Monday, September 3, 2012

Vote Against Spam

What started it All

   It started with a fake pharmacy spammer who pumped out 100+ email messages per day for about three months, with those sending them not even knowing they were doing it.  For the past few weeks it shifted to fake ADP/ACH, Better Business Bureau and many other schemes.  At first I was baffled by these until I finally discovered it was neither a spam campaign nor a phish, which is what I first suspected.  They were dishing out malware using what appeared to be the Blackhole exploit kit in addition to the malware.  If you want to see pictures of the various schemes they are using, they are in this folder (my view of them in Thunderbird is much different than it is in Web Mail (GMail, et al.), Macintosh Mail or the Outlook mail programs):

Pictures of Spam Schemes

The entire contents are in the folder above the pictures.  What sent all of these messages?  Microsoft Windows PC machines.  I am not talking about machines that send through the mail servers their owners use.  These Windows machines are sending email directly and need to be taken out of the loop.  Here are the IPv4 addresses for the infected PCs that were illegitimately sending the fake pharmacy messages, which appear to be different from the next set of IP addresses:

Fake Pharmacy Senders (original)
Fake Pharmacy Senders (just IPs)

The newer malware type messages are from these infected Windows PC machines:

Malware / Phish Senders (original)
Malware / Phish Senders (just IPs)

   All I know is that there is a way to make spam almost completely go away.  It requires two changes which will probably never be made.  I have actual malware from this second group that uses hacked legitimate web servers all over the globe.  The 40+ AV programs at VirusTotal were almost completely skunked by the malware, which was finally classified as FakeAV by many AV programs after I submitted it to ClamAV for evaluation.  The malware will be available on request only to national police forces and Interpol.  Others can use that to verify that these spammers are not just spammers.  They are malicious hackers who are infecting thousands more Windows machines via malicious links in email pretending to be something else, and using thousands of infected Windows machines to send the email messages in the first place.

Mail Delivery Fix

   The first mail delivery fix would be to require a certificate similar to the one used for https traffic.  A friend asked why not just check to see if the IPv4 address matches the host given?  That isn't quite so simple, because for each domain you need to find its mail server names (which some don't have), then the IPv4 addresses for each mail server.  Usually there are multiple mail servers, at least two, with one serving as a backup.  Each mail server frequently has multiple IPv4 addresses.  So the problem with a reverse IP lookup of the SMTP (Simple Mail Transfer Protocol, what handles the sending of your email from one place to another) gateways for the purported sending host is latency.  When you have a domain which is just specious (either it or its mail server does not exist) it takes a long time to verify it this way.

   I am not the first to propose this secure mailer certificate.  Many other people proposed it long before I said anything.  Initially I thought Microsoft had proposed this, but what they proposed was similar to what Spam Gourmet, Spam Assist, and other services like them provide.  The problem was that Microsoft wanted complete control.  Given their lack of understanding of how to control spam (also called Junk) in Outlook (was Hotmail), they wouldn't be my first pick to lead the charge.  GMail (Google) would be.  But Secure SMTP is not under the user's control.  Just rest assured I am not the only one who says that the SMTP system, which is now over 30 years old, needs a major fix.  Many people much better than me realize it is needed.  I am just adding my lone little voice that says it needs to be done.

   But I am also proposing an addition, because Secure SMTP alone will not completely fix the problem.  There would still be spam mailers that continue to send from machines that are legitimate Secure SMTP servers.  Instead of taking no for an answer they just sell your email address to others.
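The check the friend suggested, written out so the lookup cost is visible.  This is an added example, not code from the original post: it walks MX names to A records the way the paragraph above describes and counts the DNS round trips each verdict costs.  The resolver is a constructed in-memory table so it runs offline; every domain and address in it is made up (.test names, RFC 5737 documentation ranges), and the `FakeResolver` / `verify_sender` names are this example's own.

```python
"""Sender-IP check against a domain's published mail servers.

Added example; it is not code from the original post.  It models the check
the friend suggested (does the connecting IPv4 address belong to one of the
purported sender domain's mail servers?) as the post describes it: look up
the MX names, then the A records of each, then compare.  DNS is replaced by
a constructed in-memory table so it runs offline; every domain and address
below is made up for illustration (.test TLD, RFC 5737 documentation ranges).
"""
from dataclasses import dataclass


class NoSuchDomain(Exception):
    """Raised when the resolver has no records for a name (like NXDOMAIN)."""


# Constructed fake zone data: domain -> MX hostnames, hostname -> IPv4 addresses.
FAKE_MX = {
    "example-bank.test": ["mx1.example-bank.test", "mx2.example-bank.test"],
    "nomx.test": [],  # exists but publishes no MX records
}
FAKE_A = {
    "mx1.example-bank.test": ["192.0.2.10", "192.0.2.11"],  # two addresses, one host
    "mx2.example-bank.test": ["198.51.100.20"],            # the backup server
    "nomx.test": ["203.0.113.5"],
}


@dataclass
class FakeResolver:
    """Stand-in for a DNS client that counts round trips, the post's latency cost."""
    queries: int = 0

    def mx(self, domain):
        self.queries += 1
        if domain not in FAKE_MX and domain not in FAKE_A:
            raise NoSuchDomain(domain)
        return list(FAKE_MX.get(domain, []))

    def a(self, host):
        self.queries += 1
        if host not in FAKE_A:
            raise NoSuchDomain(host)
        return list(FAKE_A[host])


def mail_server_ips(domain, resolver):
    """Collect every IPv4 address that may legitimately send for `domain`.

    Needs one MX query plus one A query per MX host, which is where the
    latency the post complains about comes from.
    """
    hosts = resolver.mx(domain) or [domain]  # no MX: fall back to the bare name
    ips = set()
    for host in hosts:
        try:
            ips.update(resolver.a(host))
        except NoSuchDomain:
            continue  # a dangling MX name contributes no addresses
    return ips


def verify_sender(domain, connecting_ip, resolver):
    """Return (verdict, queries_spent); verdict is 'pass', 'fail' or 'nxdomain'."""
    start = resolver.queries
    try:
        allowed = mail_server_ips(domain, resolver)
    except NoSuchDomain:
        return "nxdomain", resolver.queries - start
    verdict = "pass" if connecting_ip in allowed else "fail"
    return verdict, resolver.queries - start


if __name__ == "__main__":
    r = FakeResolver()
    for domain, ip in [("example-bank.test", "198.51.100.20"),
                       ("example-bank.test", "192.0.2.99"),
                       ("doesnotexist.test", "192.0.2.99")]:
        print(domain, ip, verify_sender(domain, ip, r))
```

Against the real DNS the same shape works with dnspython's `dns.resolver.resolve(name, "MX")` and `resolve(name, "A")` in place of the fake table, and then the number that matters is elapsed time per query rather than the query count: a domain whose nameservers do not answer holds the SMTP session open until the resolver times out, which is the case the paragraph above calls specious.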
What defines an email message as spam (junk)?  The end recipient.  That is next.

DVS (Democratic Vote System)

   What I also propose is something to give the recipient / mail user a way to vote out messages. Look at this folder to see everything saved that went into this idea for having both Secure SMTP and a DVS system:

Pesky Spammer Folder

I used to have most of the files in a private folder, but now all of the files concerning this are in this public PeskySpammer folder.  This will help you understand the need for a secure SMTP mail sending service.  It also has some bearing on the situation, because what if somebody does have a certificate for their email but there is no way to opt out of messages you do not want that they keep sending you?  Generally speaking, those links that say "remove me from your send-to list" are really nothing more than "email address verified".  The spammers then sell those newly verified email addresses to other spammers.  For these stubborn groups of spammers, only a DVS will eliminate their messages for good.  Secure SMTP won't do the job of getting rid of them.  All Secure SMTP will get rid of are the Windows machines that are sending email direct.  Here is how the DVS should be implemented to work properly:
  • The first part of the DVS is that if you move a message from your Inbox to your Junk (Spam) folder, it causes your mail client to send a vote against that kind of message to a central clearing house.  This isn't just a vote for yourself.  It is a vote for everybody that has an email account, saying that kind of message is junk.
  • The second part of the DVS is that if you delete a message from the Junk (Spam) folder, it also counts as a vote against that type of message for everybody.  But a proper DVS system would instantly and immediately expunge the email message, not just move it into the Deleted folder.  Which Web-Mail services do this portion correctly?  Yahoo deletes it.  Google not only deletes it but seems to implement something similar to the DVS model and makes the deletion of the message count for every GMail user, including yourself.  When enough people do it, it junks those email messages for everybody.  Microsoft's Outlook (was HotMail) does it wrong.  It moves it into the Deleted folder, as if it wants to hang on to the spam messages forever.  This has ramifications as to who should be running the DVS system.
  • Finally, if you move a message from the Junk (Spam) folder back into the Inbox, that counts as a vote that kind of message is not Junk for everybody.  It would also be a personal override for yourself, assuring you of receiving even more of that stuff you don't want in the future.
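The three rules above as a clearing-house tally.  This is an added example, not code from the post or from any mail provider: each rule is one method, and `is_junk_for` is what a mail client would ask before filing a new message.  Two things are this example's assumptions, not the post's: what a "kind of message" is (here a hash of the sender's domain and the normalised subject, `fingerprint`) and the net vote count at which a kind becomes junk for everybody (`JUNK_THRESHOLD`).  The user names in the usage are made up.

```python
"""Democratic Vote System (DVS) clearing house, as an added example.

This is not code from the original post; it models the three rules above:
moving a message to Junk and deleting it from Junk each cast a junk vote that
counts for everybody, while moving it back to the Inbox casts a not-junk vote
for everybody and sets a personal override.  Two things are assumptions of this
example, not of the post: what a "kind of message" is (here a hash of the
normalised sender domain and subject) and the threshold of net votes at which
a kind becomes junk for all users.
"""
import hashlib
from collections import defaultdict

JUNK_THRESHOLD = 3  # assumed: net junk votes before a kind is junk for everybody


def fingerprint(sender, subject):
    """Reduce a message to a 'kind': sender domain plus case/whitespace-normalised subject."""
    domain = sender.rsplit("@", 1)[-1].lower()
    norm_subject = " ".join(subject.lower().split())
    return hashlib.sha256(f"{domain}|{norm_subject}".encode()).hexdigest()[:16]


class ClearingHouse:
    """Central tally of votes sent by every participating mail client."""

    def __init__(self):
        self.junk_votes = defaultdict(set)   # kind -> users who voted junk
        self.ham_votes = defaultdict(set)    # kind -> users who voted not junk
        self.overrides = defaultdict(set)    # user -> kinds they always want delivered

    def _vote(self, user, kind, junk):
        # One vote per user per kind; a later vote replaces the earlier one,
        # so a single mailbox cannot stuff the ballot by repeating an action.
        if junk:
            self.ham_votes[kind].discard(user)
            self.junk_votes[kind].add(user)
        else:
            self.junk_votes[kind].discard(user)
            self.ham_votes[kind].add(user)

    # Rule 1: Inbox -> Junk is a junk vote for everybody.
    def moved_to_junk(self, user, kind):
        self._vote(user, kind, junk=True)

    # Rule 2: deleting from Junk is also a junk vote (and the client should
    # expunge the message, not move it to Deleted).
    def deleted_from_junk(self, user, kind):
        self._vote(user, kind, junk=True)

    # Rule 3: Junk -> Inbox is a not-junk vote for everybody plus a personal override.
    def moved_to_inbox(self, user, kind):
        self._vote(user, kind, junk=False)
        self.overrides[user].add(kind)

    def score(self, kind):
        """Net junk votes across all users."""
        return len(self.junk_votes[kind]) - len(self.ham_votes[kind])

    def is_junk_for(self, user, kind):
        """What this user's client should do with a new message of this kind."""
        if kind in self.overrides[user]:
            return False
        return self.score(kind) >= JUNK_THRESHOLD


if __name__ == "__main__":
    # Constructed usage: three users junk the same kind, one rescues it.
    house = ClearingHouse()
    kind = fingerprint("sales@spam-example.test", "Cheap PILLS")
    house.moved_to_junk("alice", kind)
    house.moved_to_junk("bob", kind)
    house.deleted_from_junk("dave", kind)
    print("junk for carol:", house.is_junk_for("carol", kind))
    house.moved_to_inbox("carol", kind)
    print("junk for carol after override:", house.is_junk_for("carol", kind))
    print("net score:", house.score(kind))
```

The one-vote-per-user rule is the part a practitioner would insist on: without it a spammer with a few thousand throwaway accounts could vote legitimate mail into everybody's Junk folder, or vote their own campaign back out, which is the same ballot-stuffing problem any shared reputation system faces.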
   Okay.  Who does this almost right?  Google's GMail.  I know people on the PhishTank Developers list, a person on a local mailing list and other computer scientists who have given up on even maintaining their own email and have signed up for GMail and use that as their only email account now.  There are down-sides.  An Argentinian bank wrote to me at my GMail account to get their URL cleared at PhishTank.  Thankfully it was in the Junk folder.  I tried sending three messages.  The first was from GMail to the PhishTank Developer group, since I moved my PhishTank membership from to GMail.  It bounced.  The second one was from since I discovered my GMail account was not in the PhishTank Developer group.  The last was from my own private email account directly to the technical contact at PhishTank.  Two out of three of the messages were put in Junk at GMail.  That should let you know how bad the spam situation is now.  You cannot even get legitimate email to somebody else, even about security matters, because the spammers have made it almost impossible to do that any more.  Other people keep hopping from one email address to another.  Since I need to save certain things and must have POP email for my domain, I cannot do that.  But making email client programs like Evolution, Thunderbird, Outlook, Outlook Express and other mail clients mesh with a DVS, in addition to having Secure SMTP, could rein this problem in.  Until the DVS and secure email gateway are implemented, using services like these (there are others) has the potential to help you considerably.

   I didn't just pick these out of my hat.  These hackers / spammers actually sent to the first one.  It asked for confirmation.  Not granted.  That helps them keep their email clean.  The second is used by a fellow security researcher.  He allows only selected (white-listed) email addresses and disallows everything else.  Does that tell you what he thinks of the spam situation?
   How can spammers keep off my bad list?  Just remove henryhertzhobbit, hhhobbit, and securemecca from both their to-list and their from-list.  In the case of the from-list they are violating numerous national and international laws anyway.  Just like everybody else, I don't go out seeking this garbage.