It’s another Monday and seems to be another day of inbox Spam. However, I’ve noticed recently how more and more spam groups are being created on Yahoo! and joining me. They basically say the same thing:

I’ve added you to my akljsdfklj group. a free Yahoo! Group to send and receive group messages.

Description: asdflkhasdf

To gain access, click the link…

This is another reason that Yahoo! just doesn’t care about their product. I use Google Groups all the time and don’t get any spam messages like this. Yet, every week I am removing stupid posts like in the image.

Where is the confirmation? I really have to click on a link and tell them this group is spam? Why not have some protocols in place to avoid me getting annoyed like this?

Here are some ideas that anyone running a group website could implement:

1. Multiple fields on form

Make them fill out more information than your name and small description. Make them enter in some contact information. Require a description field to be 20 words or more (not just characters). Have an algorithm determine if the description is jibberish or actually says something.

2. CAPTCHA

It’s annoying, but in a way, it’s meant to be annoying. That way, you know someone is human. Yahoo! does have some CAPTCHA algorithms that they could use in this group. It also kills the bots attempts to register groups.

3. Confirmation

Email confirmation means they have to register an email address first. That might also stop some bots from creating groups.

These are not revolutionary ideas. They have been used before and can be used again. The more we can stop spammers and bots, the less phishing scams and malware can be created. When that happens, people and companies save millions of dollars.

So Yahoo! – If you’re just going to let it continue, then why not shut down YahooGroups and get out of the business. It’s what you’re doing anyway…

GData has found that many people’s preconceptions about malware are wrong and are putting them at risk of malware infection. The vectors for viruses and trojans have significantly changed in the past couple of years and infections now mainly come from websites rather than emails and USB sticks. The growth of malware in the past five years has been phenomenal and since 2005, over 2 million malware threats have been identified.

GData surveyed nearly 16,000 web users in 11 countries regarding their views on internet threats. People are generally more knowledgeable now, with only 4% admitting to having no antivirus software on their computer, although 5% didn’t know. 48% of those questioned have free AV software and 41% have paid software. The survey is not entirely clear if it was Windows PCs only or any computer, including OS X and Linux.

GData identified 11 malware myths that can lead to a higher risk of infection. Here they are.

Myth 1: When my PC is infected, I will notice in one way or another (93%)
No, modern malware writers are smart and code their viruses and trojans to make sure that they work stealthily and unnoticed in the background.

Myth 2: Free AV software offers the same elements of security as paid for packages (83%)
Anyone who has bothered to compare the feature sets of free v. paid versions of security software from nearly any company will know that this isn’t true. Usually the free ones are missing features such as firewalls or anti-spam filters.

Myth 3: Most malware is spread through e-mail (54%)
As mail spam and antivirus filters have got better, malware in attachments has become rarer as it has become less effective. Consequently most spam / malware emails now only come with links to infected websites rather than payloads.

Myth 4: You can’t get infected just by loading an infected website (48%)
Sadly not true. Websites loaded with malware that take advantage of vulnerabilities in the browser and operating system can infect a PC even when the user is “just looking”.

Myth 5: Most malware is spread through downloads at peer2peer and torrent sites (48%)
Undoubtedly some malware is passed on via peer-to-peer but today websites are the prime source of infection.

Myth 6: It is more likely to encounter malware at a porn site that at a horseback riding site (37%)
Much as we might like this myth to be true, serious adult sites are professional and run to a high standard. The web site is key to their business and they make sure the sites are secured and up-to-date with patches. On the other hand, hobby websites are run by enthusiasts who are rarely IT experts and these websites are easily compromised by criminals who then upload malicious code to the site which subsequently infects visitors.

Myth 7: My firewall can protect my PC from drive-by-download attacks (26%)
Sadly, not true. Firewalls are a useful security component but because much malware is web-based and web traffic is generally allowed (because you couldn’t access websites if you didn’t), firewalls provide only limited protection against them.

Myth 8: I don’t visit risky sites, so I am safe from drive-by-downloads (13%)
This is much the same as Myth 6, but the point to take is that your trust in the website brand does not have a direct correlation to the likelihood of being infected. In the recent past, a couple of high-profile trusted sites have become vectors for malware without the owner’s knowledge.

Myth 9: If you don’t open an infected file, you can’t get infected (22%)
The emphasis in this myth is on the “you”. In a perfect world this might be true, but modern PCs and operating systems are so complex and do so much in the background that it’s possible for a malicious file to infect a PC regardless of what the user actually does.

Myth 10: Most malware is spread through USB sticks (13%)
In the past a large proportion of viruses and trojans would have been passed on using USB memory sticks and while they can still be a vector (Conficker!), now more malware is spread by websites.

Myth 11: Cyber criminals aren’t interested in the PC’s of consumers (8%)
As most people recognised, consumer PCs are definitely of interest to consumers, either to form part of a botnet or else to monitor for passwords for on-line services.

“There is a natural assumption amongst Internet users that pornography sites are more dangerous than other leisure sites. This is a myth. Amateur hobby/leisure sites are often not professionally run like many pornography sites, making them much easier prey for hackers,” says Eddy Willems, G Data Security Evangelist. “In the past, malware was written by developers who wanted to show off their technical skills, meaning it was visible to infected users. Now cyber criminals design, sell and make use of malware that enables them to take control of PCs’ computing powers in such a way that users do not notice the infection. This covert approach not only puts users’ data at risk, but also allows cyber criminals to send spam e-mails and malware, and participate in DDoS attacks. Internet users must correct their misconceptions in order to stay safe online.”

You can download the full report (.pdf) if you want more information on the survey itself and the myths.

So stay sharp out there. The bad guys are out to get you.

I’m still getting mail from dead people.  An AOL account belonging to a friend of mine who passed away almost three years ago has been hijacked and sends me at least one spammy email a day.  I tried to block her emails using my spam blocker, but some still get through.  She had three or four AOL email addresses, and all of them send me spam email.

Now I’m getting spam email from a mechanic I used a few years ago.  The same type of spam email, and I’ve tried to call him, but he appears to be out of business.

But good old AOL, they aren’t out of business, and they never delete email addresses in their system, so I’m destined to get multiple emails a day from these defunct accounts.  And seriously, mail from the dead is just creepy!  AOL doesn’t seem to be responsive to requests to shut down these accounts (I’ve tried that) and they don’t even want to talk to you unless you have an AOL ID to sign on with.  There is no way I want to sign up for an AOL account just so I can complain about another AOL account.

Short of turning on blocking, spam filtering, etc., what is the solution?  How many of millions of AOL (or Yahoo, or Hotmail) email addresses are really defunct, but still sending out spam email because they’ve been hacked?  And why does it seem so hard for these emails to get turned off or deleted?  I sure wish I knew the answer.

Digital security firm Sophos today released their Security Threat Report for 2011, which reviews all the ways that the bad guys are out to get you. It’s a glossy 52 page report and is worth a quick read to understand the threats that are out there, especially in areas that you might not be familiar with.

The report covers the key threats from 2010:

• Fake anti-virus software and scareware – through a warning dialog, users are scared into paying for and installing fake anti-virus software, which at best does nothing and at worst steals passwords and credit card information.
• SEO poisoning – manipulating search engine results to point users to fake and rogue websites, which are loaded with browser exploits and malware.
• Clickjacking or UI redressing – hiding malicious buttons underneath innocuous images, e.g. clicking on a “Like” or “Share” image actually emails out malware to all the users friends.
• Survey scam – in order to complete a questionnaire that typically offers a non-existent but  sought-after prize, software has to be installed or access given to personal data. This information is then used to propagate the questionnaire onwards, earning affiliate revenue for the application developer.
• Spam – not exactly a new entrant in 2010 but the rise of spam on social networking sites is an increasing problem.
• Spearphishing – a variant on the original phishing but in this case the attack is well targetted and much more convincing and consequently more likely to succeed.
• Stuxnet worm – a traditional vector but with a new target, the Stuxnet worm went after SCADA systems and industrial PLC controllers. Very sophisticated, leading to conspiracy theories involving industrial sabotage.
• Malvertising – the infection of advertising on legitimate websites that links to malware or fake anti-virus software.
• Compromised sites and accounts – Legitimate websites and typically celebrate accounts are hacked to serve infected webpages or link to malware sites.

The report briefly covers the threats posed to iOS, Android, Windows 7 and Blackberry smartphones before moving onto to review issues with Facebook, Adobe products, removeable media and USB drives. Windows 7 and OS X are also discussed.

The report continues with some of the success stories when the justice system has managed to catch up with the criminals before closing with advice and guidance on how to avoid getting hit.

Give it a read. Warning – 4MB .pdf download.

The USA is the worst country in the world for relaying spam, according to Sophos’ latest report on spam.  The US was responsible for 13.1%, followed by Brazil and India at 7.3% and 6.8% respectively, with the UK, Russia and Italy tied in 7th place.  In a further twist, China has completely disappeared from the top 12 and now relays only about 1.9%.

The full hall of shame is below.

Given the amount of attention that China receives as the “Country of Cybercrime”, the table shows that US and Europe ought to be looking a bit closer to home when it comes to spam.

Sophos estimates that 97% of email received to business servers is actually spam and only 3% is legitimate email.  Frankly that’s a both scary and a disgrace.  The level of resources needed to cope and the subsequent cost incurred by business shows that spam ought to be much higher up on the agenda of our lawmakers.

Perhaps they could take a break from the usual “digital rights” arguments and do something that would help everyone. That would get my vote.

So the numbers are getting better. According to the Messaging Anti-Abuse Working Group (MAAWG), 80% of Internet users are aware of the botnets and spam in email. They know that there is no national lottery or company that spells their product V1@gra. Still, 20 percent of users are still taking SPAM seriously. That is seriously a bad number and it shows, because the report says we continue to select the spam.

Think about it – There are 305 million in the United States alone. That means sixty-one million people will respond to SPAM. Sixty-one million will be at risk of loosing thousands of dollars and possibly their credit line. Sixty-one million might get malware on their machine, which might enter your machine. Now apply that 20% to the 6.6 Billion from around the world. That means you can market a SPAM campain to 1.2 billion viewers and expect about 120 million to respond (using the 1:100 ratio).

We, as responsible IT reporters, talk about awareness to SPAM. But now I think it’s time for us to start pleading that you need to change your stance from an advocate, to a teacher. Turn your efforts into educating your parents, grandparents, friends, cousins and other people what SPAM, botnets and Malware really is and how to avoid it.

If we became a world with a 95% awareness to SPAM, we might just fight the ongoing problem. I just recorded a segment on my Podcast (Day in Tech History) for March 30th. I talked about how SPAM had creeped back up to where it was just before the MoColo server was taken down. That was noted on March 30th, 2009; 4 months after the server was raided.

Now, granted, 5% of non-aware people is still a big number. About 15 million in the US and 300 million worldwide. However, that number is more palatable than 61 million and 1.2 billion. I would like to believe in 5-10 years we could reach that number naturally. The only problem is that spammers are like everyone else – They learn from their drawbacks.

Sometimes I am impressed with some of the messages received. My curiosity sets in, so I want to take that message a little further. However, I do that in a controlled environment. Never on the production machine, where my email addresses could be mined. Never to a link that looks like it’s this:

ww.whatever.com?user=your@email.address&SSN=333333333&otherdata=whatever_we_can_think_of

(in those cases, I will remove the extra data). Never a short-link in the email (example: bit.ly/Tbd87jh) If I go to a page with any type of login – especially one that looks like a popular website such as Facebook or Twitter – I stop.

Curiosity may get my cat, but it shouldn’t get yours. That is, unless you take the same amount of precautions. Of course I also do it to make sure I can explain what you need to look out for.

Spam, botnets and Malware can be big business for those who utilize it. They prey on those who don’t know better. They make new tricks to take your hard earned money. The only way to really turn the tables now is to sit down with the kids like you are going to tell them the birds and bees, but in this case, it’s a discussion on how SPAM is bad.

Don’t forget to also sit down with Mom and Dad and have that same discussion.

Whenever I want to feel fearful and depressed I usually visit one of the news websites. Earthquakes, murder, war, theft, snoops, kidnappers, recession, depression, corruption, and all other sorts of horrible news. When I read the news sites I’m reminded of how unsafe the world is. Soon I tire of the bad news and move on to investigate the net for news on tech and design. Today Foxnews.com had the audacity to remind me that I am unsafe even on the web. The site highlighted the news from Microsoft that thousands of Hotmail passwords had been exposed. It scared me to death. I nearly jumped to my Hotmail account before I even finished the article. Reading on I discovered that Microsoft had deactivated all the affected accounts until true control could be restored. Why do I care? Hotmail only collects my spam from sites that demand an email address. Hotmail lets through all the other spam anyway! But I digress.

The point of all this is: we are never safe. Their is no safe haven in the world or the web.  Every company does it’s best and so must we.  Yet, sometimes problems may come. If we live with that understanding we can truly do our best to protect ourselves. When we react in panic there is not a clear path of thinking. So with this reminder of our web-identities fragility, what should we do? Let’s refresh four basic email and online account rules:

1. Always use a secure password. Your birthday, name spelled backwards, address, mothers name, dog’s name, middle name, favorite food, and initials hardly qualify. Use one of the many free random password generators on the web or if you insist on an easier to remember one then create a mixture of information that you can remember. For example and purely fictitious: !S1eP99t9 This could be a combination of the month and year you and your spouse were married. Now while I would only call this a basic password it sure beats “Fluffy”. Of course if you want your bank account to be protected by Fluffy, then more power to you.
2. Never use the same passwords for multiple accounts. For that matter don’t do what I did at the start and use the same password with just the last letter different! Why would you want someone to have a free-for-all with all your accounts? Use different passwords and find an open-source or free password vault. I personally love 1Password for the Mac.
3. Change your passwords periodically. I must admit it takes the misfortune of someone to remind me to do this.
4. Don’t use a public computer. Many public computers are not adequately protected against the installation of malicious password key logging applications. Just don’t log in on a public computer. Just say no. And certainly don’t buy something online with your credit card information! Browse the web on it, read the news, just don’t give any information.

I understand these are basic tips, but sometimes we just need to be reminded to stay alert and on guard.  Kind of like reminding our kids to wear their helmet when they ride a bike.  Resist the urge to become lazy online. I don’t want to read about you on Foxnews.com.

According to a recent study by the Messaging Anti-Abuse Working Group, subtitled “Of course, I never reply to spam – except sometimes,” we are clicking on spam more often than may be assumed.  According to the survey, half of the respondents clicked and/or replied to spam messages for the following reasons:

• Clicked on it by mistake: 17 percent
• Not sure why they did it: 13 percent
• Sent a note to complain about the spam: 13 percent
• Interested in the product or service: 12 percent
• Wanted to see what would happen: 6 percent

Further, the study states that 1 in 6 users actually responds to a spam message in some way, and up to half of those purchase a product or service offered in a spam email.

Doesn’t sound like a lot, but when you consider how many millions of spam emails go out every day (it is estimated that 85% of all email being sent is spam), that is a considerable number.  A spammer’s overhead is very very low; even a few sales will line a spammer’s pockets quite nicely.

I always wonder who it is who buys this stuff.  Besides – ahem – “male enhancement” products, I also see spam for hair growth, weight loss, and physical fitness products.  And there’s the millions of insurance offers, mortgage offers, and the Nigerian scams as well.  Is anyone really dumb enough to apply for a mortgage through an link in an unsolicited email message?

Obviously, someone is, or the spammers would have no reason to exist.  My husband is always looking at spam and clicking on things, “just for the fun of it,” he tells me.  I keep reminding him this is why I have to keep his computer so locked down, because at least 20% of those messages include links to either dangerous software, or to Internet sites that will infect your computer.  He seems unwilling to be trained, ergo, I’ve got him so throttled his computer can barely function.

I feel bad for those that don’t have a household techie that can take the sting out of spam-clicking.  Spammers are like drug dealers:  they would have no income if it weren’t for the fact that people were actually buying what they were selling!  When people stop responding to spam, the spam will go away.

I guess its my own fault for being called Matthew, but my email address (almost all of them) start with a letter that means I get more spam than those with other starting letters. Those letters are “A”, “M”, “S”, “R” and “P”. Email addresses that start with these letters on average have 40% of their incoming messages being spam.

The results of a study by the University of Cambridge and reported by the BBC looked at around 550 million emails going to a British ISP to determine what factors could attract spam and found the link to how the first letter of your address can affect your spam levels

The most popular letters for spammers were “A”, “M”, “S”, “R” and “P”. about 40% of all the messages arriving in the e-mail inboxes of accounts with addresses that had one of those characters as their first letter were junk. Much less popular were “Q”, “Z” and “Y”. For these cases, spam was running at about 20% or less.

Other factors were a bit more obvious, like having email addresses that are susceptible to dictionary attacks and having multiple addresses that are the same name at different domains. What annoys me about this study is that they were able to identify which messages where spam a lot better than my ISP. I might do well to change my name to Ziggy.

To follow up from Todd’s mention on the Podcast today, officials have found the Spam King: Edward Davidson, his wife and daughter in a murder-suicide. Apparently the Spam King and family were found 25 miles out of Denver in an SUV. All three were shot with indication that Edward pulled the trigger.

Here is where the story gets weird. There was a 7-8 month old boy that was also in the SUV and was unharmed. Also, Edward shot a Teenage girl who then ran for help. She was treated at the local hospital.

Davidson was serving 21 months in minimum security prison for sending email using hijacked computer networks.

It is a sad, tragic ending to this story. Nobody should take lives like that, whether it’s their own or somebody else’s. I am just speechless.

We all knew it, and now the Virginia Supreme Court has confirmed that spam does not count as protected free speech. Jeremy Jaynes, a prolific spammer sentenced to 9 years prison had appealed on constitutional grounds claiming that denying him the right to spam violated his 1st amendment rights. If this appeal had been granted it would have forced states to rethink their anti-spam laws.

Not that this will really mean much for the volume of spam on the Internet. The advent of the laws in the US simply meant the portion of spam that was being produced by American ‘business men’ moved to former Soviet and Asian countries. At least the control of the spam has. The origins of the actual messages are wherever there are people with bots on their systems. The dispersal of these closely matched to distribution of Internet users, unsurprisingly.

It disturbs me that I might say something positive about a spammer, but I must admit that I respect the ingenuity of this.  Reported by the BBC, spammers have invented a windows game that progressively displays more of an image if the player correctly decodes a distorted phrase.

The image is tuned to the male libido (of course) and the phrase to be decoded is a Captcha from a free email or comment entry window.  The Captcha is collected by an automated bot that tries to post or register at a protected site.  It sends the Captcha back to the player of the game and if the player correctly guesses it, they get to see more of the image and the bot gets past the protection.

From the report this system is not particularly prevalent at the moment, and hopefully the anti-virus vendors will treat this as a threat and block it, even though it poses no risk to the computer it is installed on.  It is yet another demonstration though that there is no protection that can stop human resourcefulness.  Shared access and protection are mutually exclusive.

The only way to stop spam is if we can find a way to stop it working.  If everyone just deleted it there would be no reason for it to exist.  It will be interesting to see if the increased IT literacy over time changes the efficacy of spam.

As many of you know that listen to my show you have been hearing me complain about the amount of Spam I have been getting. I have been looking all over the net for a solution and those that I found where either too expensive or they were made for people with small volumes of mail.

As I was talking to Angelo he and I decided to try a Google Service that has been around for a while in beta testing. We both have used Gmail quite a bit and I know it is as good or better than the Spam checker we have been running on our own servers. Up to this point we have been using Qmail with Spamd and several others utilities to filter the mail and scan for viruses.

I decided to take the plunge and applied for a couple of domains tonight and within about 20 minutes I had the mail moved over to Google and was down-loading it into outlook like I always do. I logged into the very familiar Gmail interface and instead of a Gmail.com domain I was not on my very own geeknewscentral.com domain.

So I have been watching the filtering here for a couple of hours, and can tell you so far I am very happy, the true test will come in the morning when I down-load my mail as normal, and then cross check on the Google site to see how much Spam it has caught that I have not had to deal with it. If it works out we are going to see if we can move over a few more domains.

What amazed me was how easy it was to setup, Google has done a really good job here, I am sure that some people would be very worried about having Google host their e-mail and I am not a 100% sure how I feel about it yet. One thing for sure,  I feel pretty good that none of it will go missing. [Google.com]

 In what I can only describe as sure stupidity on a judge’s part it seems that one of the organizations that keep a lot of Spam out of your inbox may be in trouble over a recent lawsuit. It seems after being sued by an accused spammer and then not showing up for the court case they lost by default.

Spamhaus is a volunteer group that is well respected but if this judge shuts them down it could spell big trouble for ISP’s worldwide that rely on them to curb the amount of Spam in your inbox. It’s really sad that apparent spammers have more rights to abuse people than those of us that are not abusing the Internet! [Techdirt] [Ambersail]

We have been using all of the regular stuff you use on ones own dedicated server but I will be honest the Junk mail is killing me. I have started to hunt for a solution out there that will help with the situations. What I would like to use is a service like JunkMailFilter.com but there site design is such I cannot even figure out how to sign up with them. Pretty sad when the site is not intuitive enough to figure out how to setup an account.

I also don’t care for how their pricing is tiered I will need more than a thousand inbounds a month but I need a lot less than there next level of service. If you have a good solution that you are using I really would like to here from you as I am about to get a solution that will help me deal with all the junk coming in.

I often ponder that exact question when I hit send. The majority of time I think the e-mail makes it but there have been times when e-mail just goes missing. Last night I sent out over a 100 invitations to podcasters I have been following online inviting them to to become content producers on the Podcaster News Network how many of those went missing is unknown but it can be scary.

Next week I send out over 500 e-mail to parties that have been clamoring for information about a new podcast site we are launching called Blubrry I am very concerned that some of those e-mails will just get sucked up and destroyed by Spam filters. But in the case of one company that was bidding on a school contract the school awarded a contract that cost them $250,000 more because a spam filter tagged a inquiry the school had sent out on the bid. Bad news for the contractor, bad news for the taxpayer and with both parties headed to court more money will be lost.

So just how much e-mail is your company loosing? [www.ajc.com]

In a very interesting turn of events Spammers are not happy about getting a taste of there own medicine and have started an essential war between one company that is fighting back against spammers. [Wired]

I did not realize this but apparently there is a fairly organized group of about 5000 people that pick a spammer site a day to go after. The results have been pretty good in a sense they are fighting fire with fire. Interesting read on the S*pam King Blog that tells of one spammer begging for them to stop. I think as Spam continues to rise we will see more people taking it upon themselves to go after these annoying scam artist sites. [S*pam King Blog]