
This site is best viewed in Firefox or Seamonkey browsers. We do not recommend the use of Internet Explorer browser due to the risk of getting infected with malicious software without any warning while surfing the web.

January 28, 2009
Shootin' phish in a barrel

Just received a spam to lure me to a phishing site. (OK, so I knew it was phish and went anyway, so I wasn't exactly "lured." But bear with me.)

Here's the spam:

Dear Wells Fargo Bank customer,

You have received this alerting message, as you are listed to be an Commercial Electronic Office® user.

We would like to inform you that we are currently carrying out scheduled maintenance of banking software, that operates customer database for Commercial Electronic Office® users. Customer database is based on a client-server protocol, so, in order to finish the update procedure, we need customer direct participation. Every Commercial Electronic Office® user has to complete a Commercial Customer Form. In order to access the form, please use the link below. The link is unique for each account holder and expires within a certain period of time. If you don't fill in Commercial Customer Form before your unique link expires, the system will automatically send you a new notification message.

[whole bunch of number identifying the person who received the email]

Sincerely,
Wells Fargo Online Customer Service
Please do not reply to this email.

It's a pretty lame attempt at speaking English. But the link says ", yadda, yadda." It's the last part before the first single slashmark "/" -- "" -- that tells you what the real site is, right? Wrong.

This is a time in which you want to see what that spam looks like in its raw view. It was sent in both text and html ("hypertext markup language," the computer code used for webpages), and the actual link is hidden in the html code. People with text-only email don't get fooled, but there aren't many of those people, and the phisher will just let them get away. With the html view, the link in the visible text is not going to be automatically turned into an active link by the email program. This is what the html code looks like:

<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; charset=3Dwindows=
<meta name=3DGenerator content=3D"Microsoft Word 11 (filtered medium)">
<p><font face=3D"Arial, Helvetica, sans-serif">Dear Wells Fargo Bank cust=
<p><font face=3D"Arial, Helvetica, sans-serif">You have received this ale=
rting message, as you are listed to be an Commercial Electronic Office<su=
p>&reg;</sup> user.</font></p>
<p><font face=3D"Arial, Helvetica, sans-serif">We would like to inform yo=
u that we are currently carrying out scheduled maintenance of banking sof=
tware, that operates customer database for Commercial Electronic Office<s=
up>=AE</sup> users. Customer database is based on a client-server protoco=
l, so, in order to finish the update procedure, we need customer direct p=
articipation. Every Commercial Electronic Office<sup>=AE</sup> user has t=
o complete a Commercial Customer Form. In order to access the form, pleas=
e use the link below. The link is unique for each account holder and expi=
res within a certain period of time. If you don't fill in Commercial Cust=
omer Form before your unique link expires, the system will automatically =
send you a new notification message.</font></p>
<p><font size=3D"2" face=3D"Arial, Helvetica, sans-serif"><a href=3D"http=
niquelink-id=[whole bunch of number identifying the person who received the email]">
/form/do.jsp?uniquelink-id=[whole bunch of number identifying the person who received the email]</a></font></p>
<p> </p>
<p><font face=3D"Arial, Helvetica, sans-serif">Sincerely,<br>
Wells Fargo Online Customer Service<br>
Please do not reply to this email.</font></p>

Well, there is a lot of gobbledygook there if you aren't used to html code. But there is one html tag you really need to be able to recognize: "<a href>". There may be other links in a spam, especially to images, and in a phish email those will usually point to the real website -- it makes it easier to carry out the deception. But the <a href> tells you the website the spammer is trying to take you to. In this case, it's

<a href=3D"http=
niquelink-id=[whole bunch of number identifying the person who received the email]">

(In this case, you can view the site without using the identifying information:

Now look at the last part before the first single slashmark "/": It's "". That's the domain under the control of the phisher, and the one you would report to its registrar for shutdown.

".be" is for domains registered in Belgium. You can find a whois server that can tell you about .be domains here:

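Pulling the real destination out of the raw HTML, as an added example that is not from the original post: it decodes the quoted-printable body, collects each <a href> together with the text shown for it, and takes the host (the last part before the first single slash) from both. The message is a constructed miniature of the spam above; the phisher's host is a placeholder under the reserved .example domain, and the two-label rule for the domain to report is a simplification.

```python
"""Added example (not from the original post): decode a quoted-printable HTML
phish, pull out every <a href>, and compare the host it really points at with
the host shown in the link text.  The message is a constructed miniature of the
Wells Fargo spam quoted above; the phisher's host is a placeholder."""
import quopri
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample.  "=3D" is a QP-encoded "=", "=AE" is the (R) sign in
# windows-1252, and a bare "=" at the end of a line is a soft line break that
# splits the URL across lines exactly as in the raw spam above.
RAW_QP_HTML = b"""<p><font face=3D"Arial">Dear Wells Fargo Bank customer,</font></p>
<p><font face=3D"Arial">You are listed as a Commercial Electronic Office<sup>=AE=
</sup> user.</font></p>
<p><font size=3D"2"><a href=3D"http://wellsfargo-update.phisher.example/form/do.j=
sp?uniquelink-id=3D0000000000">https://www.wellsfargo.com/form/do.jsp?uniquelink=
-id=3D0000000000</a></font></p>
<img src=3D"https://www.wellsfargo.com/img/logo.gif">
"""

def decode_body(raw):
    """Undo the transfer encoding; the real spam's META tag declared
    windows-1252, so decode the bytes with that charset."""
    return quopri.decodestring(raw).decode("cp1252")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for each <a>, plus src= URLs, which in a
    phish usually point at the genuine brand site to look convincing."""
    def __init__(self):
        super().__init__()
        self.links, self.src_urls, self._open = [], [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._open = [a["href"], ""]          # start collecting link text
        elif a.get("src"):
            self.src_urls.append(a["src"])
    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append((self._open[0], self._open[1].strip()))
            self._open = None

def host_of(url):
    """The host: the last part before the first single '/' after 'http://'."""
    return (urlsplit(url).hostname or "").lower()

def report_domain(host):
    """Name to look up in whois and report to the registrar.  Simplification:
    the last two labels, right for .be or .com but not for suffixes like .co.uk."""
    return ".".join(host.rsplit(".", 2)[-2:])

def analyse(raw_qp_html):
    """One finding per link: where it really goes versus what the reader sees."""
    parser = LinkCollector()
    parser.feed(decode_body(raw_qp_html))
    parser.close()
    findings = []
    for href, shown_text in parser.links:
        real = host_of(href)
        shown = host_of(shown_text) if "://" in shown_text else ""
        findings.append({
            "href": href,
            "real_host": real,
            "shown_host": shown,
            "mismatch": bool(shown) and shown != real,   # the classic phish tell
            "report_domain": report_domain(real),
        })
    return findings

if __name__ == "__main__":
    for f in analyse(RAW_QP_HTML):
        verdict = "PHISH?" if f["mismatch"] else "ok"
        print(f"{verdict}: shows {f['shown_host']!r}, really goes to "
              f"{f['real_host']!r}; report {f['report_domain']}")
```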

January 25, 2009
Spam humor

The "Sloppy, Lazy and Stupid Spammer" forum at is always good for a laugh. Even if you're not an experienced spamfighter who can laugh at the incompetent use of Dark Mailer software, you can always get the humor in the Fractured English or Mismatched Subject Headings threads.

Just one example posted there from user Moike:

Stupid phishing email - I've seen lots of variations on this, but it's still funny.

The security upgrade will be effective immediately and requires our customers to update their ATM card information.

1. Login to your Wachovia account.

2. Please update and verify your information on file with us.
We apologize for any inconvenience this may cause, and appreciate your support in helping us maintaining the integrity of the entire Capital One Bank system. Please login as soon as possible.

Capital One Bank Security Advisor.

Nice to know that you can save your Capital One account by logging into your Wachovia account!


January 23, 2009
Your computer has doors to the outside. Have you left any unlocked?

If you visit any anti-spam forums, you will quickly learn that a large percentage of the websites being advertised in spam aren't being hosted in the normal way. Instead of paying rent to have their websites hosted by commercial hosting services -- which costs money, lots of money if you want "bulletproof" hosting from a service that won't boot you off for spamming -- they hijack computers of innocent people using trojan horse viruses. Once infected by a trojan, a computer gives the attacker access to store his website files, and it allows people looking for that website to view those files. Similarly, most of the computers mailing the spam are also under the control of criminals.

That means an infected computer has to be "listening" for people trying to access it. It has to have a door left open. Those doors are called "ports." Port 80 is the one left open by computers that are supposed to be webservers, and a piece of malware can open any port of the programmer's choosing.

The ShieldsUp! website will do a free scan to see if your computer is listening on any common ports. There's more explanation about why you should care about open ports here. Should you find open ports, you need to find out why they're open and look for malware that may be on your computer allowing it to be part of a botnet.

Choosing strong passwords

The other issue is, even if you locked the door, did you leave the key under the mat? Burglars know where to look for hidden keys, and so do attackers. Obviously, how much trouble someone will take to get onto your computer depends on how valuable the information is. Do you do your taxes on your computer, meaning your social security number and other personal information is there? Do you buy online with credit cards? -- even if you tell your browser not to store them, malware could be logging all the keys you type. Do you have pictures of your kids that can be photoshopped with pornographic photos to conceal the identity of the child who was actually abused? If so, at least somebody could use your information, and a very weak password on your router/firewall isn't much better than none at all. Plus, who wants their computer to be the one used to upload the next al Qaeda decapitation video?

First, if you didn't know your router had a password, you may not have changed the default it was shipped with. So if every router of that type has the same password, you can guarantee there are people checking everyone logged into the internet to see who hasn't changed their default. Go to the manufacturer's website and find out how to change it.

There are a number of passwords that are used very frequently, and attackers try them first. So if you thought you were really clever by choosing "password1" as your password, you weren't. There are a number of sites with lists of common passwords. PC Magazine posted a top 10 list in April 2007 and Wired Magazine posted an analysis of the top 20 MySpace passwords in December 2006.

So if you look at those lists, you know to avoid password, password1, 123456, qwerty, abc123, letmein, common swear words, and your own first name. Anybody can try those without any special effort.

But hackers have software that allows them to try over and over if your router will allow it. So the next question is, "If they want to get in, how long would it take them to try?"

The quickest way in is a dictionary attack. If your password is a lower case dictionary word, with or without a single number at the end, a computer can try all the possibilities in a few minutes.

Besides avoiding words in the dictionary, avoid dates (even ones they don't know, like your nephew's birthday).

The best passwords are long -- once you get longer than 8 characters, the number of possible combinations goes up very quickly. And a long password can discourage someone from trying further if the dictionary attack fails. The best passwords also don't just stick to lower case letters (26 possibilities), lower and upper case (52 possibilities) or even all letters and digits (62 possibilities). Throw in the special characters !@#$%^&*()_-+={}|[]\:";'<>?,./~ if you're allowed to use them, and you now have 93 possibilities. (Do find out if you're allowed to use them, so you don't choose a password that won't be accepted.)

To do the math:

4 characters, all lower case = 26 to the 4th power = 456,976 possibilities, which would be a lot for you, but not for a computer, especially one that knows to check common characters first.

6 characters, all digits (like a date) = 1,000,000 possibilities. But a smart computer program will first try 0 and 1 in the first place and 0, 1, 2, and 3 in the third place, since dates only have those possibilities. In fact, there are only 365x100 dates in a century, plus up to 25 more for leap years in the last 100 years, or 36,525 total choices.

8 characters, taken from upper/lower/digits/special is 93 to the 8th power = 5,595,818,096,650,400 choices. 10 characters is 48,398,230,717,929,000,000. Now you start talking about it taking even a fairly powerful computer years to crack the password, especially if the letters and other characters aren't in predictable combinations.
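The arithmetic above, as an added example that is not part of the original post: it computes the key spaces, counts the dates in a century from the calendar, and estimates how big a space an attacker taking the post's shortcuts really has to search for a given password. The wordlist size and the guess rate of one billion per second are assumptions chosen for illustration.

```python
"""Added example (not from the original post): the key-space arithmetic from
the paragraphs above, with the date shortcut counted from the calendar rather
than estimated, plus a rough classifier for how big a space an attacker who
follows the post's order of attack must really search.  The wordlist size and
guess rate are assumptions chosen for illustration, not measurements."""
from datetime import date, datetime
import string

# The 31 special characters listed in the post; with 62 letters and digits
# that makes 93 symbols.
SPECIALS = '!@#$%^&*()_-+={}|[]\\:";\'<>?,./~'

ALPHABETS = (
    ("lower case only", string.ascii_lowercase),                   # 26
    ("upper and lower case", string.ascii_letters),                 # 52
    ("letters and digits", string.ascii_letters + string.digits),   # 62
    ("letters, digits and specials",                                # 93
     string.ascii_letters + string.digits + SPECIALS),
)


def keyspace(alphabet_size, length):
    """Distinct passwords of exactly `length` symbols from the alphabet."""
    return alphabet_size ** length


def dates_in_century(first_year):
    """Distinct calendar dates in the 100 years starting first_year, i.e. the
    365 x 100 of the post plus however many leap days really fall in them."""
    first = date(first_year, 1, 1)
    last = date(first_year + 99, 12, 31)
    return (last - first).days + 1


def looks_like_date(digits):
    """True if six digits read as a valid date in a common six-digit order."""
    for fmt in ("%d%m%y", "%m%d%y", "%y%m%d"):
        try:
            datetime.strptime(digits, fmt)
            return True
        except ValueError:
            continue
    return False


def smallest_alphabet(password):
    """Name and size of the smallest alphabet above that covers the password."""
    for name, chars in ALPHABETS:
        if all(c in chars for c in password):
            return name, len(chars)
    return "outside the post's 93 symbols (assume 95 printable ASCII)", 95


def attacker_search_space(password, wordlist_size=100_000):
    """(reason, candidates) an attacker must try before this password falls,
    taking the shortcuts the post describes in the order it describes them.
    wordlist_size is an assumption standing in for a cracking dictionary."""
    if len(password) == 6 and password.isdigit() and looks_like_date(password):
        return "six digits that form a date", dates_in_century(1909)
    if password.isdigit():
        return "digits only", keyspace(10, len(password))
    stem = password.rstrip(string.digits)
    if stem.isalpha() and stem.islower() and len(password) - len(stem) <= 1:
        # a lower-case word with at most one trailing digit: a dictionary run
        return "lower-case word plus at most one digit", wordlist_size * 11
    name, size = smallest_alphabet(password)
    return name, keyspace(size, len(password))


def years_to_exhaust(candidates, guesses_per_second=1_000_000_000):
    """Years to try every candidate at an assumed one billion guesses/second."""
    return candidates / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    print("26^4 =", keyspace(26, 4), " 93^8 =", keyspace(93, 8),
          " 93^10 =", keyspace(93, 10), " dates/century =", dates_in_century(1909))
    for pw in ("311299", "123456", "password1", "Passw0rd", "Tr0ub4dor&3"):
        why, n = attacker_search_space(pw)
        print(f"{pw:12} {why:42} {n:>24,d} ~{years_to_exhaust(n):.1e} years")
```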

If you're choosing a password for work, you have an additional consideration -- you need to be able to type it quickly without looking at the keys, so people don't read over your shoulder. Rely on long passwords which are not single words, and use common punctuation as your special characters in those cases, as with practice you'll be able to enter them without an observer being able to follow what you're doing.

There are a number of youtube videos showing how quickly someone can hack a password using free software. The bad guys know about it; you should too. Here's one:


January 19, 2009
More on Conficker

Gary Warner's blog expands more on the behavior of Conficker. Important take-away message: Even if you have installed the patch to keep the worm from spreading from other machines in your network or from infected thumb drives, if the worm has your administrator password, it can still install itself from another PC in your network. How would it get your admin password? Lots of networks use the same administrator password for all machines on the network. If an admin logs into an infected computer, he has provided the password for all the others. Get the patch on ALL the machines on your network, ASAP.


January 18, 2009
Conficker/Downadup/Kido worm

Well, this is a pretty exciting worm, considering it hasn't done anything. Yet. It's spreading like kudzu, though. Should it rouse into action, we may find out what it does in a rather unpleasant manner.

It takes advantage of a Microsoft Windows vulnerability that was patched months ago. Microsoft didn't say much about it at the time; they just quietly fixed it with one of their regular updates. So while it didn't advertise the vulnerability to the bad guys, it didn't scare a lot of people into updating, either. (And maybe some people have decided to wait a while to install patches, after a recent Windows update made it impossible to access the internet if you had ZoneAlarm installed -- hard to fix that one, you know?)

Anyway, it spreads machine to machine via internal networks and also removable media, like flash drives. Since it's just installing itself and not doing anything to call attention to itself yet, it's been gaining access to a huge number of computers without spurring their owners into looking for problems. And should they learn they are infected, it will try to prevent them from getting fixes by blocking access to a large number of sites that provide help. In fact, you can't get access to any sites that have the following character strings in their URLs:


At least it provides an easy way to figure out if you're infected. Try to go to

using Internet Explorer. If it won't let you, you've got a problem. Remember that Conficker could have spread to your computer from other computers in your home/office network, so you need not have done anything stupid yourself.

If you're still okay, make sure you have all the updates from that Microsoft updates site. Make sure your firewall has not been deactivated, and set it to require new authorization from any connections from other computers in your network. If you don't have a firewall, Comodo still provides their excellent firewall for free. You have to download their (free) antivirus as well, but if you prefer your own, you can uncheck that option.

If you're already infected and need help, majorgeeks and bleeping computer are not on the blacklist.


January 17, 2009
Waledac trojan spoofs Obama campaign site

The Waledac trojan shares a lot of similarities with the Storm worm, though it's a different piece of software. (See the earlier post below for more about a similar malware spam campaign.) Waledac appeared recently with fake e-card sites. Now it's spamming for sites claiming that Barack Obama is refusing to assume office. Just like the old Storm sites, it preys on people's curiosity about disasters to get them to click a link that will download the payload onto their computers. And the wording was clearly written by someone who doesn't speak English fluently.

Just don't click it, okay? The real campaign website is


January 15, 2009
KSForum is now

The KS Forums (Kill Spammers), previously hosted at, was attacked in the first wave of the DDoS attack in August-September 2007 that also hit Castlecops, Spamnation,, and Artists Against 419. While Castlecops fought to stay on line in the face of the massive attack, KS moved underground with just their most active members and continued to fight internet criminals in secrecy. Although there were advantages to working where the criminals could not see what was going on, other internet users interested in joining the fight against spammers could not find them, either.

The new location, was unveiled today. It's a good place to learn about spam and internet crime, especially for people who are new to spamfighting and who might find other forums intimidating. Even if you know nothing about computers or email, senior forum members will help you start learning what you need to know to be an effective spamfighter.

KS always has had a close relationship with, and many of those anti-spam volunteers have already moved to InboxRevenge since CC's demise last month.


January 9, 2009
Israeli/Palestinian conflict news story used as lure for malware download

Spam started arriving today claiming to link to CNN news stories about the Israeli/Palestinian conflict in Gaza. The subject is "Subject: Israeli War: The Zero Hour in French israel war hidabroot," though I'm betting the stuff in your inbox has one of an assortment of different subjects and texts:

Israel offers short respite from strikes.
Israel will halt its bombardment of Gaza for three hours every day to allow residents of the Hamas-ruled Palestinian territory to obtain much-needed supplies, a military spokesman says.
The images broadcast here were graphic and striking.
The Al Jazeera English report below captures the extent of the devastation caused by the initial strikes.

Proceed to view details:

2009 Cable News Network. A Time Warner Company. All Rights Reserved.

Notice that the URL contains "edition.cnn.2009," but that isn't the last part of the URL before the "/". Only the last part counts:

The real location is "," and that's the domain you would report to get this site shut down. It has no relationship to "" at all. Close only counts in horseshoes and hand grenades.

Like the pages that preyed on people concerned about the Chinese earthquake last year, this one appears to have a video that won't work unless you download an update to Adobe Flash. In reality, the "video" is just a still image called sw22.jpg:

Without the link to the malware file, you can click on that jpg all you want, and nothing's going to happen. Either way, you aren't going to see any "graphic" images.

Even if you're clever enough not to click, the page will attempt to reload itself. But instead of the same page, it will attempt to load the payload Adobe_Player10.exe instead, with a tag in the source code that looks like this:

<meta http-equiv="REFRESH" content="10;url=../Adobe_Player10.exe">

The best protections here are to not use Internet Explorer, and to set your browser to always ask where to put a file when it downloads. When it asks where to put this one, just cancel the download. (When I downloaded it, I told it to change its name to "Adobe_Player10.exe.txt," which means my computer can't run it as a program, only open it as a text file. It's much safer for handling it.)

The malware itself is fairly poorly detected. My submission was the first one received at, so this would be considered a "zero-day" malware -- the antivirus companies have to be able to recognize it by its general characteristics, never having received a sample of this particular one before. You'll see those marked as "heuristic" or "DNA scan" or "suspicious." And since trojan horse viruses like this don't do anything much besides allow more malicious programs onto your computer -- and the downloads are usually encrypted -- they aren't easy to recognize that way:
File Adobe_Player10.exe.txt received on 01.09.2009 17:33:28 (CET)
Result: 9/38 (23.69%)
Antivirus .. Version .. Last Update .. Result
a-squared 2009.01.09 -
AhnLab-V3 2009.1.10.0 2009.01.09 -
AntiVir 2009.01.09 HEUR/Crypted
Authentium 2009.01.08 W32/Heuristic-210!Eldorado
Avast 4.8.1281.0 2009.01.08 -
AVG 2009.01.09 -
BitDefender 7.2 2009.01.09 -
CAT-QuickHeal 10 2009.01.09 (Suspicious) - DNAScan
ClamAV 0.94.1 2009.01.09 -
Comodo 895 2009.01.08 -
DrWeb 2009.01.09 -
eSafe 2009.01.08 -
eTrust-Vet 31.6.6300 2009.01.09 -
F-Prot 2009.01.08 W32/Heuristic-210!Eldorado
F-Secure 8.0.14470.0 2009.01.09 Suspicious:W32/Malware!Gemini
Fortinet 2009.01.09 -
GData 19 2009.01.09 -
Ikarus T3. 2009.01.09 -
K7AntiVirus 7.10.584 2009.01.09 -
Kaspersky 2009.01.09 -
McAfee 5489 2009.01.08 -
McAfee+Artemis 5489 2009.01.08 -
Microsoft 1.4205 2009.01.09 TrojanDownloader:Win32/Small.gen!C
NOD32 3755 2009.01.09 -
Norman 5.99.02 2009.01.09 -
Panda 2009.01.09 -
PCTools 2009.01.09 -
Prevx1 V2 2009.01.09 -
Rising 2009.01.09 -
SecureWeb-Gateway 6.7.6 2009.01.09 Heuristic.Crypted
Sophos 4.37.0 2009.01.09 Sus/UnkPacker
Sunbelt 3.2.1831.2 2009.01.09 -
Symantec 10 2009.01.09 -
TheHacker 2009.01.09 -
TrendMicro 8.700.0.1004 2009.01.09 PAK_Generic.001
VBA32 2009.01.08 -
ViRobot 2009.1.9.1552 2009.01.09 -
VirusBuster 2009.01.09 -
Additional information
File size: 7742 bytes
MD5...: d2326165be23464144a26abea694b841
SHA1..: ff3a6f283004a16cef00db62a04473199c92cf74
SHA256: 0dd6bb6563fbb4fc57a26136fe44049e3e7d5f5a7cd68d1387016dba6ed0fc82
SHA512: 155a37ee85af7437a01882d4e62e36e154259b2a6e1abbc18be6f6b986a231f4 04f52406a9c59c2016740d80d30d651aaff39b489278ada0df6a73df50557f73
ssdeep: 96:nPVw00/r52DfD5UfvXUqtddStibeKWaeTqpo5HTRVa7gi8uOg:ntwdgD75+1b eKRy5HT6ZUg

Moral of the story is, even a very good, fully updated antivirus program can miss something like this. Don't assume it's safe just because your AV program didn't raise a stink. Don't click on it. Period.

Update: Gary Warner's blog has more detail on this one, including information about the malware the trojan downloads and where it gets it.


January 2, 2009
AV Comparatives Summary Report for 2008

AV Comparatives does independent testing of antivirus products. In order to even get tested, the products have to prove they're at least adequate in the first place, so there are only 16 products being tested.

Winners for 2008 were:
* Best Overall: Avira AntiVir (about $28/year at current exchange rate for antivirus+antispyware, free for antivirus alone), with ESET NOD32 Antivirus (about $60/year) a close second
* Best On-Demand Detection: Avira AntiVir, with just about everything a close second
* Best Proactive On-Demand Detection (detecting new malware no one has seen before): ESET NOD32; Avira was close, but lost points for false positives.
* Lowest False Alarm Rate: McAfee (about $30/year) with Microsoft's discontinued Onecare product in second place (Microsoft plans to replace Onecare with a free product)
* Fastest On-Demand Scanning: Symantec's Norton Antivirus (about $40 a year) with Avira in second place
* Fastest Speed for Copying/On-Access Scanning (scanning files while you're in the middle of opening them): Kaspersky Antivirus (about $60/year), with ESET NOD32 second.
* Best Overall Performance (how much it slowed down computers when running): ESET NOD32, but also with several others performing nearly as well.

The full report is here. In addition, Shadowserver does continuous comparisons on a daily/weekly/monthly/yearly basis, which often gives a better idea of how a single product can be completely fooled by a particular sample of malware that floods everyone's email inboxes, while performing extremely well with everything else. Watching how your AV program performs over time gives you information that a testing agency can't easily duplicate in a lab. Today's performance by Kaspersky is quite poor, for instance, although it is usually considered one of the gold standards that other programs are compared with.

AntiVir's good showing is consistent with its results in the Castlecops Unknown File Forum, where newly discovered malware was posted with results of scans done at VirusTotal and Jotti. False positives are always undesirable, but if you know to be cautious, it's probably better to get an alert and have to check it out than to get no warning at all. If your AV program detects something already on your system and you aren't aware of any problems, before deleting it, send the suspicious file to your AV program's manufacturer (each program should provide a way to do that). They should get back to you within about 24 hours with a more thorough analysis to confirm or correct the previous results. That kind of input also helps keep your AV program one of the top performers.

Notice that you can get a very good program for a reasonable price. But also be aware that you still need to let your brain be your first line of defense -- no AV program detects all the malware the first day it shows up, and some products (especially some free programs that weren't tested) do quite poorly. Don't get a subscription for more than a year, because this year's stars might ride on their reputations, and this year's dogs might overhaul their procedures to improve their products. It's not worth changing for small differences in these types of competitions, but if you see your current product wasn't even tested because it couldn't meet minimum standards, yes, it's time to shop around.


January 1, 2009
More reviews of 2008

Gary Warner has posted his top ten list of most significant spam and malware developments of 2008.




