Malware keeps Michael Jackson’s legacy alive

In case you’ve been living under a rock for the last few days, the big news is that Michael Jackson died. Yes…THAT Michael Jackson. The King of Pop. The Thriller. The one who introduced the world to the Moonwalk and a solitary glittery glove.

In the wake of his untimely death, cyber criminals have used his name to flood the world with spam and malware. Can’t a man rest in peace without everyone trying to cash in on his death? Shortly following his death, news sources like AsiaOne Digital detailed harvesting spam campaigns that circulated the globe. Spammers hoped to verify email addresses by luring recipients to click on links.

As the hours passed, the campaigns became more sophisticated and have morphed into blended threats…spam messages with links to Web sites that contain malware. The Commtouch Labs recently reported a scheme to spread a nasty virus that can disable firewalls and steal personal identifying information including financial data. The email looked like this:

Michael Jackson spam

The link in the email led to this page (seen below), where one is prompted to download an executable file. This executable file won’t actually provide secrets about the entertainer’s death…so don’t download it. It’s the data-stealing virus. No one wants one of those.

Michael Jackson executable file with virus

The world lost an amazing entertainer last week. We extend our deepest condolences to the Jackson family.


Rise in Number of New Email-borne Viruses Not Caught by Major AV Engines

June 30th, 2009 by Shara Grifenhagen | Category: Data & Research | Leave a comment »

From late May through June, Commtouch Labs noted a sharp rise in the number of new viruses being circulated via email that were not caught by the major anti-virus engines. A new Malware Report released by the company details several outbreaks whose wide distribution caused malware numbers to temporarily and exponentially increase from the rather consistently low numbers we have seen during the past 18 months.

One explanation for the dramatic rise is the appearance of aggressive new variants of several different Trojans. With each new variant, there is a period of time during which anti-virus companies recognize it and then develop new signatures to protect their customers. The companies have tried blocking new variants with a dedicated signature per variant. This method proved inefficient, so security vendors have begun to develop generic signatures to block all variants of the same malware family. As demonstrated by this massive growth, the generic signatures have not proven to work against the recent variants.

Total viruses missed by major AV engines

Download the full Malware Report here.


Pharmacy spreads the virus, rather than cure

It seems the summer holiday has cleared the way for spammers to spend more time focusing on what they do best…clogging our inboxes and trying to trick users and filters alike. Analysts in the Commtouch Lab recently found an interesting example that demonstrates the lengths to which spammers will go to trick us, and I must say…these guys really invested time and energy into hijacking a legitimate site and creatively redirecting users to their own sites.

What is a redirect? Quite simply, users may receive an email with a random link inside. If you were to mouse over the link, you may see a non-threatening URL that seems like it could be legitimate. If you click on it though, you find yourself on a page that is completely unrelated and when you check the URL, you see that it is totally different from what you thought you had clicked on. This usually means that a spammer has hijacked the legitimate site and added in some code to redirect you to the site they really want you to visit. Why would they hijack a legitimate site for this? In order to bypass spam filters.

In this case, we examined an email with a link that pointed to an educational Web site. Upon clicking, however, we found ourselves on a Web site built by…you guessed it…some guys with a Canadian pharmacy.

sample spam email

We dug a little deeper and found a most unique redirection method…typically there is a simple code pointing the browser to the new site. Advanced URL filtering, like Commtouch’s own GlobalView URL Filtering, would recognize this redirect and flag it as suspicious. But these guys had a lot of time on their hands and made their redirect incredibly difficult to find and figure out.

But we found it…and we figured it out.

It started with this code, hidden between pages hosted on a legitimate educator’s site:

Redirection script

After decoding the %XX characters we found this:

Decoded redirection script

It took some effort to decode the last line (starting with dF). But once we did, we found it’s a complex function that creates the redirection code and executes it.

The final decoded HTML looks like this:

Final decoded redirection script

All of that scripting and code produced a beautifully sneaky redirect to this site, which is infected with a nasty Trojan:

Canadian Pharmacy

Typically, these Canadian Pharmacy sites just send spam and sell Viagra…but this one included a virus to keep us all on our toes. I’m sort of impressed…this was quite a complicated scheme devised to sneak through spam filters, get into inboxes around the world and spread a nasty virus. Does anyone else see the irony in that?
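As an added example (not code from the post, and not Commtouch's GlobalView filtering), here is a small Python checker that peels the %XX layers described above and flags a page where redirect code only appears after decoding. The sample pages and the pharmacy.example and school.example hosts are constructed for the demonstration.

```python
import re
from urllib.parse import quote, unquote

# Script constructs that hand the visitor to another page.
REDIRECT_PATTERNS = [
    r"location\.(?:href|replace|assign)",
    r"window\.location",
    r"<meta[^>]+http-equiv=[\"']?refresh",
]
# Constructs used to hide the redirect until run time: %XX decoding,
# code built from strings, and markup written into the page.
OBFUSCATION_PATTERNS = [
    r"\bunescape\s*\(",
    r"\beval\s*\(",
    r"document\.write\s*\(",
    r"String\.fromCharCode",
]
URL_RE = re.compile(r"https?://[\w.-]+(?:/[^\s\"'<>)]*)?")


def peel_percent_layers(text, max_layers=5):
    """Return [text, decoded once, decoded twice, ...] until a pass changes nothing."""
    layers = [text]
    for _ in range(max_layers):
        decoded = unquote(layers[-1])
        if decoded == layers[-1]:
            break
        layers.append(decoded)
    return layers


def analyse(html):
    """Decode %XX layers, then look for redirect and obfuscation markers."""
    layers = peel_percent_layers(html)
    final = layers[-1]

    def hits(patterns):
        return sorted(p for p in patterns if re.search(p, final, re.I))

    result = {
        "layers_peeled": len(layers) - 1,
        "obfuscation": hits(OBFUSCATION_PATTERNS),
        "redirects": hits(REDIRECT_PATTERNS),
        "urls": sorted(set(URL_RE.findall(final))),
    }
    # A redirect that only appears after decoding is the pattern described above.
    result["suspicious"] = bool(result["obfuscation"] and result["redirects"])
    return result

# Constructed sample (not the script from the post): a meta refresh wrapped in
# unescape(), with the whole script %XX-encoded once more, giving two layers.
_inner = '<meta http-equiv="refresh" content="0;url=http://pharmacy.example/">'
_script = '<script>document.write(unescape("%s"))</script>' % quote(_inner)
SUSPECT_PAGE = quote(_script)
BENIGN_PAGE = '<p>Syllabus: <a href="http://school.example/courses">courses</a></p>'
```

Running `analyse(SUSPECT_PAGE)` reports two peeled layers, the unescape/document.write markers, the meta refresh and the pharmacy URL, while the benign syllabus page comes back clean.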


Is Raymond Marcus buying your domains too?

June 8th, 2009 by Shara Grifenhagen | Category: Spam Favorites | 5 Comments »

Peter Wang is really worried about the Commtouch domain. He sent us the very official-looking email seen below (complete with spelling and grammar mistakes) warning us that some guy “named ‘raymond marcus’ wanted to applied for the Internet brand ‘commtouch’ and some domain names through” their body.

08-jun-09-13-51-031

I’m not even really sure what that means. Raymond made an inquiry into taking over the Commtouch brand? It’s awfully nice of Mr. Wang to let us know.

We here at Commtouch took this warning very very seriously. Amir Lev, our CTO and president, immediately responded to grant Mr. Marcus permission to register domains. After all, any illegal descendant of Ferdinand Marcos who wants to take over the interwebs should be given free rein.

No?

So…can we get a cut of his inheritance?

08-jun-09-13-54-58

In the end, Peter just wants us to get nervous about “Raymond Marcus” (who most likely doesn’t really exist) and his plan to buy up our domain name. Peter is hoping that we are not smart enough to realize the trick — he wants us to call him up and give him money to buy our own domain before the fictitious Raymond does.

Thanks for lookin’ out for us, Peter! We’re going to pass this time…


Spam slips through Gmail filters

June 3rd, 2009 by Shara Grifenhagen | Category: Spam Favorites | Leave a comment »

Gmail users have been treated to a fairly strong track record of spamless inboxes thanks to Gmail’s filtering methods. Every now and then, maybe they’d miss one…or maybe they’d falsely mark a legitimate email as spam…but for the most part, Gmail users have been spared large amounts of spam cluttering their inboxes.

Over the last four to six weeks, and especially in the last week or so, a bug over in the Gmail spam filters has changed this. Some Gmail users have noticed a sharp increase in the amount of spam that snuck through the filters and ended up in their inboxes. Lisa Hoover, over at Computerworld, shares her personal experience with the issue and the Search Engine Round Table offers a concise summary of the Gmail forums covering the topic.

Spam like this sample - promoting weight loss supplements - has snuck through Gmail’s spam filters:

03-jun-09-14-51-001

And another example, offering free HD or DVR:

03-jun-09-14-57-561

As of today, Google has not offered an explanation for this glitch but in this Gmail forum, an employee named Sarah assured us that Google is investigating it and looking for a fix. That was at the end of April. According to users, the problem has only gotten worse since then. Hopefully Google will sort it out soon so Gmail users can enjoy low spam levels again.

Gmail subscribers should remember that Gmail is a free service - in beta stage. From time to time, there may be glitches that the Google team will have to address. But considering the price, there isn’t really much room to complain. No? Paid services are typically held to a higher standard than free services.

…as they say, “You get what you pay for.” And for a service that is totally free, I’d say Google is doing a pretty good job of keeping its Gmail subscribers happy.


Never tempt an Argentinean with FIFA World Cup tickets…

June 2nd, 2009 by Gabriel M. Mizrahi | Category: Spam Favorites | 1 Comment »

What else can be said about those pesky Nigerian scam emails (commonly known as the “419 fraud”) and notifications of winning large amounts of money that hasn’t already been said?

It isn’t new that scammers use current events, news and upcoming attractions to make their campaigns seem authentic and convincing. While doing some research on 419 messages, I came across one in particular that caught my attention and could have potentially fooled me…if I didn’t know better.

To give you some background…I am Argentinean…and the two things an Argentinian loves the most are Asado (grilled meat) and football (or “soccer,” for the guys in the US).

So this particular email that caught my attention informed me that I won tickets to the FIFA World Cup 2010 in South Africa plus £250,000. To be honest, I had subscribed to the World Cup ticket lottery, so if the email was a request to pay a discounted price for the tickets, I am sure I would have done it!

But…I know that scammers are greedy. The winning amount stated in this email is too good to be true…and who uses an awful red background in an official email?!

…I know it is Coca Cola FIFA 2010, but still!

world-cup


A few Words about the Commtouch Milter

What is a Milter?
Sendmail and Postfix are the most popular open-source mail transfer agents (MTAs); Sendmail has both free and commercial editions.

Due to the emergence of threats and unwanted content such as viruses and spam, a need arose to filter those messages closer to the perimeter, before they reach the end-user mailbox. However, since both Sendmail and Postfix were designed as MTAs, they lack the ability to perform content analysis of the messages passing through them and support only basic RBL (Real-time Blackhole List) IP lookups.

In order to solve this problem, content-scanning software such as Amavis and Mail-Scanner was developed. Integrating that software requires strong Linux and Postfix configuration skills; also, the message flow in these tools is not optimized and wastes resources:

  1. The message is accepted by the MTA
  2. The message is forwarded to the content scanner (Amavis, etc)
  3. The content scanner executes external software (such as ClamAV, SpamAssassin, etc.) in order to scan the message
  4. The clean message is forwarded to a 2nd copy of the MTA
  5. The 2nd MTA delivers the clean message

In version 8.12, Sendmail introduced an API called the “Sendmail Content Management API” (a.k.a. the Sendmail Milter API). This API makes it possible to connect third-party content-analysis software to the MTA and have it analyze mail messages as they arrive (in real time): the message content and meta-information can be examined and modified during the SMTP transaction itself, and more than one filter can be connected at once.

Following Sendmail’s success, Postfix added full compatibility with Sendmail’s Milter protocol in version 2.4.

Bottom line: it’s finally possible to add anti-virus and anti-spam milters to filter out messages easily and efficiently.
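As an added illustration (a constructed Postfix main.cf fragment, not Commtouch’s documentation and not the Commtouch Milter’s actual listener address), this is what attaching a milter at the SMTP stage looks like, together with the fail-open setting a practitioner should check:

```ini
# Constructed example: hand every SMTP transaction to a milter listening on
# a placeholder address before the MTA accepts the message, so there is no
# second MTA hop as in the five-step content-scanner flow above.
smtpd_milters = inet:127.0.0.1:8891
# Apply the same filter to locally submitted mail (sendmail(1), pickup).
non_smtpd_milters = $smtpd_milters

# Weak setting: if the milter is down, Postfix accepts everything unscanned.
# milter_default_action = accept
# Safer: tempfail tells the sending server to retry later, so nothing is
# delivered unfiltered while the scanner restarts.
milter_default_action = tempfail
milter_connect_timeout = 30s
milter_command_timeout = 30s
milter_content_timeout = 300s
```

Check the effective values with `postconf milter_default_action smtpd_milters` after reloading Postfix.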

The Commtouch Milter
Commtouch has introduced a Milter that enables the use of Commtouch Anti-Spam, Zero-hour Virus Outbreak Protection and GlobalView Mail Reputation with Sendmail or Postfix MTAs.

The goal in offering the Milter is not only to provide superior technology for our partners but also to ease the integration process, and to allow partners to benefit from Commtouch’s added value without having to invest too many additional resources.

This is why Commtouch has initiated its integration tools strategy that allows partners to leverage existing security infrastructures to improve competitive offerings. As part of this initiative Commtouch has already released its Commtouch Plug-in for SpamAssassin, and now we are proud to release the Commtouch Milter Plug-in. Like other Commtouch offerings, it is primarily targeted at security vendors and service providers (including hosting providers, ISPs, etc.) that are servicing over 5000 mailboxes. Of course, it can also handle carrier grade offerings of tens of millions of mailboxes.

Why Milter? Why Now?
It is true that even before we offered the Milter, it was possible to integrate our SpamAssassin plug-in and have it scan your messages without changing your current topology too much, whether you use spamd-milter, Amavis, Mail-Scanner or any other content scanner/milter that integrates SpamAssassin.

But is it good enough? That’s a rhetorical question! SpamAssassin uses a lot of resources, and in order to enjoy the best performance, you are much better off taking SpamAssassin out of the equation.

The Commtouch Milter provides the best way to integrate a content analysis mechanism with your Sendmail or Postfix MTA, enjoying best performance, minimum latency and proper usage of Commtouch’s technologies and services.

If you want to learn more about Commtouch Integration Tools in general or about Commtouch Milter solution in particular, please visit http://www.commtouch.com/commtouch-milter-messaging-security, or even better – download our free evaluation software of the Commtouch Milter.


Mail merge FAIL

May 12th, 2009 by Shara Grifenhagen | Category: Spam Favorites | 2 Comments »

You know how it is when you need a vacation. You’re tired and cranky. You daydream. You can’t focus. You confuse things. I think that is what happened with a recent batch of spam reported on by the Commtouch Labs.

A few samples looked something like this:

11-may-09-10-54-57

The image is missing and the text is an HTML mess. I opened the mail with a text editor to figure out what went wrong…and as seen below in the body of the message, it appears that there was a mistake replacing the %VARIABLE, where VARIABLE should have been replaced by a corresponding value in the spammer’s spreadsheet (e.g. a URL or a name). Looks like their mail merge failed.

11-may-09-10-59-00

I guess even spammers need a break every now and then…it must be hard work trying to clog inboxes with unsolicited mail!


Swine Flu Infects Inboxes too

May 6th, 2009 by Shara Grifenhagen | Category: Spam Favorites | 1 Comment »

As the Swine Flu makes its way around the world and creates panic among travelers, spammers have tried to cash in on the frenzy. The Commtouch Labs recently reported on two different kinds of spam attacks that have incorporated the phrase “Swine Flu” as a means of social engineering — Swine Flu is such a hot topic right now that recipients may be more likely to open a message related to it.

In the first outbreak example (pictured below), the emails included “Swine Flu” in the subject line to grab a recipient’s attention. The body of the emails is unrelated to the Swine Flu but reads much like the sexual enhancement spam of the past, aiming at men who may need a little extra boost to express their love.

Swine Flu Pharma Examples

The links in both examples led to Canadian Pharmacy sites featuring sexual enhancement drugs (surprise, surprise), not a Swine Flu vaccine.

The second batch was used to harvest emails for spammers. They employed an automatic subject/body generator and came up with some really sloppy combinations. As seen in the examples below, “Swine Flu” was not included in the subject but rather in the body of the emails. In the first example, the spammer combined the economic crisis (subject line) with the Swine Flu epidemic (body). The second email combined poor Andy with Paris Hilton AND Swine Flu…all in one. Quite creative.

Harvest Example

While a harvesting attack is not sent to lure recipients to buy products from various Web sites or download malware, the emails are sent in huge numbers to check the validity of large groups of email addresses. Once valid email addresses have been harvested, spammers use the lists as targets for new attacks.

Seems as though the Swine Flu is spreading around the world virtually now as well…


Commtouch Unveils New Online Security Center

We are happy to announce the availability of a new Online Security Center, featuring timely data and statistics regarding malware outbreaks, and other messaging and Web threats.

A new feature we developed is a Web Security Lab that identifies the top categories of Web sites infected with malware or manipulated for phishing.

The comprehensive Security Center includes tools for monitoring malware outbreaks, spam and zombie/botnet trends and a real-time outbreak monitor displaying outbreaks and their geographic origin dynamically. These tools are, in many cases, displayed by our OEM partners on their corporate web sites.

The Commtouch Online Security Center can be found at http://www.commtouch.com/security-center.
