
Brian Krebs

Wednesday, May 06, 2009

Spam Levels and Anti-Spam SaaS

By Adrian Lane

I was reading the Network World coverage last night of the McAfee Spam Report stating spam rates were down 20%. While McAfee's numbers are probably accurate, my initial reaction was "Bull$#(&", because I personally am not seeing a drop in spam. If the McAfee report, as well as Brian Krebs' posts, show the totals are down, why am I getting a lot more spam, increasing weekly to the point where I am becoming actively annoyed again? I was wondering how much was due to the launch of the new Securosis web site, how much was the 'cat and mouse' cyclical changing of spam techniques, and how much was an anti-spam provider not keeping up.

I spent a couple of hours last night combing through Postini alerts, my internal junk folder, and the deleted spam that had made it to my inbox. What I found was a linear progression from the time we started with Postini until now, with increasing rates getting caught by my internal spam filter, and a corresponding linear increase getting into the Inbox. Not sure why I allowed this to capture my efforts on Cinco de Mayo, especially considering I have developed a really good margarita recipe that deserved some focused appreciation, but hey, I have no life, and the article grabbed my interest enough to go exploring.

Anyway, I think that Postini is just falling behind the curve. We switched over in September of 2008. My email address was broadcast when I joined Rich last July, and I was surprised that there was not more spam. When we added the Postini service, no spam was getting through for a while, and every evening I would get my Postini status digest of the one or two spam messages it had intercepted. I still get these, and the digest always shows 1-2 emails captured. However, I am getting several dozen in my internal spam folder and another 15-20 in my inbox. And it is the old school blatant "Bank of Nigeria" and "Lottery Winner" stuff that is sneaking in. Even the halfway well-executed Citibank/Chase/BofA Security alert phishing attempts are getting caught by my personal filters, so how in the world is this stuff getting through Postini? This is not the 97-99% blockage that I talked about in the past, and that customers have reported to me. I just did a survey 9 months ago and it may already be out of date.

It's time to make a change. The beauty of spam filtering as SaaS is that we can change without pain. I am on the lookout for a 10 seat SaaS anti-spam plan. Got recommendations? I would love to hear them. Share your advice and I will share my margarita recipe.

–Adrian Lane

Tuesday, November 18, 2008

Going On The Offense

By Rich

Brian Krebs posted a follow up article on the takedown of fraudulent hosting provider McColo (facilitated by his initial reporting last week). If you think all the nasties out there are hosted in Russia or China, you should really read his article.

McColo's servers weren't sending out the actual spam; they functioned as the command and control infrastructure for some of the world's biggest botnets. For those of you who don't know, spam is rarely sent from static servers anymore; it originates from botnets scattered around the world that are directed by their control network to issue once-in-a-lifetime offers for the best possible deals on male enhancement products. (It's nice to know everyone has small weewees and lasts about 8 seconds, since otherwise this stuff wouldn't be so profitable.) Since the spam originates from tens of thousands of different systems, it is nearly impossible to blacklist based just on IP address.

McColo hosted major components of the command infrastructure for spewing out your totally legitimate university diplomas (for a small fee). All those little bots are still out there, but no one is telling them what to do. As Krebs reports, it's only a matter of time before the network owners reassert control and we can get back to purchasing discount medications and finding true love in former Soviet countries.

But what if we took control ourselves and locked out the network? Those servers are still sitting in some building in California, and the ISPs still control the IP addresses. Imagine what we could do if we sent in a research team (or law enforcement) to commandeer all those bots and lock the bad guys out.

Yes folks, this is just fantasy today. We don't have the legal framework to execute such a project without creating risk for the good guys involved. Sure, we could use the botnet to patch all the compromised systems, but that's effectively breaking into someone's computer and making changes.

I dream of a day when we can more effectively take the fight to the bad guys without worrying about going to jail ourselves. There's absolutely no chance we can continue this fight indefinitely if we're always on the defense. But we're a long way off from having the legal framework and institutions to effectively stand up for ourselves.

–Rich

Thursday, November 13, 2008

Brian Krebs: Ultimate Spam Filter

By Rich

First he exposes the Russian Business Network and forces them to go underground; now he nearly single-handedly stops two-thirds of spam.

Most tech journalists, myself included, merely comment on the latest product drivel or market trends. Brian is one of the only investigative journalists actually looking at the roots of cybercrime and fraud. On Tuesday, he contacted the major ISPs hosting McColo, a notorious hosting service whose clients include a long roster of cybercriminals. At least one of those ISPs pulled the plug, and until McColo's clients are able to relocate we should enjoy some relative quiet.

Congrats Brian, awesome work. This also shows the only way we can solve some of these problems: through proactive investigation and offense. We can't possibly win if all we do is run around and try to block things on our side.

–Rich