Greetings from Phuket (it was work, really)

July 15th, 2008 by Yael | Category: Commtouch Lore, Security Conferences | 1 Comment »

Sawadika (that’s hello in Thai)…

What could be better than fresh pineapple juice? The answer is fresh pineapple juice in the morning on one of the beautiful Andaman ocean beaches in Phuket, Thailand. Well, I had to make do with the fresh pineapple juice and a walk down to the OPSEC pavilion, but still not that bad when you come to think of it…

Checkpoint was having its Asian CPX (“Check Point Experience”) this year on one of the Thai islands, Phuket. Indeed it was challenging to get oneself to go to the CPX rather than to the beach, but it was worth it.
Just to keep you all in the picture, Commtouch technology is behind 3 of the 6 dimensions of Messaging Security, which is the new (well, new as of a few months ago….) module within the Check Point UTM-1 line of products.

One of the nicest surprises for me was Gil Shwed’s (Check Point’s CEO) opening session, where he mentioned Messaging Security more than once, as one of the great benefits Checkpoint has now to offer. I was positively beaming with pride during this keynote.

CPX was a great opportunity to meet many of Checkpoint’s resellers and distributors of the region, some of whom have already started selling UTM-1 with Messaging Security, and some who are just starting to become aware of the new product line. There was a lot of interest in what and how Commtouch does (unbelievable, but we catch spam without any content filtering engine!), not only in the already published services, but also in the upcoming new service of Web Security. I also enjoyed meeting up with some of Checkpoint’s country managers.

All in all, there is no doubt that Check Point knows how to organize a great event, making sure everyone leaves with new technical knowledge as well as a big smile (good food and drink always help). And just to prove how security-oriented the whole atmosphere was at the Hilton Phuket, last Monday they held Tsunami evacuation exercises for their teams while we were starting the conference. So we were treated to calls of “Tsunami Tsunami” over the loudspeakers (luckily we had been informed in advance that it was a drill).

Here are some pictures to share the good mood of the event:

Juggling the Commtouch stress balls with colleagues from Crossbeam and Secure Passage.

These are the stress balls, by the way, which were a big hit with the attendees (but how could you be stressed in Phuket?):

Congratulations to the winner of our lottery, Mr. Paul Dumindin of Globe Telecom, the Philippines (that’s me on the left):

And just to make you all jealous, a single picture of the gorgeous beach:

Luckily for both the organizers and the participants, the weather during the event was only so-so, but the few days before and afterward were fantastic, so we got a perfect combination of work and pleasure.

Looking forward to next year’s event.


Angelina Jolie Malware “Video”

July 15th, 2008 by Rebecca Herson | Category: Email Security | Leave a comment »

I know some people get excited about the prospect of a new video of Angelina Jolie (with or without her new twins), but it’s not recommended to download one that ends in “.exe” since it’s most likely malware :)

Building on the trend from the past few months of using standard MSN messages (links and all) to embed spam communication, now malware distributors are doing the same thing, only using the messages to distribute malware.

Below is a sample message, which looks almost exactly the same as previous “MSN-type” outbreaks.

However the image in this case is not for pharmaceutical spam, but a topless Angelina Jolie (or lookalike) which I’ll spare you. The message contains a hyperlink to download the malware file video-nude-anjelina.avi.exe. (Although if the .exe suffix wasn’t enough of a clue, perhaps the misspelling of the actress’s first name would tip you off…)


Zombies winning? I disagree.

Commtouch recently announced our Q2 email threat trend report, which indicated, among other things:

  • Spam levels throughout the second quarter averaged 77%, ranging from a low of 64% to a peak of 94% of all email towards the end of the quarter
  • 10 million zombie IP addresses were active each day, on average
  • Pharmaceutical spam was the most popular topic in Q2, comprising 46% of all spam

Are these bullets different than previous quarters? Well, yes, just like the weather changes from day to day, and season to season. Last quarter may have been a bit colder and more rainy than this quarter; similarly we had more “enhancer” spam in the previous quarter than this quarter. But for some reason this quarter’s trend report generated much more provocative headlines than earlier reports, for example “Botnets Winning Spam Wars” by John E. Dunn in Techworld (and syndicated to dozens of other publications). I’m trying to figure out why our fairly staid report — one that has appeared in similar format for a couple of years already — got such… dare I say… sensational coverage?

In this post I’d like to respond to a few of the comments that came up in articles and other blogs about the report. First of all, Commtouch does not think that the botnets are winning the spam wars. What the report does state, however, is that botnets are wily and dynamic, and can outsmart traditional filtering methods, like content filters or black lists. There are several solutions out there - Commtouch’s included - that are fighting botnets and winning, in our case, simply by blocking their activity, or providing datafeeds of botnet IP addresses to partners that incorporate that information into their anti-botnet undertakings.

Joel Hruska of Ars Technica, a blog which I really enjoy and respect, also goes for the zinger headline, “Botnets Continue to Defy Containment Attempts.” He says a few things I’d like to respond to:

Commtouch steps through the various types of attacks it saw in the second quarter, but virtually all of them would be familiar to anyone who regularly follows security topics.

Yup, I agree, and like I said, it’s like the weather. One day a “blizzard” of Chinese earthquake spam, another day a new type of blended threat. And who doesn’t like to read the weather report from time to time? On the other hand, we do provide certain statistics that are not necessarily familiar from simple observation of your spam quarantine (or inbox, depending on how successful your email filter is), unless one is tracking the Commtouch stats on an ongoing basis.

Next quote:

Commtouch has two postulates: that anti-malware companies are running up a mountain that’s collapsing beneath them when it comes to keeping up with malware variations, and that it’s easy for a malware company to switch from botnet to botnet as a means of delivering their product. These could form the basis of a discussion of whether or not current anti-malware “best practices” will ever be able to address the crisis at hand.

Well, I agree and thanks for writing it much better and more succinctly than we could have written it ourselves :) And we’d be happy to discuss this in more depth, which we have in other more malware-specific reports. Of course we believe that we have a solution for blocking multiple malware variations, but that leads us to his next statement:

Instead, Commtouch chooses to leverage its report as an advertisement for its own product line. Despite the company’s promising verbiage, it seems less and less likely that any single company will ever stumble on the magic combination of filters and heuristics to force malware authors to radically change their methods.

Ouch. It’s funny, I review every report we publish and always think to myself - should we be pushing more Commtouch product-specific messages in there? And I usually hold myself back because the reports are well-read and (I’d like to think) respected in the industry precisely because they do not read like a product pitch. If we’re starting to get too commercial in these reports, then I guess that’s a warning sign that we need to tone it down a bit and go back to our more research-oriented report roots. On the other hand, Commtouch does not pretend to be anything but what we are - a company that profits by selling email filtering software and services. So if a product pitch somehow slipped into one of our reports, I can understand how it could conceivably happen.

As for the second part of that statement, I tend to agree that there is probably no one single magic combination to block all the bad stuff out there, however as our licensing partners have found, (watch out, here comes the product pitch) combining Commtouch technology as part of defense in depth does work, and our 100 licensing partners and their tens of thousands of end-customers will attest to it.


Storm Worm “Invades Iran”

Something about the “rockets red glare” of July 4th must have gotten the Storm Wormers in the mood for aggressive action, and the next outbreak has been a faux invasion of Iran, with the following malware web site:

Based on a quick scan of the iran_occupation.exe malware file by VirusTotal, the results show that only 14 out of the 33 engines tested identify and protect against the malware.


Spammer Fireworks

Is there any holiday spammers and malware writers won’t celebrate? This just in from our detection center - blended threat emails along a July 4 Independence Day theme, with Subjects like “Happy July 4” and content… well, see for yourself in the example below:

Don’t click on links in emails like this, folks… guaranteed to turn your computer into 4th of July fireworks (or the spammer equivalent).

Happy Independence Day to our readers in the USA. Enjoy your loooooong weekend!


XSS Vulnerability in Commtouch Gateway? Not anymore!

July 2nd, 2008 by Michael Tamir | Category: Email Security | Leave a comment »

Commtouch Enterprise Anti-Spam Gateway is a nice and very effective product [hey, I am objective:)] that helps enterprises to block spam and virus outbreaks. It’s been out there for a long time and it has a solid base of loyal and happy customers all over the world. I know, because I’ve been supporting this product since its first release and it has always been a pleasure to hear warm words about its performance.

Last Friday, June the 26th, I received an email from my colleague Yael with notification that a cross site scripting vulnerability had been found in the Gateway, and that it puts our Enterprise Gateway customers at risk. I read the security report. And then I read it again. The alarming reality sunk in and I almost ran to our R&D team, screaming for a solution. “Almost”, because of the mere fact that there are several thousand kilometres and an ocean separating us.

Despite the fact that it was a weekend, it didn’t take long for R&D to come up with an elegant solution to the problem. Just two days after the vulnerability publication we had a fix and QA was running at full steam…

Yesterday the security patch was released and published, and a notification was sent to all Commtouch Enterprise Anti-Spam Gateway users, so today I would like to say a big Thank You to my Commtouch colleagues for the hard work on the weekend and the quick solution.

More and more Gateways are being patched as you read this blog, and our customers are protected not only from spam and viruses, but also from the aforesaid vulnerability.

By the way, the security patch is available on our website here. Just enter your Commtouch Gateway license key to log in to the customer section and download the ctSecurityPatch1.00.0001.zip file.


Everything you need to know about NDR Spam (aka “Backscatter”)

July 1st, 2008 by Amirh | Category: Email Security | 2 Comments »

Recently there has been a lot of discussion and reports about an increasing amount of NDR messages triggered by spam. Since the NDR problem has become a major factor in the spam world, and I noticed that there is some confusion about it, I thought it was important to give a short overview of the problem and how Commtouch approaches it. Commtouch has developed a mechanism to cope with this nuisance, but before I explain the solution I think it’s essential to understand the problem and its complexity.

NDR Definition

First, let’s define what NDR means. An NDR is a bounce message notifying that a message did not reach the intended recipient. Since there is no industry standard for these bounce messages, there are several names for this type of scenario. Here are a few that I know of:

  • NDR - Non-delivery report
  • Bounce Message
  • DSN - (failed) Delivery Status Notification
  • NDN - Non-Delivery Notification
  • Backscatter

For the purpose of this post I will use the term “Legitimate-NDR” for NDR messages that were sent to the original sender of the message (e.g. if they had a typo in an email address), and “Spam-NDR” for an NDR that was triggered by a spam message; people usually get these because spammers sent spam “on their behalf”, and the unsuspecting user receives the NDR.

To be honest, one can claim that any NDR is legitimate, since a legitimate MTA is issuing a notification to the sender that the message did not reach its intended recipient, or that a quota has been exceeded, or any other status notification. From a user perspective, considering the amount of NDR messages that an organization receives and the fact that it did not send any of the original messages – it is spam, and if not, it’s definitely not legitimate.

Types of NDRs

Unfortunately, there is no industry standard for how NDR messages should look nor how they should be treated. When an MTA issues an NDR, it usually sends it in one of the following forms:

  • Full NDR - NDRs with original message info as attachment
  • Partial NDR - NDRs with original headers and/or some parts of the original message in the body
  • Empty NDR - NDRs with no recognizable data from the original message

Although there is no definitive evidence, from what we see in our detection centers, most MTAs return Partial NDRs. Although Empty NDRs are not the most common form, they really complicate the problem, since it is very difficult to distinguish a “Legitimate NDR” from a “Spam NDR” when nothing of the original message is present.

It is important to understand that Full NDR poses real security threats rather than just annoying spam messages, since it may contain malware attachments intended to infect the machine with malicious code. 

NDR Background

Spam NDR has been around for years but has only recently gained recognition as a major spam issue. Most of it can be attributed to the massive trend of using zombie armies to propagate spam, and to the never-ending endeavors of spammers to come up with new techniques to evade anti-spam solutions.

MTAs have two ways to inform each other about a message bounce situation: synchronous and asynchronous. Synchronous bouncing occurs when the receiving MTA denies acceptance of a message during the SMTP session, so the message is never received by that MTA. In this case, the sending MTA issues an internal message, usually from the “System Administrator”, notifying the sending account that the message was not delivered.

The problem is that this method made it easy for spammers to engage in Directory Harvest Attacks (DHAs). DHAs are a common way for spammers to gather existing corporate email accounts. The idea is that the spammer connects to the corporate MTA, starts sending to thousands of email addresses at the corporate domain (like john@, david@, marketing@, etc.) and just keeps track of which ones bounced back. Of course this type of attack could take some time, but from the spammer’s perspective it’s an effective way to build an accurate database.

In order to deflect this problem, some MTAs have adopted the asynchronous approach. In this method, instead of telling the sending MTA right away that the recipient does not exist, it says at the session level that all recipients are valid. At some point, the MTA does its own checking and, according to its own policy, issues an NDR message to the address that appears in the FROM field. The idea behind this method was that spammers would just be wasting their time with directory harvest attacks, since the MTA accepts all recipients. Another reason for having NDRs is that some delivery statuses, like quota size, cannot be checked in-session and must trigger a delivery report afterwards.

Of course the asynchronous approach helped prevent DHAs, but it created the NDR problem. Along the way, anti-DHA techniques were introduced, such as tarpitting (Teergrube), which identify a DHA and delay or block connections from sources associated with the attack. These methods are considered much more effective against DHAs than asynchronous bouncing, but unfortunately there are still MTAs that implement the asynchronous method, which is the infrastructure for Spam NDR.

Recent NDR Spikes

Recently, the NDR problem raised its head again, and more and more incidents were reported. What’s interesting is that we spotted a pattern in which an individual user, and sometimes a whole domain, had a dramatic increase in the amount of spam NDRs, and after a short while it returned to the usual low levels or even disappeared completely.

Analyzing the new patterns in the Spam NDR messages showed that only a few accounts (in some cases even single accounts) were the target of the Spam NDR. So although one would expect every account in a domain to get the same amount of NDRs (this would have supported a theory that spammers are using NDRs to pass their spam through security solutions), only a few accounts got those messages.

We believe that this type of behavior relates to the increasing use of reputation techniques to block spam. Some reputation systems (depending on the vendor) use reputation scores in their decision process for determining whether a given source is bad or good. One common technique is based on the simple fact that a legitimate MTA usually does not send email messages for more than a few domains. On the other hand, a compromised MTA or a zombie computer will send from a single IP address on behalf of hundreds if not thousands of domains in a short timeframe. This is a behavior that some reputation systems track and analyze. Since it’s becoming a common technique, a spammer who wishes to deceive such a mechanism would use a small number of domains, or even a single domain, as the sender in order to avoid having its IP considered bad. The forged sender address then receives all the resulting bounces, which is why a single account, rather than the whole domain, sees the spike.

Commtouch NDR Solution

Commtouch’s solution comes from a deep understanding of the problem and proven expertise in the messaging technology space. Because of the complexity of the NDR problem, Commtouch offers different approaches to tackle it, in order to provide the best solution for each need.

Commtouch has applied a built-in logic to its RPD detection engine in order to distinguish NDR notifications from other types of inbound email messages. These NDR notifications are classified as “good” email by the detection engine and are redirected to the Inbox folders of targeted recipients. The functionality is enabled by default.

To prevent recipients from receiving Spam NDRs, Commtouch has developed an NDR solution implemented in our recently released SDK (Ver 5.06). This solution can be enabled remotely by Commtouch on a per-license-key basis, and can be configured to match different customer needs.

There are several ways to implement the NDR solution, depending on organizations’ needs:

  • Full blocking of all NDR messages - users that are not concerned about the potential loss of Legitimate NDR notifications can simply block all NDR messages, both legitimate and Spam. Although it may be considered a harsh policy, it is a fast and easy way to handle the NDR problem - No additional cost or effort is required.
  • Blocking of spam NDRs only - to distinguish between the good and bad NDRs, a small configuration change to the mail server is necessary; the mail server needs to stamp outbound email messages according to our specifications (this tactic is also known as BATV). This stamped value is used as an identifying token for the detection engine when some of these messages are rejected and bounced-back as NDR notifications. The combination of auto-detecting a message as an NDR notification and the existence of the stamped token will result in classifying the message as Legitimate NDR and allow forwarding it to the Inbox folder. Any other type of NDR notification will be classified as Spam NDR and blocked.

Since implementing the latter mechanism in the MTA may require resources and time, organizations that suffer from NDR attacks and are searching for immediate relief should consider a two-phase approach. In this case, the NDR enhancement is first enabled without stamping at the MTA, in which case all NDRs are blocked, both legitimate and spam. When possible, stamping is then implemented at the MTA to allow Legitimate NDRs to be received.
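The stamping described above can be illustrated with the public “prvs” scheme from the BATV draft (draft-levine-smtp-batv), which is what the post means by BATV. This is an added example, not Commtouch’s SDK or its own stamping specification; the secret key, domain, addresses and day numbers are constructed sample values, and the exact HMAC input layout is this example’s assumption.

```python
# Added example (not Commtouch's code): BATV-style "prvs" tagging of the
# envelope sender so that a receiving filter can tell a bounce of mail we
# really sent (Legitimate NDR) from backscatter (Spam NDR).
import hashlib
import hmac
import re

SECRET_KEY = b"constructed-sample-key"  # assumption: site-wide secret shared by MTA and filter
KEY_VERSION = "0"                        # single hex digit K in the tag
VALIDITY_DAYS = 7                        # how long a stamped address stays valid

# Tag layout from the BATV draft: prvs=KDDDSSSSSS=original-local-part@domain
#   K      = key version, DDD = expiry day-of-year modulo 1000, SSSSSS = 24-bit signature
PRVS_RE = re.compile(
    r"^prvs=(?P<k>[0-9a-fA-F])(?P<ddd>\d{3})(?P<sig>[0-9a-fA-F]{6})=(?P<orig>.+)$"
)


def _signature(key_version: str, expiry_day: int, orig_addr: str) -> str:
    # HMAC-SHA1 over K, DDD and the original address, truncated to 6 hex chars.
    msg = f"{key_version}{expiry_day:03d}{orig_addr.lower()}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha1).hexdigest()[:6]


def tag_sender(orig_addr: str, today_day_of_year: int) -> str:
    """Stamp an outbound MAIL FROM address (done on the organization's MTA)."""
    local, domain = orig_addr.rsplit("@", 1)
    expiry = (today_day_of_year + VALIDITY_DAYS) % 1000
    sig = _signature(KEY_VERSION, expiry, orig_addr)
    return f"prvs={KEY_VERSION}{expiry:03d}{sig}={local}@{domain}"


def untag_recipient(rcpt_addr: str, today_day_of_year: int):
    """Check the RCPT TO of an inbound bounce. Returns (original_address, valid)."""
    m = PRVS_RE.match(rcpt_addr)
    if not m:
        return rcpt_addr, False          # no stamp at all: we never sent this
    expiry = int(m.group("ddd"))
    orig = m.group("orig")
    # Expiry is a day-of-year mod 1000, so compare modulo 1000 as the draft does.
    if (expiry - today_day_of_year) % 1000 > VALIDITY_DAYS:
        return orig, False               # stamp has expired (or is from the future)
    expected = _signature(m.group("k"), expiry, orig)
    if not hmac.compare_digest(expected, m.group("sig").lower()):
        return orig, False               # forged or corrupted stamp
    return orig, True


def classify_bounce(mail_from: str, rcpt_to: str, today_day_of_year: int) -> str:
    """Classify an inbound message from its SMTP envelope, as the post's policy does:
    a bounce with a valid stamp is a Legitimate NDR, any other bounce is Spam NDR."""
    if mail_from != "":
        return "not-an-ndr"              # bounces are sent with the null reverse path
    _, valid = untag_recipient(rcpt_to, today_day_of_year)
    return "legitimate-ndr" if valid else "spam-ndr"


if __name__ == "__main__":
    stamped = tag_sender("alice@example.com", 100)     # sent on day 100 of the year
    print(stamped)                                     # prvs=0107......=alice@example.com
    print(classify_bounce("", stamped, 103))           # legitimate-ndr
    print(classify_bounce("", "alice@example.com", 103))  # spam-ndr (unstamped)
    print(classify_bounce("", stamped, 110))           # spam-ndr (expired stamp)
```

Without the stamp, the filter falls back to the "block all NDRs" phase of the two-phase approach, since every bounce then looks the same.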

Licensing partners who are interested in more information about these solutions should contact their technical account manager.


Chinese spam adopts a vertical strategy

June 25th, 2008 by Rebecca Herson | Category: Spam Favorites | Leave a comment »

Spam in Chinese is problematic for traditional content-filtering anti-spam engines for several reasons:

  • Chinese characters are “double-byte”, as opposed to “single-byte” like non-Asian languages. The second byte is due to the fact that one byte isn’t enough to transmit all the necessary information since the alphabet is so much larger than western languages like, for example, English. Most content-filters were designed to work on single-byte languages, and choke when it comes to double-byte.
  • There are no spaces between words in Chinese. A word may be made up of several Chinese characters, however the characters around it may also have a meaning in conjunction with those other characters. A spam filter may “read into” certain phrases that were not intended. A reader of Chinese will figure out the meaning based on the context; content-based spam filters with dictionaries of good & bad words are not that smart.
  • Chinese can be written vertically, as opposed to other languages which are written horizontally. Content-filters are typically designed to scan words from left to right, and then down. Vertical writing will simply appear as gibberish to a content-filter that is scanning it left to right. (I won’t even get into the right/left; left/right issue, since Hebrew and Arabic are written right to left…another thing altogether.)
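The third bullet, worked through in code as an added example (not Commtouch’s code or its RPD engine): a naive keyword scanner reads the lines of a vertically laid-out message left to right and finds nothing, while re-reading the same lines column by column, top to bottom and right to left, recovers the phrases. The keyword list and sample phrase are constructed for the example.

```python
# Added example (not Commtouch's code): why a left-to-right content filter
# misses vertical Chinese, and a column-major re-reading that recovers it.
PAD = "\u3000"  # full-width space used to fill a short final column


def layout_vertical(text: str, height: int) -> list:
    """Lay text out as traditional vertical Chinese: each column is read top to
    bottom, and columns run right to left. Returns the horizontal lines that a
    left-to-right scanner would see."""
    columns = [text[i:i + height].ljust(height, PAD) for i in range(0, len(text), height)]
    columns.reverse()  # the first column of the text is the rightmost on screen
    return ["".join(col[row] for col in columns) for row in range(height)]


def read_vertical(lines: list) -> str:
    """Undo the vertical layout: read each column top to bottom, rightmost first."""
    width = len(lines[0])
    cols = ["".join(line[c] for line in lines) for c in range(width - 1, -1, -1)]
    return "".join(cols).replace(PAD, "")


def find_keywords(text: str, keywords: list) -> list:
    """Naive content-filter check: which keywords occur as contiguous substrings."""
    return [k for k in keywords if k in text]


# Constructed sample: "invoice / customs / import / export", the topics quoted above.
SPAM_KEYWORDS = ["发票", "海关", "进口", "出口"]
PHRASE = "发票海关进口出口"
VERTICAL_LINES = layout_vertical(PHRASE, 2)   # ["出进海发", "口口关票"]


def horizontal_scan_hits() -> list:
    # Scanning the lines as written (left to right, top to bottom) matches nothing.
    return find_keywords("\n".join(VERTICAL_LINES), SPAM_KEYWORDS)


def vertical_scan_hits() -> list:
    # Re-reading column-major first recovers every phrase.
    return find_keywords(read_vertical(VERTICAL_LINES), SPAM_KEYWORDS)


if __name__ == "__main__":
    print(VERTICAL_LINES)
    print("horizontal:", horizontal_scan_hits())
    print("vertical:  ", vertical_scan_hits())
```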

A while back, Commtouch’s CTO Amir Lev wrote a paper for Virus Bulletin that delves into the issue of international spam, and how different languages and even cultures affect spam filtering around the globe. That was nearly two years ago, and at that time, he wrote that:

It is worth mentioning that Japanese and Chinese can also have a vertical orientation; however this layout is typically not used for computers, since it is not practical.

At that time, in 2006, we had not seen spam written vertically. Now I may be getting paranoid, but are spammers reading our old, esoteric journal articles, for ideas? Because… this week Commtouch has identified an outbreak of vertical Chinese spam!

Check out this example - the entire message is written vertically, and that number running down the right-hand edge is the business’ phone number. BTW that’s another example of how spam varies around the world - most western spammers wouldn’t dream of including a phone number (then they’ll start getting those boiler room telemarketers calling them all the time, oh yeah, and perhaps the FBI…)

By the way, what are they selling? I don’t know Chinese, so I checked with one of our BizDev Asia representatives, and this is the response I got: “oh you know, the usual stuff, nothing new here, receipts, customs, import, export…” What, no Viagra?

p.s.

<requisite plug>Incidentally, Commtouch typically has great results filtering spam in Asian languages, since the patented RPD technology is language- and content-independent. Where some anti-spam technologies have rooms full of language-experts sifting through piles and piles of spam, or generating dictionaries of “spammy” words for every language in the world, RPD is based on identifying recurring patterns in bulk-sent email, regardless of the language of the message. This ability to excel at filtering in multiple languages has served Commtouch well, netting the company many partners throughout Asia. </requisite plug>


More Chinese Earthquake Malware Blended Threat Messages

The Commtouch detection team informed me that a new blended threat outbreak of Chinese Earthquake messages began earlier today, with a similar modus operandi to the previous outbreak, the main difference being that the URL hyperlinks within the messages point to zombie IP addresses (the X’s in the sample below), rather than to the fast-flux domains of the previous outbreak.

A sample message is above. And here is a screenshot of one of the malware web pages - users should not click the “video” since it downloads malware to the user’s computer.

Sample subjects in the new outbreak include:

  • toll mounts in china earthquake
  • 2008 olympic games are under the threat
  • million dead in chinese quake
  • china’s most deadly earthquake
  • the most powerful quake hits china
  • a new massive quake struck china
  • chinese government keeps back the real number of earthquake victims
  • recent china earthquake kills million
  • unprecedented earthquake in china
  • strongest earthquake hits beijing
  • a new powerful disaster in china
  • china is paralyzed by new earthquake
  • the massive disaster leveled the center of beijing to the ground
  • 2008 olympic games will possible not take place
  • the capital of china were collapsed by earthquake
  • dozens killed in china earthquake
  • terrible earthquake devastated beijing
  • a new deadly catastrophe in china
  • destruction in china continue
  • deadly catastrophe in chinese capital
  • the death toll in china steadily increased
  • earth tremors in china is going on
  • recent earthquake in china took a heavy toll
  • countless victims of earthquake in china
  • chinese people are horrified by new earthquake
  • death toll in china is growing
  • the list of chinese victims is growing
  • death toll in china exceeds 1000000
  • deadly earthquake shook china again
  • massive death toll feared in chinese earthquake

Nasty nasty stuff. They’re even leveraging the Olympic games as a trigger to get people to “watch” the video. With the games coming up this summer, expect to see more Olympic-related spam and malware outbreaks.


Malware earthquake hoax

June 19th, 2008 by Rebecca Herson | Category: Email Security, Zombies/Botnets | 1 Comment »

For some people, hearing about China digging itself out of one of the worst earthquakes in recent memory inspires them to do good works, donate money, join the Peace Corps…. For spammers it is merely inspiration for the next wave of social engineering to attempt to recruit a new army of zombies. Building on human beings’ natural sense of curiosity, and the fact that in the last few weeks there actually was a massive earthquake in China, a new blended threat has been unleashed in large quantities starting yesterday, with email message subjects such as:

  • recent china earthquake kills million
  • recent earthquake in china took a heavy toll
  • the capital of china were collapsed by earthquake
  • the death toll in china steadily increased
  • “unprecedented earthquake in china”
  • dozens killed in china earthquake
  • a new massive quake struck china
  • _death_to ll_in_china_is_growing
  • earth tremors in china is going on
  • death toll in china is growing
  • destruction in china continue

A sample message:

The email message contains a hyperlink (several domains) to a site that tries to download malware to the user’s computer.

Even though according to spamwars the malware has only been caught and identified by 8 out of 33 tested AV engines, folks using Commtouch Anti-Spam can rest assured they are protected.
