Monday 3 June 2013

SPAM: The fight between Good and Evil


Spam. Junk mail. Whatever you choose to call it, the problem is an ongoing war between spammers and antispammers.

What the spammer has in their arsenal:

1) People whose PCs are compromised and thus drafted involuntarily into spammer botnets, which are large groups of PCs controlled by a botmaster. Spammers without a botnet of their own can typically rent one from a botmaster for their spam run.
2) User ignorance. These are folks, well intentioned or otherwise, who unwittingly get their PCs infected and have them become part of a botnet. If they're lucky, that is. Some machines become child porn hosting sites. Were law enforcement to trace the IP address, the victim's IP address would appear as the culprit. Penalties can include jail time.
3) An unlimited supply of blissfully ignorant users, who see popups etc. appear on their PCs and odd behaviour manifesting itself (e.g. clicking on Google doesn't go to Google). As long as they can still use the PC, they'll ignore it as long as possible.
4) Thousands of compromised PCs with free bandwidth. Bandwidth that can be used to spam, or to take down the sites of people they don't like with DDoS (distributed denial of service) attacks.
5) People who read ads like "Make $Money$ fast at home!" and think nothing's wrong with spamming as long as they make a buck.


What the antispammer has in their arsenal:

1) Antispam software, the most famous of which is SpamAssassin, together with Bayesian statistical analysis of mail content.
2) What was once fought only by little outfits like Spamhaus is now also fought by folks like Microsoft (!!!), who are going after spammers across the world. We can forgive Microsoft for Vista/Win8/WinPhone8. Hmm, maybe not WinPhone8. Then again, one can argue Microsoft themselves make spamming easy by making Windows so easily compromisable, even a fully patched Windows 8.
3) Moral rectitude. Being on the side of everything that is good and holy vs the greedy, money-grubbing, immoral spammers. Sometimes it's just that clear.


What exactly is spam?

One lax definition is any unwanted mail. Another is Unsolicited Commercial Email (UCE). Still, if you're in business, you do expect commercial emails from new and potential clients, even if they are unsolicited. A better take is Spamhaus' definition: it has to be Unsolicited AND Bulk email.

  • Unsolicited Email is normal email
    (examples: first contact enquiries, job enquiries, sales enquiries)
  • Bulk Email is normal email
    (examples: subscriber newsletters, customer communications, discussion lists)

How do we nail these clowns?

Most folks don't have the resources to nail these miscreants. The nailing can only be done by law enforcement across country borders, since zombie botnets frequently span countries, making law enforcement difficult if not nigh impossible. Only folks with the pockets of Microsoft can do this. That's not to say we cannot do anything...we can. The most important thing is to maintain clean computing practices. And I don't mean wiping your LCD screen every day.

Surely there must be some laws? Can't we just nab the filthy scum?

Assuming the spammer is local to Malaysia, we have some laws. In the Malaysian context, spam is categorized under Section 233 of the Communications and Multimedia Act 1988. The penalties are a fine of up to RM50k, imprisonment of up to 1 year, or both. However, seeing how the Malaysian legal system seems more interested in arresting people for posting uncomfortable Facebook comments or prosecuting online websites for posting news unflattering to the govt of the day, rather than doing something actually useful, I don't see this happening anytime soon.

The new Personal Data Protection Act of 2013 also has some interesting legal tools against the would-be spammer. Anyone disclosing personal data to 3rd parties without notification/permission would be liable for a fine of up to RM300k and up to 2 years' jail. So you cannot create an email database, then sell it to someone else for $. At least, that's my impression as a lay person.

Thus far, I'm not aware of a single case prosecuted by the Malaysian Govt under the CMA as relates to spam and I don't expect them to do so anytime soon. Still, the best laws prevent at best 5% of spam, whereas the worst antispam technologies prevent 80%. Let's hear it for technology.


As a user how do I minimize my spam?

Practise safe computing!

1) Don't get your PC/mobile infected!! Once infected, your device is compromised. Any and all information on it has potentially been leaked to the botnet owners. Change passwords immediately! DO NOT KEEP USING THE PC. GET IT REFORMATTED, NOT CLEANED, since most tech folks don't do a proper job cleaning. Frequently cleaning takes longer than a clean install, and your PC will perform faster with a clean install anyway. The keywords to remember here are: CLEAN INSTALL, from known good media (not pirated CDs!).
2) Stop installing free apps that read all your contacts (and email addresses), unless they're from trusted folks. How do we know who is trusted and who isn't? Therein lies the dilemma. It's probably safer to trust an app with 1M downloads than an app with 20 downloads.
3) Do not use an administrative account (even with UAC) for normal work. Create a limited user account. This will minimize the damage any malware can cause, since it can only run with the same privileges as the limited user.
4) Do not use freemail (I'm looking at you, YAHOO and OUTLOOK.COM, formerly Hotmail). Have your own domain (somecompany.com) with your own hosted email.
5) Do not disclose your email to every Ah Chong, Ahmad and Ramasamy! Keep multiple email addresses. Your primary business card should have one email address for work only. DO NOT USE THIS ON MAILING LISTS!!! OR GIVE IT AWAY FOR A FREE DRAW. OR AT ANY EVENTS/EXHIBITIONS. Keep a 2nd card for this. Your work email is for clients (current/potential) only, those that you cannot afford to block.
6) Use content filtering to block all banner ads. Banner ad providers are frequently targeted by malware authors since these ads have a large audience. If the ads were hijacked, they'd have a large pool of PCs to infect and command. 
7) Use content filtering to block all known malware sites
8) Use an antivirus on every consumer device. Whether it's a Mac, PC, smartphone or tablet. Or a PC-based DVR. They're all potentially vectors for infection.
9) Porn sites are the largest infection vector, next to religious websites apparently (!). The former probably because the big brain isn't thinking clearly, and the latter perhaps because the admins lack the expertise to harden the sites (if you're in the latter category and based in MY, contact me for free advice and pentesting).
10) Don't ban the internet! Some folks are under the mistaken assumption that if their staff does not have internet, the PC won't be infected. Please note that USB flash drives are easy avenues of malware transmission, unless you superglue all USB and network ports. The better plan is to limit internet site access (eg blocking chat, forums, social networking), while allowing update sites for antivirus and Windows Updates etc so the security patches are installed in a timely fashion.
11) Use microSD cards with USB adapters instead of normal USB flash, since microSD has a write-protect tab (a long while back regular USB flash had too). If you copy a file to a suspect PC, ensure the write-protect is enabled so your card does not get infected.
12) Update everything! Windows Update (every 2nd Wed of the month), antivirus (check it has daily updates), Adobe Flash and Adobe Acrobat (the two most insecure pieces of software ever), Oracle Java. Adobe deserves a special place in hell for wrapping their Flash Updater with trial software, currently McAfee Scan Plus. Steve Jobs had the right idea...Don't use Flash if you can help it. If your bandwidth is limited, either use a proxy cache, which will help with all mass downloads, or set up a Microsoft Software Update Server, which helps with the Microsoft software. A client/server antivirus also helps in that case, since only 1 machine downloads the updates and distributes them.
13) If you still use Win98, Win NT, Win2000 or an unpatched WinXP...well, you're on the side of spammers. Those PCs are wholly insecure and unsuitable for any sort of network environment.


If you use safe computing practices, you'll see perhaps 1-2% spam per day out of your total volume, assuming minimal false positives (i.e. mail that is actually ok, but misclassified as spam). If you don't, well, you probably already have loads of toolbars and need to have your PC reformatted yesterday.


Additional comments for wannabe Mail Admins

1) Greylisting - Nice idea. Doesn't work when so many idiots run mail servers that don't follow RFCs. You end up troubleshooting other folks' mail servers. Not worth the headaches. Tried and discarded.
2) RBL - If you're trusting a 3rd party DNSBL to solely decide what mails YOUR mail server accepts, you're an idiot. These should only be used for scoring the mail, not as an all-in-one accept/reject filter. The only exception IMHO is if they are properly managed IP reputation folks such as Postini/Brightmail etc.
3) Vacation mail - evil most of the time, even if properly implemented. For me, it's evil because it confirms the email address with information leakage (e.g. "I'm away on vacation from the 23-27th of May, please stop by and rob my home since no one will be in").
4) SpamAssassin (SA) has some default rulesets, however they need tweaking. On low end servers, sa-compile is excellent for reducing processor load.
5) Clamav with SaneSecurity - highly recommended. This reduces CPU load further since this does preliminary filtering on malware & phishing before the CPU-intensive SA kicks in for the antispam portion. Pure ClamAV doesn't work as well.
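The scoring approach point 2 argues for, as an added example that is not from the original post: each DNSBL hit adds weighted points that are combined with the rest of the filter's score, and only the combined total can reject. The zone names, weights and resolver table are constructed for illustration; the 127.0.0.x "listed" answer convention follows common DNSBL practice.

```python
import ipaddress
from typing import Callable, Dict, Optional

# Constructed zone names and weights (not real services). No single list
# reaches REJECT_THRESHOLD alone, so one list's mistake cannot bounce mail.
DNSBL_WEIGHTS: Dict[str, float] = {
    "dnsbl-a.example": 2.5,
    "dnsbl-b.example": 2.0,
    "dnsbl-c.example": 1.5,
}
REJECT_THRESHOLD = 4.0  # comparable to a SpamAssassin required score
LISTED = ipaddress.IPv4Network("127.0.0.0/24")  # 127.0.0.x answers = listed


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reversed-octet query name: 1.2.3.4 in zone Z becomes 4.3.2.1.Z."""
    addr = ipaddress.IPv4Address(ip)  # rejects malformed input early
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def dnsbl_score(ip: str, resolve: Callable[[str], Optional[str]]) -> float:
    """Sum weights of lists answering with a 127.0.0.x listing code; `resolve`
    returns the A record string or None for NXDOMAIN (other answers, such as
    127.255.255.x error codes, do not count as hits)."""
    total = 0.0
    for zone, weight in DNSBL_WEIGHTS.items():
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer is not None and ipaddress.IPv4Address(answer) in LISTED:
            total += weight
    return total


def decide(ip: str, other_score: float,
           resolve: Callable[[str], Optional[str]]) -> str:
    """Reject only on the combined DNSBL plus content-filter score."""
    total = dnsbl_score(ip, resolve) + other_score
    return "reject" if total >= REJECT_THRESHOLD else "accept"


# Constructed stand-in for live DNS (query name -> A record); swap in a real
# resolver for production use.
FAKE_DNS = {
    "4.3.2.1.dnsbl-a.example": "127.0.0.2",
    "4.3.2.1.dnsbl-b.example": "127.0.0.3",
    "8.7.6.5.dnsbl-a.example": "127.0.0.2",           # listed once only
    "12.11.10.9.dnsbl-c.example": "127.255.255.254",  # error, not a listing
}
fake_resolve = FAKE_DNS.get

if __name__ == "__main__":
    for ip in ("1.2.3.4", "5.6.7.8", "9.10.11.12"):
        print(ip, dnsbl_score(ip, fake_resolve), decide(ip, 0.0, fake_resolve))
```

A sender listed on one list only stays below the threshold unless the content scan adds points of its own, which is the difference between scoring and a hard reject.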
