Slashdot Mirror


Spam Hits Its Highest Level Since 2010 (networkworld.com)

Long-time Slashdot reader coondoggie quotes Network World: Spam is back in a big way -- levels that have not been seen since 2010 in fact. That's according to a blog post from Cisco Talos that stated the main culprit of the increase is largely the handiwork of the Necurs botnet... "Many of the host IPs sending Necurs' spam have been infected for more than two years.

"To help keep the full scope of the botnet hidden, Necurs will only send spam from a subset of its minions... This greatly complicates the job of security personnel who respond to spam attacks, because while they may believe the offending host was subsequently found and cleaned up, the reality is that the miscreants behind Necurs are just biding their time, and suddenly the spam starts all over again."

Before this year, the SpamCop Block List was under 200,000 IP addresses, but surged to over 450,000 addresses by the end of August. Interestingly, Proofpoint reported that between June and July, Donald Trump's name appeared in 169 times more spam emails than Hillary Clinton's.
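The "biding their time" pattern the Talos quote describes (hosts that spam, go quiet for months, then resume) can be surfaced from a mail server's own reject logs. The script below is an added example, not part of the story or the Talos post; the log format, the entries and the function names (`parse_events`, `dormant_returners`) are constructed for illustration.

```python
"""Flag sending IPs that went quiet for a long time and then resumed.

Added example (not from Network World or Cisco Talos). Assumes a log with
one rejection per line in the constructed format:
    <ISO timestamp> reject <client IP>
An IP is flagged when its first and last sightings are far apart AND its
timeline contains a long silent gap, i.e. it was "cleaned" only in
appearance and came back, the pattern the Talos quote describes.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (documentation IP ranges, not real hosts).
SAMPLE_LOG = """\
2014-06-03T10:12:00 reject 198.51.100.7
2014-06-04T09:40:00 reject 198.51.100.7
2016-08-21T11:05:00 reject 198.51.100.7
2016-08-22T11:07:00 reject 198.51.100.7
2016-08-20T03:00:00 reject 203.0.113.9
2016-08-21T03:00:00 reject 203.0.113.9
2016-08-22T03:00:00 reject 203.0.113.9
2015-01-10T12:00:00 reject 192.0.2.44
2015-07-10T12:00:00 reject 192.0.2.44
"""


def parse_events(text):
    """Return {ip: sorted list of datetimes} from the constructed log format."""
    seen = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1] != "reject":
            continue  # skip malformed lines instead of aborting the run
        seen[parts[2]].append(datetime.fromisoformat(parts[0]))
    for ip in seen:
        seen[ip].sort()
    return dict(seen)


def dormant_returners(events, min_gap=timedelta(days=180),
                      min_age=timedelta(days=365)):
    """IPs whose history spans at least min_age and contains a silent
    period of at least min_gap between two consecutive sightings.

    Returns {ip: (first_seen, longest_gap, last_seen)}.
    """
    out = {}
    for ip, times in events.items():
        if len(times) < 2:
            continue
        longest = max(b - a for a, b in zip(times, times[1:]))
        age = times[-1] - times[0]
        if age >= min_age and longest >= min_gap:
            out[ip] = (times[0], longest, times[-1])
    return out


if __name__ == "__main__":
    hits = dormant_returners(parse_events(SAMPLE_LOG))
    for ip, (first, gap, last) in sorted(hits.items()):
        print(f"{ip}: first seen {first:%Y-%m-%d}, silent {gap.days} days, "
              f"back on {last:%Y-%m-%d}")
```

The thresholds are deliberately parameters: a host silent for six months that reappears after two years is worth an abuse report to its network even if it was "cleaned up" once already.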

47 comments

  1. Perhaps more likely to click by dmewhort · · Score: 1

    Given that it takes such a low takeup rate to make spam profitable, perhaps there is a slightly larger chance that a Trump supporter would click through and they are upping their profits that way.

    1. Re:Perhaps more likely to click by plover · · Score: 2

      Proofpoint is studying election related phishing attacks, not generic spam. The ratio may be an indicator that the attackers expect Trump supporters to be far more gullible than Clinton supporters.

      --
      John
    2. Re: Perhaps more likely to click by Anonymous Coward · · Score: 1

      I figured it was because few really care what Clinton has to say while many wonder who is going to be offended by something Trump said now.

    3. Re:Perhaps more likely to click by Anonymous Coward · · Score: 0

      "The ratio may be an indicator that the attackers expect Trump supporters to be far more gullible than Clinton supporters."
      There is certainly that, and the fact of course that Necurs only infects Windows machines...
      A Two-For-One Sucker Punch.

    4. Re:Perhaps more likely to click by Anonymous Coward · · Score: 0

      Of course. Drumpf supporters are demonstrably idiots, they'd certainly be far more susceptible to buying things from spam.

    5. Re:Perhaps more likely to click by GrandCow · · Score: 1

      Not that I am pro-Trump, but just because his name is in the email doesn't mean it's a Trump supporting email. It could just as easily be anti-Trump spam.

      --
      "Well kids, you tried your best, and you failed. The lesson is, never try." -Homer Simpson
  2. Trump & spam by Zocalo · · Score: 2

    Donald Trump's name appeared in 169 times more spam emails than Hillary Clinton's.

    Can't say I'm at all surprised by that. I've been getting a steady stream of what appear to be genuine emails from the Trump campaign (all the links are to legit Trump and GOP domains, plus a few MSM ones) asking for donations for a few weeks now. There's a whole bunch of problems with that, other than it being UBE - I'm a British citizen so I don't think Trump can legally accept my donation anyway; several of the domains involved are within the .uk ccTLD; and the addresses concerned are all (and always have been) spam traps. And yes, I have been forwarding them all to the FEC.

    Seriously, Donald, if you're going to let your campaign team buy email lists from who-knows-where and spam the shit out of them, they could at least do some basic list washing first - it's starting to look like Hillary isn't the only one with an incompetent email admin team...

    --
    UNIX? They're not even circumcised! Savages!
    1. Re:Trump & spam by Tehrasha · · Score: 1
      Sounds like someone signed you up to a political list.

      The amount of legitimate political email I have received this season is ZERO.

    2. Re:Trump & spam by tomhath · · Score: 1

      The spam isn't coming from either candidate's team. They're phishing attacks.

    3. Re:Trump & spam by ShanghaiBill · · Score: 1

      The spam isn't coming from either candidate's team. They're phishing attacks.

      ... and the reason they mention Trump is as a dumbness filter.

      Did you know that most "Nigerian" spam doesn't actually come from Nigeria? The reason the spammers mention Nigeria is to make it so obvious that it is fraud that only the stupidest of the stupid respond. If they sucker in someone with half a brain, then it is likely that person will eventually suspect something and balk at wiring the money, thus wasting their time. So they only want people with no sense at all.

      Trump supporters have already shown themselves to be easily conned, and incapable of rational thinking, so they should be relatively easy marks for scammers.

    4. Re:Trump & spam by ShanghaiBill · · Score: 1

      Did you know that most "Nigerian" spam doesn't actually come from Nigeria?

      Here is an article that explains the strategy of making spam look like obvious spam. Not only do spammers explicitly mention Nigeria, they also intentionally use bad spelling and bizarre capitalization. All this is designed to weed out sensible people, so they can focus their efforts on only the most credulous respondents.

      For spammers, "Trump" is the new Nigeria.

    5. Re:Trump & spam by Zocalo · · Score: 2

      I'm sure there's a lot of election related phishing out there too, and I've got lots of examples of that too, but as I noted all of this is pointed entirely at genuine Trump/GOP domains with a few MSM ones thrown in for citations; it's almost certainly genuine campaign spam from Trump or one of his supporters acting (possibly independently) on his behalf - there are no dodgy domains at all (unless you want to count Fox News), including in the mail headers, which are from a legit ESP. They're also hitting spamtraps that go back years (some were only ever seeded on Usenet over a decade ago) so either someone in Trump's campaign, officially or otherwise, has been buying really low quality mailing lists, or someone has fed them a bunch of email addresses from them.

      --
      UNIX? They're not even circumcised! Savages!
    6. Re: Trump & spam by Anonymous Coward · · Score: 0

      Not necessarily. Trump's campaign has been caught soliciting via emails to foreign government officials which is highly illegal. Someone in Trump's campaign isn't scrubbing their email list to only US addresses.

  3. Let's have some fun by whoever57 · · Score: 1
    Let's have some fun with this statement:

    Proofpoint reported that between June and July, Donald Trump's name appeared in 169 times more spam emails than Hillary Clinton's.

    Possible causes:

    Spammers think Trump supporters more likely to fall for scam?

    Trump actually spamming?

    Clinton spamming and using Trump name in spam to alienate possible voters?

    --
    The real "Libtards" are the Libertarians!
    1. Re:Let's have some fun by Tehrasha · · Score: 1

      Clickbait. I have seen several spams with a subject line similar to 'Did Donald Trump just win the election?' with a payload that contains absolutely zero content associated with the subject.

    2. Re:Let's have some fun by Anonymous Coward · · Score: 0

      4) Spammers conclude (based on earlier attempts) that there is no enthusiasm for Clinton

  4. let me paraphrase... by Anonymous Coward · · Score: 0

    This greatly complicates the job of security personnel who respond to spam attacks, because while they may believe the offending host was subsequently found and cleaned up, the reality is that the miscreants behind Necurs are just biding their time, and suddenly the spam starts all over again."

    Where can I buy one of those fun "jump to conclusions" home games? This summary boils down to "people society thought were smart, and talked like they were smart, actually weren't smart". Hire new security professionals that don't jump to conclusions so quickly. That sounds like step number one.

    The real question is what percentage of those offending hosts had ISPs that (a) were notified of malicious traffic emanating from their networks, and (b) notified the subscriber/owner-of-the-host-in-question. I'm guessing the percentage is real fucking low. That is the real problem. The right solution further involves the ISP requiring that the subscriber explain to them how they fixed the problem in order to justify re-activating their access. Do the math, do the work, put in the elbow grease. There are no magic short cuts.

  5. Could this be FUD? by swell · · Score: 1

    I don't believe there's an increase. My ten plus mailboxes get a total of 10 spams per week. Same or less than they got in the last century. Of the 10 spams, roughly 2 are from an annoying friend, 2 are from Trump affiliates, 2 have Chinese looking script, 3 are from small businesses. Most are the result of legitimate attempts to communicate but a typo in the address got me involved.

    If I owned an internet security business, I suppose I'd want people panicking about spam or viruses. Could this be FUD?

    --
    ...omphaloskepsis often...
    1. Re:Could this be FUD? by jtownatpunk.net · · Score: 1

      You don't see it because the spam gets filtered, not because the spam doesn't exist. And most of it doesn't even make it to your spam folder these days. It gets filtered at the edge before it even comes into your mail system. But I shouldn't have to explain that to someone with an ID lower than mine. Come on.

    2. Re:Could this be FUD? by Zocalo · · Score: 1

      Most people don't get an unfiltered email feed any more; your ISP or webmail provider will be rejecting or dumping a lot of the more obvious junk long before it even comes close to your spam folder, let alone your inbox, so unless you are running your own mail server and can see all the inbound email unfiltered and are monitoring SMTP rejects it's much harder to tell. Cisco Talos is essentially going to be using the SpamCop feed and traps to make their assessments, so they have access to a *lot* of "raw" SMTP traffic on which to base their judgement. I only run a relatively small number of spam traps to get some spam for teaching Bayes because my MTA level filtering blocks out upwards of 90% of the crap before it even gets to SpamAssassin so there's a larger margin of error and not the >100% rise Talos is seeing, but even so I'm seeing a sharp uptick in volume and a lot more port scanning for SMTP servers than has been the case for quite some time.

      --
      UNIX? They're not even circumcised! Savages!
    3. Re:Could this be FUD? by Anonymous Coward · · Score: 0

      > I don't believe there's an increase.

      I tend to agree. Part of my job is maintaining the spam filtering relay at a medium size business and I haven't seen any increase in spam volume.

    4. Re:Could this be FUD? by Anonymous Coward · · Score: 0

      Can't speak for the "Swell" person you are replying to, but I disable all spam filtering at my IMAP provider, who is not my ISP, and still get no spam.

      Of course, I don't do anything too dumb with my address. If I need to sign up for something, I use a throwaway and delete it after. My main email gets no spam because I only give it to family/friends. Accounts that would get spam get deleted right after I used them for whatever I needed it for. I've seen spams on those if I don't delete them soon enough. I thought that throwaways would be common practice in 2016, so spam would be not seen by too many people anymore. Those half billion yahoo accounts had to be SOMETHING :D

    5. Re: Could this be FUD? by Anonymous Coward · · Score: 0

      There has definitely been an increase. I think a big part of the problem is the expected aftermath of TLD expansions. TLDs like .science and .click seem to exist solely for spam. It's easy to block entire TLDs, but they definitely come in cycles where new ones show up that I had no idea existed.

    6. Re:Could this be FUD? by Anonymous Coward · · Score: 0

      Most of the spam I get comes from family/friends who have their address book harvested. I've gone months without spam only to start receiving near identical spam emails after sending an email to a contact.

      It doesn't matter how clean you keep your aliases, if you are sending and receiving email with somebody who has their address book scraped then you *will* receive spam.

    7. Re:Could this be FUD? by Anonymous Coward · · Score: 0

      No, there's definitely an increase... I see tickets for issues with spam all the time as I work in Support for an email security company.

    8. Re:Could this be FUD? by lawaetf1 · · Score: 1

      Could you share some of your MTA rules? I run just vanilla spamassassin (latest version) and I am finding it has become borderline useless.

      --
      CommentBot 0.7a running with args "-module irritate,disagree -target random"
    9. Re:Could this be FUD? by g2255691 · · Score: 1
      No, it's not. This is very true and happening a LOT. I run Sendmail (a mail server, also known as an MTA) on a fairly busy mail service and have ended up using Barracuda Spam Control - https://login.barracudanetwork... to manage the insane amount of spam and virus attacks (PDF files) that I received just in the last few years. We had upwards of 400,000 emails an hour full of PDF laden viruses just last week...

      This is a real-time graph of attacks and mails to our Barracuda Gateway to give you an idea:

      ** You can see countries from where attacks are coming and a little snapshot of mail volume **.

      http://prntscr.com/cmc1wx

      When the mail does hit our MTA, running sendmail, we run it through SA -- which also updates itself automatically (via cron) with **sa-update**.

      Some important notes:

      1) You DO need clamav or else spam will be the last of your worries.... (Also note that clamav is a memory beast). You can also use Symantec but I have completely moved from them to ESET (Desktop) and ClamAV + Barracuda for the rest.

      2) RBLs: we use these (sendmail.mc FEATURE lines):

      FEATURE(dnsbl,`blackholes.mail-abuse.org', ` Mail from $&{client_addr} rejected; see http://mail-abuse.org/cgi-bin/... {client_addr}')dnl
      FEATURE(dnsbl,`dialups.mail-abuse.org', ` Mail from dial-up rejected; see http://mail-abuse.org/dul/endu...
      FEATURE(dnsbl,`zen.spamhaus.org', ` Mail from zen rejected; see https://www.spamhaus.org/zen/'...

      3) Also note that we don't listen on IPv6 even though we serve content on http. The reason (as being discussed in postfix-users, a mailing list for one of the more popular mail servers) is exactly this problem. The increase of IoT devices and proliferation of IPv6 makes it next to impossible to now scan from IPv6 hosts. So as such, we don't. Although Google and Microsoft internally use IPv6 to route emails.

      4) I do not work for Barracuda.

      5) Dyn's transactional email delivery option is really good. And so is Office 365 relay via their MTA (which also adds dkim signatures) and mostly would mean your mail would be delivered.

      Please leave a message here if you want me to look at it.

    10. Re:Could this be FUD? by tijgertje · · Score: 1

      Even with spam filtering off on your account, if the host does SPF checks (https://en.wikipedia.org/wiki/Sender_Policy_Framework), which is most likely, they will filter out 80% of all spam before it even sees a spam filter.

  6. Is it really spam? Or viruses? by ShaunC · · Score: 1

    The graph of subject lines caught my eye while looking at the Talos report. In my own experience, the recent floods of mail with subjects like "Budget report," "Tax invoice," "Scanned document," etc. all arrive with some Windows ransomware variant attached. Not sure I'd really call these spam in the traditional sense. They're unsolicited, of course, but they aren't commercial in nature.

    That aside, I do see an upward trend in UCE. The biggest offenders for me lately are of the boner pill variety, PurpleRhino and Vydox specifically. I'm seeing dozens of these a day to one particular address.

    --
    Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
  7. It's not my email that's getting spam-bombed by Applehu+Akbar · · Score: 1

    Spam filtering on my email is working normally and I'm getting the normal amount of both false-negative (spam that gets through) and false-positive filtering (travel confirmations and bank notices that fall into my spam folder). Now it's the landline that has been spammed out to the extent that we leave it unplugged most of the time. And yes, this year most of it is political.

    Nomorobo.com can save your landline, but it only works for certain carriers.

  8. Suing spammers. by Anonymous Coward · · Score: 0

    It's illegal to send spam. You can sue spammers for the spam they send, considering they are sending evidence of the crime. The law says you can win about $1000 dollars per spam, but usually spammers will settle for a 1/4 of that. I'm not a lawyer, but I do know one that made me as much as I made in a year as a software engineer and all I had to do was give him the password to an old email account.

  9. not surprised by TFlan91 · · Score: 1

    and over that same amount of time we've seen the same increase in VPS's, VM's and personal desktops, thus more targets for bot nets.

    not surprised...

  10. SPAM was solved right? by zbaron · · Score: 1

    Spam Will Be 'Solved' In 2 Years -- Bill Gates, 2004

    If only he'd put a number on a maximum number of emails sent per spammer. 640,000 SPAMs should be enough for anyone!

    1. Re:SPAM was solved right? by nukenerd · · Score: 1

      Funny that on the page you linked there is a pop-up asking for my email address, for no stated reason.

    2. Re:SPAM was solved right? by Not-a-Neg · · Score: 1

      People weren't willing to pay a penny to send e-mail: https://www.cnet.com/forums/di...

      --
      -==- Buy a Mac and leave me alone!
  11. And much of it can be easily blocked by the MTA by Megane · · Score: 1

    Apparently due to the need for cheap domain names, spammers are running their outbound mail configured with cheap TLDs. I suppose they are doing this so that they can have an actual domain name that resolves properly because it's too easy to block an invalid domain name?

    Whatever the reason, if you run your own inbound MTA, a lot of spam can be blocked by simply setting it to discard any mail from these sleazy TLDs, before even reaching the point of doing blackhole list lookup. The worst ones these days are .top and .stream, because apparently you can get a domain for $0.88/mo. Sure, spam still comes in from pwned computers, but a surprising amount comes in from IPs with properly resolving A records, and a surprising amount of that spam comes from TLDs that no sane person would be sending mail from.

    So I guess some good did come out of ICANN getting greedy with selling all those new TLDs after all.

    --
    #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
  12. Coincidentally... by Anonymous Coward · · Score: 0

    This new high intersects with the explosive increase in "sign up for our newsletter" bullshit you find on virtually any site these days.

  13. Political spam != spam by BringsApples · · Score: 1

    It's not spam if it's political, it's just politics. Politics is in itself, pure bullshit, concealed with ...whatever it takes. In this case, emails.

    --
    Politics; n. : A religion whereby man is god.
  14. Spam and Eggs by Anonymous Coward · · Score: 0

    When these people are caught they should just torture them to death, preferably on live PPV.

  15. Live and let spam is EVIL by shanen · · Score: 2

    Do we need to rehash the reasons why? You might not have any sympathy for the suckers, or you might not care about attacks on corporate reputations and customers. You might not have any children for the spammers to target, but in that case I think I should extend my sympathies. You don't care about false positives that lose your actual email and you think your time spent with false negatives is too small to matter (and don't care about the multiplication of that time by the millions). You're still getting victimized by the general inefficiency the spammers impose on everyone. Or perhaps worst of all, the basic spammers create noise that helps mask the serious threats of the serious scammers, such as spear-phishermen and identity thieves.

    It seems like all of the big email providers have adopted the motto of "Live and Let Spam." Obviously didn't work for Yahoo, did it? Whatever Microsoft paid for the Hotmail brand must have been written off for similar reasons. The google is the saddest case of all, but perhaps that was just the generalized result of dropping "Don't be evil" in favor of "All your attention are belong to us." Anyway, at this point I monitor all three and Gmail clearly has the worst filters, both for false positives and false negatives and for feebleness of their countermeasures. Proof? In the preferences of the spammers themselves, blessing Gmail with the most spam of all.

    Doesn't have to be that way. The rational spammers do have economic models that could be attacked. Dropboxes can be nuked and external email services that provide the dropboxes can be pressured. Link shorteners can be subverted against the spammers. Lots of other countermeasures are possible, but the google don't care (and Yahoo can't afford to care and who cares about Outlook).

    *sigh* Just venting again, but I really wish someone provided a really good email system, one with tools that would let me help fight the spammers. Why not convert some of the universal hatred of spammers into positive sentiments towards an email system that scares the spammers?

    --
    Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
  16. Why Political by Grady+Martin · · Score: 0

    There was no need to attempt to put a political spin on it at the end. It was an interesting story without it.

  17. Seen it First Hand by rsmith-mac · · Score: 1

    It's a shame the Cisco blog is linked second, because it's a great (yet short) read.

    Since the end of last month one of my very low volume email accounts has been on the receiving end of a new spam campaign trying to give me malware. The emails I've received exactly match the emails in Cisco's graph, so it's neat to see what's behind it - in this case the Necurs botnet running at full tilt.

    Considering this account was receiving virtually zero spam before, it's definitely a major uptick in spam.

  18. SpamCop.net Dead? by Anonymous Coward · · Score: 0

    I've used and submitted to SpamCop.net for years. But for the past few years it's been pretty useless. Block rates are very low and false positives in what is blocked are pretty high.

    Is SpamCop.net dead, or has Cisco turned it into an input only channel, hiding the useful/useable RBL data behind a paywall? Certainly the public list bl.spamcop.net seems to be useless.

  19. Brian Krebs! by Kludge · · Score: 1

    I was just about to post that we need Brian Krebs back, and I saw that Krebs' website is back!
    For those of you who do not remember, Brian's journalism was responsible for nuking more than half the spam on the internet in 2008.
    http://www.washingtonpost.com/...

  20. Seeing less, not more by Anonymous Coward · · Score: 0

    I have been seeing less spam than ever, not more. Even my GMAIL account is barely getting 3 spam emails a week and I haven't gotten a single spam message on my Office365 account at work. Kudos to the blocklists keeping that crap from even reaching me.

    1. Re:Seeing less, not more by Anonymous Coward · · Score: 0

      I have been seeing less spam than ever, not more. Even my GMAIL account is barely getting 3 spam emails a week and I haven't gotten a single spam message on my Office365 account at work. Kudos to the blocklists keeping that crap from even reaching me.

      Hm, what's your email address? This is a solvable problem.

  21. SpamCop.net is not Dead by Khopesh · · Score: 1

    SpamCop is not dead. It is still up and running and the free blocklist is a great part of your anti-spam arsenal. Compare RCVD_IN_BL_SPAMCOP_NET to the other free options using SpamAssassin rule vetting stats and you'll see it's among the top performers. ("S/O" is a measure of relative precision, "SPAM%" is recall.)

    Unlike the other DNSBLs, SpamCop also reports spam back to the networks that sent it (with filters to deal with spammer-friendly and negligent network operators, either of which might ignore or even pass on the heads-up to spammers rather than disciplining them).

    In particular, SpamCop did well against this Necurs attack but it does not fare as well against hailstorm/snowshoe spam attacks (which IP reputation doesn't help combat). IP-based DNSBLs aren't anywhere near as effective today as they were ten years ago, but they're still quite worthwhile. That said, you're right in that the best ones cost money.

    I feel happy, oh so happy. I don't want to go on the cart.

    --
    Use my userscript to add story images to Slashdot. There's no going back.
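The IP-based DNSBL lookups that both g2255691's sendmail `FEATURE(dnsbl, ...)` lines and Khopesh's RCVD_IN_BL_SPAMCOP_NET comparison rely on, as an added example that is not SpamCop's, Spamhaus's, sendmail's or SpamAssassin's code. It builds the reversed-address query name (IPv4 octets or IPv6 nibbles), interprets the 127.0.0.x answer codes, and fails open on the 127.255.255.x error answers Spamhaus returns for blocked or rate-limited queries; the resolver is injected, so the constructed answer table below stands in for real DNS and the example runs offline.

```python
"""Look up a connecting IP in an IP-based DNSBL (zen.spamhaus.org,
bl.spamcop.net, ...).

Added example, not the code of any of the services or MTAs named in the
thread. A DNSBL is queried by asking for an A record at
<reversed address>.<zone>; an answer in 127.0.0.0/8 means "listed",
NXDOMAIN means "not listed". The resolve() callable is injected so the
example runs offline against FAKE_DNS, a constructed answer table.
"""
import ipaddress

LISTING_NET = ipaddress.ip_network("127.0.0.0/8")
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")  # Spamhaus error answers

# zen.spamhaus.org return codes as documented by Spamhaus; check the current
# list before relying on these. Other zones mostly just return 127.0.0.2.
ZEN_CODES = {
    "127.0.0.2": "SBL (spam source)",
    "127.0.0.3": "SBL CSS (snowshoe / low-reputation sender)",
    "127.0.0.4": "XBL (exploited host / botnet member)",
    "127.0.0.10": "PBL (end-user address space)",
    "127.0.0.11": "PBL (end-user address space)",
}


def dnsbl_query_name(ip, zone):
    """Query name: reversed octets for IPv4, reversed nibbles for IPv6."""
    addr = ipaddress.ip_address(ip)
    suffix = ".in-addr.arpa" if addr.version == 4 else ".ip6.arpa"
    return addr.reverse_pointer[: -len(suffix)] + "." + zone


def interpret(answers):
    """Classify the A records a DNSBL returned: ("listed"|"error"|"not_listed", codes).

    Error answers (open-resolver or query-limit problems) must fail open,
    or a resolver misconfiguration silently rejects all mail."""
    if not answers:
        return ("not_listed", [])
    addrs = [ipaddress.ip_address(a) for a in answers]
    errors = [str(a) for a in addrs if a in ERROR_NET]
    if errors:
        return ("error", errors)
    listed = [str(a) for a in addrs if a in LISTING_NET]
    if listed:
        return ("listed", listed)
    return ("not_listed", answers)  # non-127 answer: wildcarded/hijacked zone


def check_client(ip, zone, resolve):
    """resolve(name) -> list of A-record strings ([] for NXDOMAIN)."""
    name = dnsbl_query_name(ip, zone)
    status, codes = interpret(resolve(name))
    if zone == "zen.spamhaus.org":
        codes = [ZEN_CODES.get(c, c) for c in codes]
    return {"query": name, "status": status, "reasons": codes}


# Constructed answer table standing in for real DNS (documentation IPs).
FAKE_DNS = {
    "7.100.51.198.zen.spamhaus.org": ["127.0.0.4"],      # botnet member
    "9.113.0.203.zen.spamhaus.org": ["127.255.255.254"],  # error answer
    "2.0.0.127.bl.spamcop.net": ["127.0.0.2"],            # test address
}


def fake_resolve(name):
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    for ip in ["198.51.100.7", "203.0.113.9", "192.0.2.1"]:
        print(check_client(ip, "zen.spamhaus.org", fake_resolve))
    print(check_client("127.0.0.2", "bl.spamcop.net", fake_resolve))
```

In a real MTA the lookup runs at SMTP connect time against the client IP, and an "error" result should log loudly and accept rather than reject.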