Domain: castlecops.com
Stories and comments across the archive that link to castlecops.com.
Comments · 29
-
Lack of funding for spam fighters
This doesn't surprise me since services like CastleCops, which were a serious pain in the ass for spammers, were closed down due to lack of funding and massive DDOS attacks they could not withstand with their budgets.
The big ones do not care - I've tried to get Google interested in cooperating with CastleCops (to receive sample spam message feeds), but they saw no business case in that for them.
Now the GMail accounts are getting more and more spam that passes Google's filters and there seems to be no hope of improvement in the near future.
-
Re:I wrote the release...
Well false positives could be minimized by applying some sort of "tenure score" to all GMail accounts - the older an account and the more legitimate mail it has emitted, the more trustworthy it is and this contributes to a "whitelist" score on the filters (both outgoing and internal GMail -> GMail).
Recently created "throw-away" accounts would start with a low score and their outgoing mail would be much more likely to trigger blocking, provided that it also scores on some spam characteristics. I think that legal initial activity on webmail accounts can be identified and contribute to whitelisting too - after all, users often send "test" messages to their other accounts or their friends after they open a new account, while the spammers go right to mass sending.
Which gives me another idea. I understand that the spammers make a large number of new accounts and not necessarily send large amounts of messages from a single one. However, they probably send massive amounts of nearly identical messages from different throw-away accounts. I think that GMail could try to correlate this data (e.g. using some message fingerprinting techniques similar to Pyzor/Vipul's Razor) and identify not single accounts that send out spam, but entire spam account clusters operated by single spammers at once!
Heck, this could be improved even further by buffering suspect outgoing messages and delaying sending them to external systems a couple of seconds (e.g. half a minute) in order to try to detect whether there are more of them coming from other accounts as part of a larger campaign. The system could hash, group, count and sum their amounts to decide whether this is actually a spam mass mailing. It would then bounce them, then start refusing to accept everything that looks the same, right at the sender (in the initial SMTP session from the MUA or in the web UI). This way some spam would not only be identified, but successfully learnt automatically by the whole system, and rejected from now on.
Of course, not working at Google, I can only speculate, they probably are doing all this, yet still it's not enough.
Well, they could try cooperating with some spam-fighting and anti-phishing communities (like the underfunded, yet still effective "pain in the phishers' ass" CastleCops). Actually, I've suggested this to a colleague who works at Google and he suggested that to someone else, but it seems the idea didn't catch on then. Maybe Google should realize by now that even they cannot beat the spam problem all by themselves?
There are lots of ideas I think that would make GMail's spam filters much more effective. After all, being such an integrated service and having such an efficient infrastructure, they have lots of useful data and mechanisms at their disposal.
-
Re:Kevin Hazard? Was JUST speaking 2 his subadmins
I was just speaking with Mark Causa, a forums admin of his, this weekend in fact!
(Kevin Hazard's their "SUPER ADMIN" in fact).
(It was in regards to an "IPS Driver Error" I was CONSTANTLY seeing on a posting of mine there, in an attempt to update/edit it, on THEPLANET's forums (in regards to securing Windows))...
WoW! I was trying to point them to security issues too... & they were VERY helpful guys too, trying to help ME out (& going overboard imo in some ways)
I was also today, in fact, prior to seeing this - going to note they were being listed as a site that had problems with hacker/cracker types abusing them as well, per one of these sites:
http://www.castlecops.com/
http://mtc.sri.com/
http://www.spamhaus.org/sbl/latest.lasso
http://www.phishtank.com/
(or, one of the numerous others I look @ daily, like SANS, PacketStorm, etc.)
They were listing theplanet as being abused etc. the past few weeks now in fact, by hacker/cracker/spammer types.
APK
P.S.=> I doubt this is due to "hacker/crackers" though, personally... just bad setup in the server room! apk
-
Re:General problem of spam with Google/Gmail
Move up the spammers' food chain. Take a look at Complainterator which is described in the Spam Wiki at http://spamtrackers.eu/wiki
It's the registrars who have the power to knock hundreds - even thousands - of spam sites off their perches in one shot, and in response to one complaint. You can see its success rate there.
-
May relate to attack c.a. 11 april...
Some more digging and here in mangled form is what I've dug up... The IIS thread in the submitter's post mentions that the site nihaorr1.com was registered 11 april. Interestingly, doing some spelunking with google for mangled script injection turned up refs to 414151.com and a script "fjp.js". That led me to a thread here from 11th April which mentions aspder.com . Hmm. There's a pattern here I think.
The real puzzle for me is *why* they haven't fixed the overwrite (unless it's a deliberate way of slowing growth).
Andy
-
Re:after the fact
I agree with you.... In fact I just posted here and asked this question:
If people would start making an effort to use common sense in web surfing, would the need for an anti-virus disappear? Or is it more practical to run an imperfect, bogged-down piece of security software (that really doesn't work too well, judging by my survey of people's computers) so that people can surf without thinking?
-
Re:What are these "ads" you're talking about ?
I skip AdBlock Plus and instead use Proxomitron with the jd5000 filter set. The author of Proxomitron died back in 2004, and the website for jd5000 appears to have expired, but this page seems to be current. Proxomitron not only blocks ads, but also selectively mangles a lot of obnoxious javascript.
-
security researchers and amnesia ..
"In January of 2003, SCADA system computers infected with the Slammer worm caused a blackout at the Davis-Besse power plant in Ohio", Forbes
'The Slammer worm penetrated a private computer network at Ohio's Davis-Besse nuclear power plant in January and disabled a safety monitoring system for nearly five hours'
"Seven months later, another computer virus was widely suspected of preventing the detection of power loss at a plant providing electricity to parts of New York State", Forbes
'TRANSCRIPTS of telephone conversations between utility operators prior to last month's power blackout in the US and Canada'
"Seven months later, another computer virus was widely suspected by security researchers of leading to a power loss at a plant providing electricity to parts of New York State, despite the Nuclear Regulatory Commission's argument that no evidence of virus-involvement was found"
'The task force responsible for investigating the cause of the Aug. 14 blackout that crippled most of the Northeast corridor of the U.S. and parts of Canada concluded that a software failure at FirstEnergy Corp. may have contributed significantly to the outage'
'On the day of the blackout, Blaster degraded the performance of several communications lines linking key data centers used by utility companies to manage the power grid, the sources confirmed'
-
Re:Blacklists don't work any more.
It seems the blacklist would work perfectly if nationalcity.com.userpro.io, or just userpro.io was blocked.
Notice that they're using "userpro.tw" and "directories.io" as well. And "prouserbase.tw", "udll.tw", "usersetup.io", "kloot.hk", and more. That phish operation has a domain farm with hundreds of domains known, and probably many more that haven't been reported yet.
CastleCops identifies this as a botnet. One that buys domains with stolen credit card numbers.
-
one word: reset5
I'll grant you that it seems unlikely today that Microsoft won't be there in a few years, but will they activate an XP installation?
reset5 be with you.
-
Re:So?
Actually the matrix thing was cool because it was an actual hack (real tools, real commands, etc).
-
Fried Phish (PIRT)
You could also send the info to the site below. I've been sending them a lot of my email phish and they seem to be pretty active in getting sites taken down. Thank goodness! My Dad had a PayPal phish the other day that said something like "confirm you submitted this payment blahblah" for some item he hadn't actually bought. The scary thing was, the phish email actually had his real name in it. Luckily, the phish site had already been taken down when he tried to go to it to give them his PayPal info...
http://www.castlecops.com/pirt
"PIRT Squad Fried Phish(TM) Phishing Incident Reporting and Termination (PIRT) Squad
A global phishing termination operation launched by CastleCops and Sunbelt Software, the volunteer PIRT Squad is comprised of folks who report phish, investigate phish, and actively work on phish takedown and termination (original concept by Robin Laudanski). PIRT is funded by CastleCops. Become a PIRT Squad terminator by reporting phish today!"
-
Re:Have you not heard of SpamCop Quick Reports?
Quick guide to SpamCop Quick Reporting
There is a good description of the process for setting up Quick Reporting in SpamCop, and the pros and cons, at the CastleCops site.
-
Also relevant:
http://castlecops.com/postitle156112-0-0-.html c/o digg.com
-
An Open Source Bluefrog
Some folks have decided to continue where blue security left off - apparently they recently also got the source code (and presumably best wishes) from blue
-
reincarnation?
According to this the blue frog model will be open sourced as a peer-to-peer model available through sourceforge.net.
-
Urgent Recommendation, Remove BF Now!
Terry Bowden, from CastleCops, warned: My urgent recommendation. Remove the Blue Frog Application NOW. We have witnessed the destruction of Blue Security from a wave of different attacks. First the spam wave, second the DDOS wave. There is a strong reason to believe that the third wave takes control of the frog to launch both spam attacks and DDOS attacks. http://castlecops.com/modules.php?name=Forums&file=viewtopic&p=768501/
-
Slashdot army unite!
This ferocious attack on Blue Security as well as Typepad and TUCOWS is proof that Blue Security's tactics are working. Spammers are scared to death of Blue Frog because it forces them to comply with the spirit of CANSPAM (since it is worthless in practise). They are so desperate that they are damaging the internet backbone to slightly increase the limited time that spam will be profitable.
Do not listen to FUD-spreading ignoramuses who will no doubt leave many /. comments urging you to stay away from Blue Frog. Spammers do not have Blue Security's member lists - they are simply DIFFing their entire lists with the opt-outs sent by Blue Frog and sharing their filters with the "mailer community". Yes, some members (not me) have been threatened with, and temporarily received, more spam. However, this can't last since spammers who do this are simply fighting fire with gasoline! The more spam Blue Frog users get, the more opt-outs the spammer and client receive which costs them time and money! Plus, regarding threats to leave Blue Frog, does it make sense that a spammer would remove ANY working email address for ANY reason?
Who do you trust to solve your spam problem? Microsoft? Your government? If they really cared, wouldn't the problem have been solved long before spam encompassed 90% of all email? Blue Security offers a realistic, fair, assertive, and EFFECTIVE means of hitting spammers where it hurts - in the database and in the pocketbook. They need your help to make spam an unprofitable, inconvenient vehicle for advertisers.
I urge each and every /.er to sign up for a Blue Frog account RIGHT NOW (or whenever they're not getting DOSed) and simply forward your spam to yourusername@reports.bluesecurity.com. You can wait a day or two and send many spams as attachments in one email, or you can let the resident client do it for you. It's so easy and the headlines prove that it really does make a difference.
Spammers are childishly thrashing around the internet like a bull in a china shop, having a flailing temper tantrum because people dare to stand up for their privacy. It is the duty of /.ers, as an informed userbase, to stand up for those internet users who don't know how to stand up for themselves.
We have the numbers and the motivation. Aren't you sick and tired of these rich criminals wasting our time, defrauding our elders, and endangering our children day after day? If we stand together, just as the spammers stand together to attack Blue Security, then we WILL win.
Sign up for a Blue Frog account ASAP and encourage your friends and family to do the same, as I have. And if you think it's possible to reason with spammers, check out this CastleCops forum thread that shows inside conversations from a spammer message board.
-
Re:When searching anonymously...
The US government has a long history of supporting anonymous proxies. They opened up one many years back and ran it for a while. It shut down. We found out it was CIA run I believe, and they then went after child porn abusers.
I forget the name of the website they used. It has been years ago.
I think this article is what I am talking about;
http://groups.google.com/group/alt.fan.jai-maharaj/browse_frm/thread/b8c7111cec05014a/347138f9f5be3ce2?lnk=st&q=anonymous+web+sting+internet&rnum=6&hl=en#347138f9f5be3ce2
Read that article all the way through. Now read what they are doing today. They are up to the same tricks.
Articles of US supporting anonymous proxy;
http://www.theregister.co.uk/2003/08/29/us_sponsors_anonymiser_if_you/
Read what this says about that service;
http://www.infoanarchy.org/wiki/index.php/Anonymity
Other articles of what they do;
http://castlecops.com/a4498-Police_to_Launch_International_Cyber_Child_Porn_Sting.html
I have children. I am in no way supporting any of these illegal activities. My concern is that the US is looking more and more like the USSR looked in the 80's. And my public education taught me to despise a country where you had to have your papers with you at all times, a country where you had to be careful what you said because you may get reported and taken away to far away prisons where you had no trial.
Doesn't that sound like where President Bush is leading us? And I voted for him twice. Thank God he can't be re-elected. Things will get better.
-
Re:What is it exactly?
In this case, anti-virus software found it. This was posted on August, a bit before Mark posted his article. http://castlecops.com/postp611852.html
-
Use a proxy filter
You should use a browser-independent proxy filter like Privoxy or Proxomitron (on Windows), with the JD5000 filter set, as it is a client-side HTTP proxy and will work well with any browser.
-
Re:Sorry for the flamebait but
From:
HERE
"ABOUT THE AUTHOR:
Jonathan A. Zdziarski has been fighting spam for eight years, and has spent a significant portion of the past two years working on the next generation spam filter DSPAM. His research in algorithmic theory and neural networking has led to the development of many new approaches in language classification, and he has played a key role in designing some popular algorithms in use today, including Message Inoculation, Bayesian Noise Reduction, and the first functional Neural Networking algorithm for spam filters. Zdziarski lectures widely on the topic of spam and was a speaker at the 2004 and 2005 MIT Spam Conference."
-
Bah
Your comment is stupid.
microsoft's freakin' tool gets pushed at you every time you visit windows update.
MS has, for all intents and purposes bundled their anti-spyware tool with windows.
The point is that the integrity of the tool is being compromised by MS's business decisions and not by any legitimate criteria.
Not like Ad-Aware is immune to criticism
-
Educators fund Intermix
In a very revealing article, it has been found that at least three educational retirement funds are invested with Intermix:
http://castlecops.com/article-5943-nested-0-0.html
TIAA-CREF
CALIFORNIA STATE TEACHERS RET SYS
NEW YORK ST TCHR RTRMT
-
Re:The story says it all
I know how people hate to hear this, but if you don't commit the crime, you won't be hunted down.
Stop and think for a moment about your statement. You know that people hate to hear this. Did you ever wonder _why_? It's for the same reason that people hate the phrase "innocent people have nothing to fear from the police".
Police make mistakes; innocent people have served time. The police at least try their best to ascertain guilt.
The MPAA/RIAA make no such attempts. They have filed suits against dead people, much less innocent ones. A lawsuit that goes to court at all already amounts to complete financial ruin for most people, regardless of the final verdict. Now you can go to jail for the crime of not being able to afford to fight your case in court.
The most amusing thing about all of this is that these infringements are already covered by copyright law. This legislation has no reason to exist other than as a scare tactic. It would have been cheaper (senators are expensive, after all) and probably more effective to put up posters saying "Don't share pre-releases or we'll send Guido over to break your kneecaps."
-
Re:The question every firefox user is asking
For adblocking, you should try Proxomitron. I've found this to be a god-send for browsing - blocks ads, popups, etc, etc. Plus, the blocklists are constantly being updated by dedicated users, and can be found at CastleCops. For Linux, try Privoxy.
-
Try my filter set - three days old
Have a look here:
http://castlecops.com/postt79253.html
Proxomitron the APP isn't being developed, but that's because the author died a couple of years ago. There are moves to remake it in open source:
http://proximodo.sourceforge.net/
However, none of that is the point.
Think of Proxomitron as an underlying technology which doesn't alter.
What alters is the filtersets, and those are bang up to date and constantly being refined.
So download Proxomitron, install a current filterset, and enjoy the web without all the crud from here on in.
-
Re:Other methods
Don't use the standard Proxomitron filter set. I recommend using Grypen or JD5000 alpha here.
-
No need for alarm
Contradicting the article's claim that the industry isn't standing up to these guys, it's nice to see that CastleCops have themselves retained counsel, and their rebuttal http://castlecops.com/article-5765-nested-0-0.html doesn't pull any punches.