as dramatic a change as the major free email providers (Gmail, Yahoo, AOL, MSN, etc.). The levels of spam/UCE have, based on our estimates, moved beyond the level seen immediately prior to the McColo shutdown.

As we have seen over the course of the last 6+ years, the bad guys are extremely well organized, motivated, and appear to be well funded. Unfortunately, thanks to the reactive nature of the current status quo spam countermeasures, the arms race continues in favor of the bad guys.

Here comes “Conficker”

I just read the following article…

Computer Virus ‘Time Bomb’ Could Go Off April 1
http://www.foxnews.com/story/0,2933,510296,00.html

My thoughts…

The Internet is a dangerous place. It seems highly likely that “Conficker” is going to do something, and it should be of great concern to everyone, but particularly IT people, that we know about this worm, but still have no idea what it is designed to do. Talk about a weakness of the “filtering” mentality. Don’t forget… It is nearly impossible to filter for something that is not yet known.

With history as our guide, it is highly likely this worm will include an e-mail based component. The bad news for people who are protected by current anti-spam filtering technologies is that they will be left virtually naked until the worm actually starts working. Only then will the developers of the filters be able to design rule sets to deal with the worm. This is the definition of being reactive. In addition, once the rule sets are defined, they do no good until they are pushed out (deployed).

It would not surprise me if we saw an exponential increase in threat-laden email when this worm comes to life. However, I do not think the people that design these sorts of worms are targeting the email infrastructure. I believe email is used as a virtual “smoke screen” these days. This virtual “smoke screen” is used to mask the real targets of the worm or virus.

In Search of… A definition for e-mail spam

According to Wikipedia, e-mail spam is defined as follows:

“E-mail spam, also known as unsolicited bulk Email (UBE) or unsolicited commercial email (UCE), is the practice of sending unwanted e-mail messages, frequently with commercial content, in large quantities to an indiscriminate set of recipients. (http://en.wikipedia.org/wiki/Spam_(electronic)#E-mail_spam)”

This definition is okay, but is overly broad. I would like to propose the “Triangle of Spam” in an effort to more accurately define the problem.

Simply put, for any piece of e-mail to be considered “spam” it must be unsolicited, anonymous, and high volume. If any one (or more) of these characteristics is not met, the e-mail can be considered unwanted, but is not “spam.”

It is important to distinguish between “spam” and simply unwanted e-mail. For example, are “Lowest Fare” updates from United Airlines spam or, in my case, simply unwanted (I never fly United)? While I’m sure I did fly United at some point in the distant past, I certainly do not plan on flying United anytime soon. Technically speaking, United has the right, by virtue of our “previous business relationship,” to send me these updates. However, in my particular case, these are absolutely unwanted e-mails, but they cannot (or should not) be considered spam.

I am very interested to hear what other people think of the “Triangle of Spam.”

E-mail… By the people. For the people.

For e-mail to continue as the Internet’s “killer app” there is no question the issue of security, or with e-mail, the lack of security, needs to be addressed. The key to solving the security problem lies in the recognition that human interaction is a key component of the email process. I realize this seems obvious, but for some reason we have “missed the forest because of the trees” when it comes to e-mail security.

In the final analysis, no one is better able to determine what email you want to receive than you. In addition, the concepts of privacy and security, though completely missing from email, have been incorporated into all modern communications tools. The best examples are Instant Messaging (IM) and social networks (Facebook, MySpace, LinkedIn, etc.). Simply put, if I want to add someone to my Facebook network, I need to ask for their specific permission. If I want to send someone an instant message using Gtalk, I need to ask for their specific permission before I am permitted to send even a single message; the exact same process applies to Yahoo, MSN, AOL, etc. Not to oversimplify, but it would not be wrong to summarize that Sendio has succeeded at bringing email up to a level of security commensurate with other modern communications tools. Our “radical” improvement comes from our realization that human interaction is the lost key to safer, more secure and efficient email.

Does this “radical” thinking represent a paradigm shift?

The Sendio approach to email security is more a paradigm extension than a shift. We have all become very comfortable with caller-id on our cell phones and have embraced the verification steps required to participate in social networks. As demonstrated by the rapid adoption of Instant Messaging and SMS “texting,” it is clear that people have no problem with the concept of senders authenticating themselves; no one complains or worries about sender authentication for chat rooms or on-line forums. Therefore, we see little or no pushback when this level of security is added to email. I believe the challenge before us today is not shifting people’s paradigms, but helping them connect the dots. Because of email’s importance within the fabric of business, it is no wonder that people are very “touchy” about the process. What we need to do is help people see that we have done nothing more, or less, than bring email “up-to-speed” with current technologies.