It’s Ba-ack… Image Spam Blast from the Past

November 16th, 2008 by Rebecca Herson | Category: Spam Favorites

Remember when image spam was something new and kind of cool? (that was early 2006 in case you forgot). Why did it nearly disappear? For one thing, the anti-spam filters got better at blocking it, so it wasn’t as profitable for the spammers. But it looks like the spammers haven’t given up completely, and this weekend we’ve been treated to a blast from the past:

And another example:

Note that the two examples are almost exactly the same vis a vis content, but the second one is on a slight angle, to try to confuse anti-spam technologies that analyze images based on optical character reading (OCR).

Spam levels overall have been fairly low since we last reported on the drop post-McColo, so this weekend's outbreak stood out since it raised spam levels back to what we’ve become used to, at least for a few hours.


Decline in Spam after McColo Taken Offline

November 12th, 2008 by Rebecca Herson | Category: Miscellaneous

This morning when I dropped by the spam analysts’ work area for my daily check of “what’s new in spam” I noticed they were in a bit of a tizzy. Spam levels had dropped from their usual high levels and they were looking for the reason why.

We’ve seen spam levels growing pretty steadily over the past few years. So any sudden drop in spam tends to raise the red flags around here.

While some members of the anti-spam team immediately started checking anything that could have possibly gone wrong in our data centers, another enterprising analyst started searching the Internet to see if perhaps something in the outside world had influenced this change we were seeing. He came across Brian Krebs’ scoop in the Washington Post blog, which describes how backbone providers took McColo offline, McColo being the

“San Jose, Calif., based Web hosting service whose client list experts say includes some of the most disreputable cyber-criminal gangs in business today.”

Could it be possible that this single event was responsible for the drop we were seeing? I, personally, found it hard to believe. We’ve seen numerous spammers criminally prosecuted, taken offline, etc. etc. etc. but it hardly ever seems to cause even a tiny blip in our spam graphs. Or if there is a blip, it is immediately swallowed up by all the other big-time spammers out there. In this case, the Commtouch spam analysts reported several hours of spam levels that were meaningfully lower than what they were accustomed to.

But after checking, and re-checking multiple times, Commtouch’s spam analysts and operations team reached the only possible conclusion - that there is nothing wrong at the data center, there is, in fact (at least temporarily), less spam.

McColo is the owner of scores of nasty domains, including things like “viruslivescan.com” which installs spyware while purporting to scan your computer for viruses, and lots and lots of pornography sites. A random test of some of their known domains showed that they were offline.

It’s a major win to take down such a vile network of spammers. The main question is, when and where will they pop up again? Because you know this won’t put them out of business for long. We’ll be monitoring the trends and if we see anything worth reporting (or even just kind of neat) we’ll post it to let you know.

By the way, Brian Krebs published an update to his earlier blog post, here.


Obamania in Spam and Malware

November 11th, 2008 by Rebecca Herson | Category: Email Security, Spam Favorites

The flood of Barack Obama-related spam and malware messages unleashed in the past week does not appear to be abating. What started as a simple blended threat outbreak, offering to show recipients his speech (but instead downloading the malware executable barackobama.exe) has morphed into messages purporting to show an Obama sex scandal.

Outbreak that began November 5, the day after Obama was elected:

This week’s latest scandal:

Of course the attachment zeland-01.zip contains nasty malware, so beware…

The messages are being sent from zombies (aka botnets) so if your email filtering solution does not recognize the malware attachment (although by now most of the AV engines do recognize it), any solution that blocks based on zombie senders will be able to prevent this missive from reaching inboxes.

What I love are the “from” names - just odd enough to make you go “hmmm” (apologies to any of our readers if these are your names, but somehow I doubt it)

  • Bubba Chi-Wang
  • Eugenius Homayoum
  • Kristian Stanly
  • Avrom Octavian
  • Hazel Regina
  • Denver Chia Lin

And the list goes on.


Commtouch Honored with Deloitte Technology Fast 50

November 2nd, 2008 by Rebecca Herson | Category: Commtouch Lore, Miscellaneous

Commtouch is pleased to have been selected as #7 in the 2008 Deloitte Israel Technology Fast 50, a ranking of the 50 fastest growing technology companies in Israel. To determine the fastest growing companies, Deloitte reviewed fiscal year revenues over five years (2003-2007), calculated the revenue growth percentage over five years, and compared the growth of technology companies. Being recognized on this list — and as one of the top 10 companies with a growth of 3,319% — is quite an accomplishment for Commtouch.

The Fast 50 celebration took place this morning at the Tel Aviv Hilton, where hundreds of people braved the Sunday morning traffic jams to hear greetings from an impressive roster of speakers. The Mayor of Tel Aviv-Yafo Ron Huldai opened the event, and was followed by the Founder & Managing Editor of TheMarker Online, Eytan Avriel, who talked about how he founded his high-tech oriented web site (now a monthly glossy magazine, a daily insert into the newspaper Haaretz, and more) in May 2000, mere months before the high-tech  bubble burst and still he was able to create a successful growing business by listening to the needs of his customers and meeting those needs.

Another inspiring speaker was the teenager Shaked Matar, from Deloitte’s “Future Managers” program. She presented on behalf of her dozen classmates who participated in a several-month program where they were mentored by Deloitte staff in all aspects of business management, met with key figures in high tech, and even created their own business plan for a new product. Based on her poised, calm, crystal clear and enthusiastic presentation, our future will be in good hands with her and her peers in a few years when they are ready to join the workforce.

The keynote speaker of the morning was Dr. Didier Lamouche, Chairman and CEO of BULL Company. Dr. Lamouche’s presentation jibed very well with the Commtouch approach, since he discussed three key IT trends:

  1. “IT Power Plants”, in other words, delivery of IT processing power from an off-site, centralized area, similar to delivering electrical power or water utilities. Commtouch is a leader in this area through our data-center-based spam/malware detection and web security.
  2. The growing security imperative. Security is, of course, Commtouch’s central focus.
  3. His third point was “the energy squeeze,” over and above the need for sustainable development. He points out that data centers are reaching a limit, and analyzed that in some cases one square meter of servers in a data center can dissipate as much thermal energy as 20 ovens.

He also displayed a cute handheld device called “Globull” which contains a highly secure personal information system.  He noted that women were most likely to drive this revolution since this tiny device will fit into a purse, unlike any laptop (let’s hear it for the power of the purse!).

And of course the moment everyone was waiting for was the presentation of the Fast 50 companies - no one knew which company was ranked where, so there was palpable anticipation in the room as companies waited to see where they were ranked.  The list is kept so secret that the program booklet containing the ranking and company descriptions was handed out only after the presentations.

Here is a picture of Commtouch CEO Gideon Mantel (right) accepting the award for Commtouch.

Small update on Nov. 3: the two gentlemen giving the award to Gideon are: Amir Aviv, Managing Director, Corporate Finance, Poalim Capital Markets and Shlomi Anfang, Partner, Deloitte Brightman Almagor Zohar.



Chinese E-card Blended Threat Malware

In case you thought all the e-card malware was sent in English or Russian, of course other nations have their say as well. Here is an example of a recent outbreak of Chinese e-card messages that Arik from the spam analysis team shared with me. This is considered a “blended threat,” that is, an email message sent out as spam that contains a link (and in this case an HTML attachment) to malware sites.

If unlucky users click the link in the message, or open the attached html and click the link there, they will download the nasty boss.exe malware.


Spam Art

October 19th, 2008 by Rebecca Herson | Category: Miscellaneous, Spam Favorites

Luckily there are creative people who will take even one of the most annoying things - SPAM - and turn it into something positive, that is, artwork.

Artist Linzie Hunter has created a series of “one-liners” where she took spam subject lines and experimented with hand-lettering, turning them into works of art. Below is the cover of her new book, a collection of her work:

View thumbnails of her work here: http://www.flickr.com/photos/linzie/sets/72157602417089145/.

And the book Secret Weapon: 30 Hand-Painted Spam Postcards is available on Amazon.


New Blended Threat Outbreak Reminiscent of First Storm

A new blended threat outbreak started yesterday whose subject lines and contents are strangely reminiscent of the first “Storm” outbreak, which created outlandish headlines to socially engineer people to open the malware. In this case, the headlines are more topical to today, including:

  • Private investigation report on your colleague
  • Iran announces completion of nuclear weapon
  • Afghan captial in mourning
  • India makes first nuclear bomb
  • Sony stocks dips as president dies
  • Bill Gates and family held and robbed in family home
  • Bomb scare in JFK causes delays

There are also some celebrity and movie-related themes, such as:

  • The loves of mini-me
  • Nicole Kidman bedroom pics revealed

The malware files have been placed on legitimate (but compromised) web sites, demonstrating the need for web security solutions to analyze the full depth of the web site, and not just block or allow by domain, since in these cases the domains are all legitimate web sites.

Clicking on the link forces an automatic download of watch.exe, a malware executable file.

It seems the “randomize” function was tuned a bit too high however, since in most cases the subject line and the contents do not match. For example, in one message where the subject was “Bill Gates and family held and robbed in family home” the content of the message said “Obama and party feared dead in plane crash.” So… which is it?


Commtouch at MAAWG, Ft. Lauderdale

Several Commtouch folks (including myself) attended MAAWG in Ft. Lauderdale last week, along with many leading service providers, security vendors, and industry luminaries.  Highlights included a botnet presentation by Commtouch’s CTO, Amir Lev, numerous discussions about the complexity of spam, malware and web abuse, and a golf outing with our partner Message Systems (see pics below).  We look forward to seeing you all at MAAWG in San Francisco in February!


More ASCII Art Spam

September 28th, 2008 by Rebecca Herson | Category: Spam Favorites, Zombies/Botnets

A new outbreak of ASCII art spam has graced the ‘net; most recently blogged about on Mashable, it has reappeared of late, now flogging - what else - sexual enhancement meds. For those of you unfamiliar with ASCII art, it is a historic (if you’re counting history in Internet time) way of drawing a picture using characters.

An example of the latest ASCII art spam is below:

It looks like the spammers had a bit of trouble with their algorithm, since the web site and prices are pretty hard to read.

If you look closely at the components of each of the “letters” above, you will see that it is composed of random numbers, designed to fool traditional email content-filtering mechanisms. Commtouch blocks these types of messages through a combination of RPD (Recurrent Pattern Detection) technology, as well as Zombie detection, which enables Commtouch filters to identify botnet senders through an analysis of the sender’s reputation.
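To illustrate why random digits defeat exact content matching, here is an added example (not Commtouch's RPD and not code from the original post) comparing a whole-body hash with a hash of only the ink/blank layout. The bitmap font, the sample word and all function names are constructed for the illustration.

```python
import hashlib
import random

# Constructed 5-row bitmap font for three glyphs (assumption, not from the post).
FONT = {
    "B": ["## ", "# #", "## ", "# #", "## "],
    "U": ["# #", "# #", "# #", "# #", "###"],
    "Y": ["# #", "# #", " # ", " # ", " # "],
}

def render(word, rng):
    """Draw `word` as ASCII art, filling every inked cell with a random digit."""
    rows = []
    for r in range(5):
        cells = " ".join(FONT[ch][r] for ch in word)
        rows.append("".join(rng.choice("0123456789") if c == "#" else " "
                            for c in cells))
    return "\n".join(rows)

def exact_hash(body):
    """Signature a naive content filter would use: hash of the literal text."""
    return hashlib.sha256(body.encode()).hexdigest()

def shape_hash(body):
    """Hash only the ink/blank layout: every non-space character becomes '#'."""
    shape = "\n".join(
        "".join(" " if c.isspace() else "#" for c in line.rstrip())
        for line in body.splitlines()
    )
    return hashlib.sha256(shape.encode()).hexdigest()

def digit_art_score(body):
    """Fraction of non-blank lines made up solely of digits and spaces."""
    lines = [l for l in body.splitlines() if l.strip()]
    if not lines:
        return 0.0
    hits = sum(1 for l in lines if all(c.isdigit() or c == " " for c in l))
    return hits / len(lines)

if __name__ == "__main__":
    a = render("BUY", random.Random(1))   # two copies of the "same" message
    b = render("BUY", random.Random(2))   # with different random digits
    print(a, b, sep="\n\n")
    print("exact match:", exact_hash(a) == exact_hash(b))
    print("shape match:", shape_hash(a) == shape_hash(b))
    print("digit-art score:", digit_art_score(a))
```

A layout hash like this is itself easy to perturb (extra padding, varied glyph widths), which is why the post describes combining content-pattern detection with sender reputation.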


Commtouch Wins Frost & Sullivan Messaging Security Technology Innovation of the Year Award

Please join with me in celebrating the prestigious award that Commtouch was just honored with: The Frost & Sullivan 2008 European Messaging Security Technology Innovation of the Year Award, in recognition of Commtouch’s “superior protection of email inboxes around the globe from unwanted and malicious email.”

Frost & Sullivan analyst Arun Nirmal states: “Powered by its highly innovative service-based security infrastructure, Commtouch has helped revolutionise and advance the network security industry as a whole. Commtouch’s consistent performance and seamless display of innovations has kept its technology way ahead of the evolving tactics of spammers and malware writers. The company has established new standards in delivering high quality network protection.”
