Friday, December 31, 2004

Fighting Spam

Spam is out of control and there is little that can be done.

Changing your email address, and then not using your primary address for buying things on the web, posting information to websites, or listing it in text form on your own or any other web site, eliminates almost all spam. List the address on your web site as an image instead. You can check where on the web it may be listed by doing a Google search on your email address.

If you are still using your old email address and that address is receiving all the spam, you can set up a rule with the Outlook Rules Wizard to route that email into a separate folder that you can call Spam. That keeps the inbox clean and makes it easier to review the spam and delete it. Note: I didn’t say stop it…

When you receive spam, the best things to do are: do not respond to it, and do not preview or open it. Previewing it lets the spammer know that yours is a valid address. Hidden inside the spam are images that point back to the spammer’s server and carry your email address, so loading them tells the spammer that you opened or previewed the message.
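As an added illustration of the hidden-image mechanism described above (this is example code written for this page, not code from the original post), the following Python finds the remote images in an HTML message body, flags the ones that behave like tracking pixels, and blanks their sources so that rendering the mail makes no outbound request. The sample message, the tracker host name and the pixel heuristics are all constructed for the demo.

```python
"""Find and neutralize remote tracking images in an HTML email body.

Added example, not code from the original post. The sample message, the
tracker host and the pixel heuristics are constructed for the demo.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit


class RemoteImageFinder(HTMLParser):
    """Collect the attributes of every <img> whose src is fetched over HTTP(S)."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        if urlsplit(a.get("src", "")).scheme in ("http", "https"):
            self.images.append(a)


def remote_images(html):
    """Return the attribute dicts of all remotely loaded <img> tags."""
    parser = RemoteImageFinder()
    parser.feed(html)
    return parser.images


def is_tracking_pixel(attrs):
    """Flag an image that is invisibly small or whose URL carries an e-mail
    address in the query string. Either is enough: the fetch itself is the
    signal the sender is after."""
    width = attrs.get("width", "").strip()
    height = attrs.get("height", "").strip()
    tiny = width in ("0", "1") and height in ("0", "1")
    query = parse_qs(urlsplit(attrs.get("src", "")).query)  # decodes %40 to @
    carries_address = any("@" in v for values in query.values() for v in values)
    return tiny or carries_address


# Matches src="http..." or src='http...' inside an <img> tag.
IMG_SRC_RE = re.compile(r'(<img\b[^>]*?\bsrc=)(["\'])https?://[^"\']*\2', re.IGNORECASE)


def neutralize_remote_images(html):
    """Blank every remote <img src> so rendering makes no outbound request.
    This is what a mail client's "block remote content" setting does;
    inline cid: attachments are left untouched."""
    return IMG_SRC_RE.sub(r"\1\2\2", html)


# Constructed sample message: one tracking pixel, one inline logo, one banner.
SAMPLE_HTML = """<html><body>
<p>Dear customer, see our offer!</p>
<img src="http://tracker.example/open.gif?u=alice%40example.com" width="1" height="1">
<img src="cid:logo.png" width="200" height="60">
<img src="https://cdn.example/banner.jpg" width="468" height="60">
</body></html>"""


def audit(html):
    """Summarize a message: remote image count, tracking-pixel URLs, cleaned body."""
    images = remote_images(html)
    pixels = [img["src"] for img in images if is_tracking_pixel(img)]
    return len(images), pixels, neutralize_remote_images(html)


if __name__ == "__main__":
    count, pixels, cleaned = audit(SAMPLE_HTML)
    print(f"{count} remote image(s), {len(pixels)} look like tracking pixels:")
    for src in pixels:
        print("  ", src)
    print(cleaned)
```

Blocking remote content in the mail client gives the same protection as never previewing the message; the audit above simply makes visible what the client would otherwise fetch silently.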

These evil spammers do send all kinds of graphic, sick adult related material, and right now there is little that technology or the legal system can do about it.

There are some countermeasures that I can take on your server to turn up the heat and reduce some illegitimate spam spoofing, such as a reverse lookup on the sender before accepting the email. However, this will deny email from companies that do not have their email systems configured correctly, or whose ISP does not have its DNS servers configured correctly. It is estimated that 35%+ of systems are not configured correctly, hence the reason it is off by default.

Turning it on will result in a partial reduction in spam, but it will deny some legitimate email, which leads to additional costs for our time to investigate why a sender cannot send you email as we track down where the issue is. I do this research all the time and it takes a little time, but it takes more time coordinating with the sender’s ISP to correct their DNS configs so they are not spoofed by spammers.
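The reverse-lookup check described above is usually done as forward-confirmed reverse DNS: the connecting address must have a PTR record, and the name in that record must resolve back to the same address. As an added example (not code from the original post or from any mail server product), the Python below implements that gate with an injectable resolver so it runs offline against a constructed DNS table; the host names and documentation-range addresses are made up, and the `system_ptr`/`system_a` helpers show how the same check would use the host’s real resolver. The allowlist parameter is the manual escape hatch for legitimate senders with broken DNS, which is exactly the investigation cost the post warns about.

```python
"""Reverse-lookup gate for an inbound SMTP connection (forward-confirmed reverse DNS).

Added example, not code from the original post. The resolver is injectable so
the demo runs offline against a constructed DNS table; system_ptr/system_a use
the host's resolver for real use.
"""
import socket
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample DNS data (hypothetical names, documentation-range addresses).
SAMPLE_PTR = {
    "203.0.113.10": "mail.example.net",            # correctly configured sender
    "203.0.113.20": "smtp.misconfigured.example",  # PTR exists, forward record disagrees
    # 198.51.100.5 has no PTR record at all
}
SAMPLE_A = {
    "mail.example.net": ["203.0.113.10"],
    "smtp.misconfigured.example": ["203.0.113.99"],  # points somewhere else
}


def sample_ptr(ip: str) -> Optional[str]:
    """Offline PTR lookup against the constructed table."""
    return SAMPLE_PTR.get(ip)


def sample_a(name: str) -> List[str]:
    """Offline forward lookup against the constructed table."""
    return SAMPLE_A.get(name, [])


def system_ptr(ip: str) -> Optional[str]:
    """PTR lookup through the host resolver; None when the record is missing."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def system_a(name: str) -> List[str]:
    """All addresses the name resolves to; empty when it does not resolve."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


@dataclass
class Verdict:
    accept: bool
    reason: str


def fcrdns_check(ip, ptr_lookup, a_lookup, allowlist=frozenset()) -> Verdict:
    """Accept the connecting IP only if it has a PTR record whose name resolves
    back to the same IP. The allowlist is the operator's override for known
    senders whose ISP has broken DNS, which is where the manual effort goes."""
    if ip in allowlist:
        return Verdict(True, "allowlisted despite DNS state")
    name = ptr_lookup(ip)
    if name is None:
        return Verdict(False, "no PTR record for connecting IP")
    if ip not in a_lookup(name):
        return Verdict(False, f"PTR name {name} does not resolve back to {ip}")
    return Verdict(True, f"forward-confirmed as {name}")


def demo():
    """Run the three constructed cases against the sample table."""
    return {ip: fcrdns_check(ip, sample_ptr, sample_a)
            for ip in ("203.0.113.10", "203.0.113.20", "198.51.100.5")}


if __name__ == "__main__":
    for ip, verdict in demo().items():
        print(ip, "ACCEPT" if verdict.accept else "REJECT", "-", verdict.reason)
```

Only the first constructed sender passes; the second is rejected even though it has a PTR record, which is the "correctly configured" requirement in practice, and the third has no reverse record at all. The second case is the one that generates support tickets from legitimate senders.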

Another option is having multiple email addresses, using certain addresses for certain functions. Since you own your own email server, you have an unlimited number of email address variations that you can use. Having multiple addresses allows you to track and route inbound email.

A company called GFI has several products worth using. Their Mail Essentials is a great Bayesian anti-spam product. Using it along with their Mail Security will help curb virus bombardments as well as evil email. I really like these products.

$500 Mac!!! for Everyone?

If the story reported by CNN is true, that Apple will be selling iMacs for about $500 in 2005, I think there will be a lot of people switching over to the Mac. Price has always been an issue with switching to a Mac for many users. For the same money or less the buyer could get a Windows computer that had more horsepower and cheaper accessories. A $500 Mac would put a halt to that mindset and give Windows PCs a run for their money.

I am not a Mac user now, but at $500 I would buy a Mac.

Thursday, December 30, 2004

Anti-Spam Detection Algorithms

There are two basic types of spam detection algorithms: heuristic and Bayesian.

A heuristic filter is a fixed algorithm that guesses whether an email is spam. It cannot be updated, so once a heuristic algorithm is defeated it becomes worthless at detecting spam.

A Bayesian filter has to learn over time what is spam and what is not, but it is adaptable and updatable. Spammers are constantly changing the way they send spam, such as writing v1agr@. They have 1,000’s of new ways to try to get around detection.

Hotmail is a good example. They deployed a new heuristic spam filter that completely stopped all the junk from getting into my inbox. Well, that lasted for about 2 months. Now I still don’t get the old junk mail, but because a spammer has figured out how to defeat it, I am getting 30 identical spam emails a day on that account.

Bayesian filtering is better, as it allows you to adapt as the spammers adapt.
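To make the heuristic-versus-Bayesian point concrete, here is an added example (written for this page, not code from the original post or from any product named in it) that puts a fixed keyword filter beside a small naive Bayes filter. The training messages, the keyword list, the thresholds and the obfuscated "v1agr@" samples are all constructed. The obfuscated message slips past the keyword list and, with nothing learned about it yet, the Bayesian filter is undecided too; after the user reports two such messages as spam, the Bayesian filter catches the next variant while the keyword list still cannot.

```python
"""Fixed heuristic keyword filter beside a trainable naive Bayes filter.

Added example, not code from the original post. Training messages, the
keyword list and the thresholds are all constructed for the demo.
"""
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9@$!]+")


def tokenize(text):
    """Lower-case word set; digits and symbols kept so v1agr@ is its own token."""
    return set(TOKEN_RE.findall(text.lower()))


# Heuristic filter: a hand-written list that ships with the product and is never updated.
HEURISTIC_WORDS = {"viagra", "free", "winner", "click", "prize"}


def heuristic_is_spam(text, min_hits=2):
    """Spam if at least min_hits keywords appear. Defeated by any spelling it lacks."""
    return len(tokenize(text) & HEURISTIC_WORDS) >= min_hits


class BayesianFilter:
    """Per-token presence model with Laplace smoothing; unseen tokens are ignored."""

    def __init__(self):
        self.spam_docs = 0
        self.ham_docs = 0
        self.spam_tokens = Counter()
        self.ham_tokens = Counter()

    def train(self, text, is_spam):
        """Count each token once per message for the given class."""
        toks = tokenize(text)
        if is_spam:
            self.spam_docs += 1
            self.spam_tokens.update(toks)
        else:
            self.ham_docs += 1
            self.ham_tokens.update(toks)

    def spam_probability(self, text):
        """P(spam | tokens) computed in log space to avoid underflow."""
        if self.spam_docs == 0 or self.ham_docs == 0:
            raise ValueError("need at least one spam and one ham example")
        total = self.spam_docs + self.ham_docs
        log_spam = math.log(self.spam_docs / total)
        log_ham = math.log(self.ham_docs / total)
        seen = set(self.spam_tokens) | set(self.ham_tokens)
        for tok in tokenize(text):
            if tok not in seen:
                continue  # a never-seen token carries no evidence either way
            log_spam += math.log((self.spam_tokens[tok] + 1) / (self.spam_docs + 2))
            log_ham += math.log((self.ham_tokens[tok] + 1) / (self.ham_docs + 2))
        m = max(log_spam, log_ham)
        p_spam, p_ham = math.exp(log_spam - m), math.exp(log_ham - m)
        return p_spam / (p_spam + p_ham)

    def is_spam(self, text, threshold=0.9):
        return self.spam_probability(text) > threshold


# Constructed training corpus.
SPAM = [
    "buy viagra now free shipping click here",
    "you are a winner click to claim your free prize",
    "cheap viagra free trial click",
]
HAM = [
    "meeting moved to friday please confirm",
    "attached is the quarterly report for review",
    "lunch on friday? let me know",
]
# Constructed obfuscated spam that a user later reports as spam.
REPORTED_SPAM = [
    "v1agr@ cl1ck sh1pping tr1al",
    "cheap v1agr@ order sh1pping now",
]


def train_baseline():
    """A Bayesian filter trained on the constructed corpus only."""
    f = BayesianFilter()
    for m in SPAM:
        f.train(m, True)
    for m in HAM:
        f.train(m, False)
    return f


def demo():
    """(heuristic verdict, Bayesian verdict) before and after the user reports spam."""
    f = train_baseline()
    plain, obfuscated, variant = "viagra free click today", REPORTED_SPAM[0], "cheap v1agr@ sh1pping deal"
    out = {"plain": (heuristic_is_spam(plain), f.is_spam(plain)),
           "obfuscated_before": (heuristic_is_spam(obfuscated), f.is_spam(obfuscated))}
    for m in REPORTED_SPAM:
        f.train(m, True)  # the user's "this is spam" button
    out["variant_after"] = (heuristic_is_spam(variant), f.is_spam(variant))
    return out


if __name__ == "__main__":
    for case, (heur, bayes) in demo().items():
        print(f"{case:18} heuristic={'spam' if heur else 'ok':4} bayesian={'spam' if bayes else 'ok'}")
```

The adaptation happens entirely through `train()`: no code changes, just more labelled mail. That is the practical difference the post describes, since the heuristic list can only be changed by whoever ships the product.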

Wednesday, December 29, 2004

Geek Cruises


Are you looking for an education vacation? Check out Geek Cruises. They have digital photography, Mac Mania, iPod, Linux, Perl, Web and Windows cruises. The next cruise is on the Queen Mary 2, the largest cruise ship, at three times the size of the Titanic.

Geek Cruises--computer education for geeks & consumers

Spies Among Us


1. Identifying the problem.

This past weekend, while troubleshooting several customer computers, a horrible discovery was made that has dealt a severe blow to the war on spyware. Utilizing the three alternatives from our paper together, it has been determined that they are still not enough to combat spyware, due to recent deployments and the changing landscape of anti-spyware software. The latest versions of anti-spyware software no longer detect and remove certain well known and notorious spyware applications. In fact, not only do they no longer detect key spyware, all references to the known spyware have been removed from the anti-spyware vendors’ websites. Commercial and freeware anti-spyware has become completely useless in the war on spyware, and there is a tremendous loss of trustworthiness in these products. We now have to seek new ways to combat the epidemic menace that is plaguing everyone’s computers.

Spyware is technical slang for adware. Adware is software that phones home and reports the actions of the user of the computer where it is installed. Adware attempts to deliver targeted advertising based upon what the user is currently doing. Adware is called spyware because of its monitoring behavior and its methods of collecting data. Spyware is typically software that is free and is supported by advertising. However, a number of companies have taken this concept beyond simple ad placement. Some spyware tracks the user: what applications they use, documents they write, web sites they visit, products they buy, credit card numbers, user names and passwords; it parses the user’s address book and monitors overall computer usage. The spyware companies claim that this is done in order to deliver targeted advertising to the user.


2. Defining the criteria, goals, and objectives.

A computer user should be able to surf the internet and do personal computing without the hassle of ads constantly popping up trying to get you to buy Viagra. Today’s computer operating systems are really stable compared to years past, with the constant crashing of Windows 98. With operating systems such as Windows XP being more stable than ever, this has allowed the rapid propagation of malicious software. This software is often poorly written and unstable, degrades system performance and causes systems to crash or reboot.

The objective and goals are to allow users to enjoy the stability of their operating systems and be more productive in their work. The criterion is to completely prevent malicious software from gaining access to the computer and deny it the opportunity to conduct its evil business.

Since desktop based anti-spyware has become less effective in the war against spyware, alternative means must be identified, tested and deployed along with the other methods of spyware prevention as a total combined solution.


3. Evaluating the effects of the problem.

Spyware is not only an unwanted invasion of your personal privacy, but can damage and destroy personal data. For example, during the routine maintenance of a computer, one of my techs was asked to uninstall some old junk software. The tech did as she was asked to do and rebooted the computer. The computer attempted to reboot, but was hung in a continuous reboot cycle and failed to start in any mode: normal mode, safe mode or advanced recovery mode. As a result the tech was left with no choice but to reload the computer from scratch, as that was the fastest and most economical way to recover from the problem. It was later determined that the computer was infected with spyware called “Blazefind”, which is known to cause this very problem, as it was not written with the forethought that a user might uninstall certain software. As a result the spyware caused the continuous reboot, because it could not find the dependent program that it had attached itself to as a parasite.

Spyware also degrades system performance to the point where the user is left waiting for programs to load and run on an otherwise lightning fast computer with the latest and greatest hardware.

The direct results are a loss in user productivity and system stability. This increases labor cost, support costs and an immeasurable amount of loss in intellectual property and trade secrets.


4. Identifying causes of the problem.

The current issue of trusted anti-spyware software not detecting known spyware is being caused by the anti-spyware vendors themselves. Through much testing I have determined that the anti-spyware companies have silently removed from their applications the ability to detect and remove known spyware from a user’s computer. Also, all references to the spyware have been removed from their web sites and can only be found by searching Google.com’s cached copies of the pages. Desktop anti-spyware applications such as Ad-Aware, Spybot, Webroot, and Pest Patrol no longer detect the following top 5 spyware applications that we tested in our labs:

· GAIN also known as Gator and Claria http://www.gator.com/
· Hotbar http://www.hotbar.com/
· New.Net http://www.new.net/
· MySearch http://www.mysearch.com/
· SaveNow http://www.whenu.com/


In some cases, such as SaveNow, the spyware promotes itself as spyware free and champions the cause of fighting spyware, when in fact it is the very evil it declares it is not. Ad-aware has a web page that defines what it declares to be spyware at its Threat Assessment Center (TAC): http://www.lavasoftnews.com/ms/tac_main.shtml.


Out of curiosity, in our labs we decided to test whether the notoriously well known spyware listed above actually met the TAC criteria, on the chance that the new versions of the software listed above might have stopped their old spyware ways.

We used third party network packet monitoring tools, SPY++ (a Microsoft utility) to monitor inter-program communications, and a process monitoring utility to monitor hidden processes. This process monitoring tool was developed by one of the anti-spyware companies for exactly this type of use on the local desktop: monitoring for spyware-like activities and communications. The results showed no change in spyware behavior for any of the listed applications according to the guidelines set by Ad-aware’s TAC.

When I spoke with my attorney about the matter, he concluded that it could be that the anti-spyware companies, which are for profit, were legally pressured by the spyware companies to have their products removed from the anti-spyware blacklists. This is a big blow to the war on spyware.


5. Framing alternatives.

Since we are losing the battle against spyware, with desktop anti-spyware software no longer detecting and removing known spyware, it is imperative that we find other means to combat the problem.

To recap, the three solutions from my learning team paper were stronger server based security policies deployed to the user’s desktop, desktop based anti-spyware, and end user education on spyware awareness. These three methods were recommended to be used together as a single solution. However, one of the alternatives has been dramatically weakened and has become less effective. Other alternatives need to be implemented to strengthen the barriers to spyware infection.

Alternative A: We can do nothing, keep doing things the same old way, and continue to trust the anti-spyware companies, as they should know what is and is not spyware. However, we proved in our lab that the spyware no longer being detected is still behaving like spyware.

Alternative B: We could develop our own anti-spyware software to detect software that we do not want our users to download and install. The estimated budget for a project like that would be somewhere between $100,000 and $500,000 in development costs, with no guarantee that it will work or be stable. Venture capital would be required in order to begin development, and the development cycle may be years away from producing something ready for use.

Alternative C: We could seek other methods to stop spyware, such as using a gateway server that can filter web content. A web content filtering server has a database that can be updated manually as well as by subscribing to a service bureau for automatic updates. Most web content filter server applications are used to prevent users from going to adult websites such as porn sites. They could easily be adapted and updated to block known spyware websites such as http://www.hotbar.com/, so the user never reaches the spyware application’s website. No desktop changes have to be made, and most companies only have one entry point onto the internet.


6. Evaluating the impacts of the alternatives.

Alternative A: Doing nothing is not a good solution. The spyware problem is getting worse, and not having the proper tools to fight its propagation will greatly impact a company’s bottom line.

Alternative B: The expense is too great, and it would take too long to develop and deploy a custom software solution. There is no guarantee that it will work and no guarantee of a return on investment. In the meantime the companies will continue to lose productivity, and the labor and support costs could double the price of developing the anti-spyware application ourselves.

Alternative C: Using existing security software applications and adapting them to fight a new problem will be a more cost effective solution, and the return on investment is an immediate reduction in lost productivity and a reduction in labor and support costs. This solution is easy to deploy and will pay for itself in a short period of time. The only negative impact would be the inadvertent blocking of legitimate web sites. This is easily overcome by approving the needed web site in the security database.
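The gateway filter of Alternative C, together with the false-positive override just described, comes down to a small decision procedure. The Python below is an added example for this page (not code from any content filtering product) showing that procedure: a category-tagged blocklist matched on the host and its parent domains, an approved-sites list that wins over the blocklist, and a pass over constructed proxy log lines that counts blocked requests per client. The five spyware domains are the ones listed earlier in the post; the adult-category entry, the approved partner site, the client addresses and the log lines are constructed. The per-client count is the check a practitioner would add: because the gateway is the single entry point, desktops that repeatedly hit blocked spyware domains are already infected and still phoning home, so they need cleaning rather than just blocking.

```python
"""Gateway web filter decision with blocklist, approved-site override and
phone-home detection from proxy logs.

Added example, not code from the original post or any filtering product.
The adult entry, the approved site and the log lines are constructed.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Blocklist keyed by registrable domain; the first five are named in the post.
BLOCKED_DOMAINS = {
    "gator.com": "spyware",
    "hotbar.com": "spyware",
    "new.net": "spyware",
    "mysearch.com": "spyware",
    "whenu.com": "spyware",
    "adult.example": "adult",  # hypothetical entry for the filter's original purpose
}
# Sites the administrator approved after a complaint of inadvertent blocking.
APPROVED_SITES = {"partner.example.com"}  # constructed


@dataclass
class Decision:
    action: str    # "allow" or "block"
    category: str  # category of the list entry that decided, or ""
    matched: str   # the list entry that decided, or ""


def hostname(url):
    """Lower-cased host with port removed; '' when the URL has no host."""
    host = urlsplit(url).hostname
    return host.rstrip(".") if host else ""


def domain_match(host, entries):
    """Return the entry covering host: exact, or a parent domain
    (www.hotbar.com matches hotbar.com; notnew.net does not match new.net)."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in entries:
            return candidate
    return None


def decide(url, blocked=BLOCKED_DOMAINS, approved=APPROVED_SITES):
    """Approved sites win, then the blocklist, then default allow."""
    host = hostname(url)
    if not host:
        return Decision("block", "invalid", "")  # fail closed on unparsable requests
    ok = domain_match(host, approved)
    if ok:
        return Decision("allow", "approved", ok)
    bad = domain_match(host, blocked)
    if bad:
        return Decision("block", blocked[bad], bad)
    return Decision("allow", "", "")


# Constructed proxy log lines in the form "<client_ip> <url>".
SAMPLE_LOG = """\
10.0.0.12 http://www.hotbar.com/install/toolbar.exe
10.0.0.12 http://www.example.org/news
10.0.0.31 http://gator.com/update?id=1
10.0.0.12 https://mysearch.com/bar/ping
10.0.0.44 https://partner.example.com/login
"""


def phoning_home(log_text, blocked=BLOCKED_DOMAINS, approved=APPROVED_SITES):
    """Count blocked requests per client. A desktop that keeps hitting
    spyware domains through the gateway is already infected."""
    counts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, url = line.split(None, 1)
        if decide(url, blocked, approved).action == "block":
            counts[client] = counts.get(client, 0) + 1
    return counts


if __name__ == "__main__":
    for url in ("http://www.hotbar.com/install/toolbar.exe", "https://partner.example.com/login"):
        print(url, "->", decide(url))
    print("clients phoning home:", phoning_home(SAMPLE_LOG))
```

Matching on parent domains is what lets one blocklist entry cover every host a vendor uses, and checking the approved list first is what makes the false-positive fix a one-line change in the database rather than an exception scattered through the rules.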


7. Making the decision.

Alternative C, to utilize and adapt existing security software, is the most cost effective, manageable and trustworthy technical solution for replacing the failing desktop anti-spyware software. The effort to find, test and deploy this new security software should begin immediately.


8. Implementing the decision.

Once a software package has been decided upon, all customers will be notified of the new option to fight the war on spyware. Once approved by the customer, it will be scheduled, installed, tested and maintained by our techs.


9. Measuring the impacts.

The measurement of success is easy, as there will be an immediate reduction in lost productivity and a reduction in labor and support costs. Additional success will be less user frustration, peace of mind, secure and protected environments and a better bottom line. This success will ensure that there are no spies among us.