Archive for June 2009

Spam through Sourceforge.net (Update)

Today something I thought impossible happened: I received spam at my username’s alias email address registered at sourceforge.net.

Fig. 1: A simple but effective spam

Sourceforge.net is the world’s largest open source software development web site. I have had an account there since I was a student and started working as a volunteer on an open source project. I still do, though not with the same intensity as before. Sourceforge is known for its very aggressive anti-spam measures. The SpamAssassin software at sourceforge.net correctly detected the email as spam, so why didn’t it stop it from being delivered?

Fig. 2: The mail is correctly flagged as spam.

The spam mail I saw this morning consists of just one line of text. The only things that allowed an anti-spam filter to detect the message as spam were that the link inside was blacklisted for hosting a spam website and that the IP address in the Received headers was already blacklisted.

So everything is fine, but why did I receive the email even though it was flagged correctly? The website does say something about the email aliases simply receiving whatever comes in: “Any email sent to a user’s mail alias is automatically passed to the email address that is on file for that account.”

Well, this is very nice – but very wrong. To test this, I sent an email from my work email account (domain avira.com), but it was immediately whitelisted because of the many security features our admins support (DKIM, signatures, reverse DNS, etc.). So it went through the filter.

I sent another email from a different email address with the well-known GTUBE test file attached. Now everything was different: the email was blocked and I immediately received a nice email making fun of me:

Fig. 3: Spam that is not automatically forwarded.

So why did all this happen if Sourceforge doesn’t automatically forward every email sent to the users’ aliases? I don’t know, but I will surely ask Sourceforge. I will blog again if I receive an answer from them. Oh, by the way, Avira Premium Security Suite also correctly marks this kind of email as spam.

Update:

After writing an email to Sourceforge Support, I received the answer below in less than an hour. I must say I was pleasantly surprised by such a fast response time, considering that Sourceforge provides all these services to programmers for free.

“At SourceForge, we do our best to prevent spam from reaching our users. However, it isn’t possible to prevent all spam from getting through, and you will occasionally see examples like the one you’ve provided. We are constantly updating our filters and anti-spam techniques, though, so you should see this problem resolve itself in the next day or so. If it persists, please let us know.

An additional step you can take is to filter based on the “X-VA-Spam-Flag: YES” header, which we apply to email we suspected of being spam. Finally, we recently added the ability to control what sorts of email you receive through your email alias; you can find this feature on your Account Options page.”

Sorin Mustaca
Manager International Software Development
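The filtering step suggested in the SourceForge reply, written out as an added example (this is not SourceForge’s code): it parses raw messages, files anything carrying the quoted X-VA-Spam-Flag header, and also recognises the GTUBE test string used in the post above. The relay host name and the sample messages are constructed.

```python
"""Added example (not SourceForge's code): file mail from a forwarding alias
on the upstream spam verdict, as the SourceForge reply suggests.

Assumptions: the header name X-VA-Spam-Flag is the one quoted in the reply;
the relay host name and the sample messages below are constructed.
"""
import email
from email import policy
from email.message import EmailMessage

# SpamAssassin's published test pattern (GTUBE); the post used it to provoke
# a block at SourceForge. Any filter that honours it must score it as spam.
GTUBE = "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X"

VERDICT_HEADER = "X-VA-Spam-Flag"

# A sender can add any header it likes, so the verdict is only honoured when
# the message really passed through the forwarding relay (constructed name).
TRUSTED_RELAY = "relay.forwarder.example"


def passed_through(msg: EmailMessage, relay: str) -> bool:
    """True if some Received: trace line names the given relay host."""
    return any(relay in str(line) for line in msg.get_all("Received", []))


def body_text(msg: EmailMessage) -> str:
    """Plain-text body of the message, or '' if there is none."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


def route(raw: str) -> str:
    """Return the folder a raw RFC 822 message should be filed in:
    'Junk'   - GTUBE present, or the trusted relay flagged it as spam
    'Review' - flagged, but the flag did not come through the trusted relay
    'INBOX'  - nothing suspicious in the upstream verdict"""
    msg = email.message_from_string(raw, policy=policy.default)
    if GTUBE in body_text(msg):
        return "Junk"
    if (msg.get(VERDICT_HEADER) or "").strip().upper() == "YES":
        return "Junk" if passed_through(msg, TRUSTED_RELAY) else "Review"
    return "INBOX"


# Constructed sample messages, one per branch of route().
FLAGGED_BY_RELAY = """\
Received: from mx.spammer.example by relay.forwarder.example; Mon, 1 Jun 2009 09:00:00 +0000
From: sales@spammer.example
To: alias@forwarder.example
Subject: one line of text
X-VA-Spam-Flag: YES
Content-Type: text/plain

http://shop.spammer.example/
"""

FORGED_FLAG = """\
Received: from mx.spammer.example by mail.elsewhere.example; Mon, 1 Jun 2009 09:00:00 +0000
From: sales@spammer.example
To: alias@forwarder.example
Subject: flag added by the sender, not by the relay
X-VA-Spam-Flag: YES
Content-Type: text/plain

http://shop.spammer.example/
"""

GTUBE_TEST = """\
From: me@othermail.example
To: alias@forwarder.example
Subject: GTUBE check
Content-Type: text/plain

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
"""

CLEAN = """\
From: colleague@work.example
To: alias@forwarder.example
Subject: lunch
Content-Type: text/plain

See you at noon.
"""

if __name__ == "__main__":
    samples = [("flagged", FLAGGED_BY_RELAY), ("forged", FORGED_FLAG),
               ("gtube", GTUBE_TEST), ("clean", CLEAN)]
    for name, raw in samples:
        print(f"{name:8s} -> {route(raw)}")
```

The relay check is deliberately simple: Received lines below the one added by your own receiving MTA can be forged just like any other header, so in practice only the topmost trace line, the one your own server wrote, should decide whether the verdict header is trusted.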

A Japanese scam with some twists

Everyone knows about the already classic “Advance Fee Fraud”, also known as the “Nigerian Scam” (http://en.wikipedia.org/wiki/Advance_fee_fraud). But not everybody has seen the Japanese version of this scam (Figure 1).

Fig. 1: The Japanese scam

This is a very fancy scam: we usually see the same old story about very rich men who were killed by the government and the poor relatives trying to get the money out of a third-world country with your help. But this one is different.

First of all, it thinks big. Very big… really, I have never seen such an idea before: “I made this money through a contract awarded to me by the ministry during the relocation of OSAKA AIRPORT”. And it gets even better: “I am not safe if I go back to Japan because I did not finish the contract”. So now the Osaka airport should be somewhere… on the road? This is really nice, isn’t it?

If you have a look at the main header, you see the From, Reply-To and Sender fields. The Sender field isn’t seen in emails very often because it is somehow in a gray area. According to RFC 822, this field should be used only when the person submitting the message to the network is different from the one shown in the “From” header field. Because of this, it should be authenticated, but what kind of authentication is not clear. Some mail clients expect that the email address used in this field can be used to reach the sender, others do not. Because of this uncertainty, most email clients prefer either to remove this field completely or to add a hidden header named “X-Sender” instead.

So, is our “Japanese contractor” using deprecated mass mailing software?
Note that there is no “To:” field. Of course, any decent anti-spam product will penalize this email when it detects something like this.

According to the other headers, the email is supposed to have been sent through Gmail. There are even DKIM headers and a new header called “X-Google-Sender-Auth”. Google doesn’t add something like this, though. All these indications show that the spammer used special software to send mass mailings through Gmail. It is really sad to see that Google doesn’t enforce a clear email sending policy on its servers.

But because of these twists in the email, I assume the spammers thought it wouldn’t be so bad to have an escape route. This is why the Reply-To address points to yahoo.com.hk (Yahoo! Hong Kong).

Unfortunately for the spammer, after all this trouble just to send the email, it makes the same mistakes that all advance fee fraud emails make: it uses known keywords like “million dollars” and “Att: My name is”; it avoids the formal form of address in the From text (“Mr. ”), but then uses an email address called mr.otoya22@gmail.com and the formal address in the Subject. These are further important hints that can help an automated spam detection system safely mark this email as a scam.

Avira Antispam detects this email with a “Very High” spam probability without even querying any Realtime Blacklists – no wonder, since we see so many spam indicators. As usual, Avira advises never to respond to such emails and never to trust people who promise huge amounts of money.

Sorin Mustaca
Manager International Software Development
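How the header anomalies described in this post can be turned into a spam score, as an added example (this is not Avira’s Antispam engine). The indicators are the ones named above: no To: field, a Sender: field, a Reply-To: on a different domain than From:, an honorific in the address, and known keywords. The weights, thresholds and both sample messages are constructed.

```python
"""Added example (not Avira's Antispam engine): score a message on the
header anomalies of an advance-fee-fraud mail.

Weights, thresholds and the two sample messages are constructed for
illustration; the indicators themselves are the ones discussed in the post.
"""
import email
from email import policy
from email.utils import parseaddr

KEYWORDS = ("million dollars", "my name is", "contract awarded")
HONORIFICS = ("mr.", "mrs.", "dr.")
WEIGHTS = {
    "no To field": 1.5,
    "Sender field present": 0.5,
    "Reply-To domain differs from From": 1.5,
    "honorific in address local part": 1.0,
}
KEYWORD_WEIGHT = 1.0


def _addr(header_value) -> str:
    """Bare lower-case address from a From/Sender/Reply-To header value."""
    return parseaddr(str(header_value or ""))[1].lower()


def _domain(address: str) -> str:
    return address.rpartition("@")[2]


def score_message(raw: str) -> dict:
    """Return {'score': float, 'indicators': [...], 'verdict': str}."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_addr = _addr(msg.get("From"))
    reply_to = _addr(msg.get("Reply-To"))
    indicators = []

    if msg.get("To") is None:
        indicators.append("no To field")
    if msg.get("Sender") is not None:
        indicators.append("Sender field present")
    if reply_to and _domain(reply_to) != _domain(from_addr):
        indicators.append("Reply-To domain differs from From")
    local_part = from_addr.partition("@")[0]
    if local_part.startswith(HONORIFICS):
        indicators.append("honorific in address local part")

    # Keywords are searched in the subject and the plain-text body together.
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    text = (str(msg.get("Subject", "")) + "\n" + body).lower()
    hits = [kw for kw in KEYWORDS if kw in text]

    score = sum(WEIGHTS[i] for i in indicators) + KEYWORD_WEIGHT * len(hits)
    indicators += [f"keyword: {kw}" for kw in hits]

    # Constructed thresholds, loosely mirroring the "Very High" label above.
    verdict = "Very High" if score >= 5 else "High" if score >= 3 else "Low"
    return {"score": score, "indicators": indicators, "verdict": verdict}


# Constructed sample: the header layout of the scam described in the post
# (addresses are placeholders, not the ones from the real mail).
SCAM = """\
From: Otoya <mr.otoya@webmail.example>
Sender: mr.otoya@webmail.example
Reply-To: otoya.escape@othermail.example
Subject: Mr. Otoya - Urgent
Content-Type: text/plain

Att: My name is Mr. Otoya. I made 25 million dollars through a contract awarded
to me by the ministry. Please reply to my private address.
"""

# Constructed sample of an ordinary message.
CLEAN = """\
From: Anna <anna@company.example>
To: Bob <bob@company.example>
Subject: Draft agenda
Content-Type: text/plain

Attached is the agenda for Thursday.
"""

if __name__ == "__main__":
    for name, raw in (("scam", SCAM), ("clean", CLEAN)):
        print(name, score_message(raw))
```

The Reply-To check is the one worth keeping even in a minimal filter: a scammer who sends through one provider but wants answers at another has to expose that second address in the headers, exactly as the post observes.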

Malware threats in the first half of 2009

When we predicted upcoming threats for 2009 at the end of last year, we promised to check whether our guesses were correct. Unfortunately, they were.

We predicted that the use of polymorphic file infectors would increase again. This came true: W32/Virut, W32/Sality and W32/Almanahe are celebrating a comeback. Their authors spread new variants of their polymorphism engines. It seems that even older versions of those polymorphic viruses are still widespread, but W32/Virut is releasing the most updates – several dozen in the first six months of the year. The good news is that our detection routines withstand these bypass attempts.

Spreading malware via manipulated PDF documents is still one of the top threats on the Internet. In recent months the number of exploit PDFs targeting vulnerabilities in PDF readers has increased significantly – in the first half of 2009 we received several thousand samples. Every week the malware authors spread around ten newly obfuscated exploits, each of which is then used in plenty of PDF files. We regularly release updates for newly modified PDF exploits when necessary. Users should update their PDF readers regularly anyway, as this mitigates most of the threats.

Web-borne malware is increasing further as an attack vector for infecting computers. Malware is more and more often installed via drive-by downloads, where the attackers break into web servers with legitimate content and add references to their malware servers. Those servers then install, for example, trojans and/or bots on the vulnerable computers. There seem to be plenty of construction toolkits out there with which anyone can produce malicious JavaScript with a mouse click: malware features like encryption, heap spraying and shellcode appear to be more modular and repeated across parts of the malicious web pages we analyzed.

Using a recent antivirus product will help protect against these threats. The WebGuard in our premium products additionally remedies web-borne malware distribution very efficiently.

Dirk Knop
Technical Editor

Opera Unite – Everybody is becoming a Web server

Browser developer Opera today introduced a new feature of its upcoming browser generation 10, code-named Opera Unite. Basically, Opera added a web server to the browser and offers a dynamic DNS service along with it. So everyone can provide content on the Internet from their own computer, and thanks to the dynamic DNS service under a fixed domain like http://<mycomputer1>.<myusername>.operaunite.com/.

This does sound great, and many people would like such a feature. Anyhow, I got scared when reading the news about it. Imagine other browser developers like Mozilla, Apple or Microsoft added such a feature, too! Everybody would be able to share documents publicly. And executable programs. But who makes sure that those aren’t infected or Trojans themselves?

Plenty of malware uses, for example, the shared folders of file-sharing programs to spread itself; there is no reason not to use a web server that is accessible to everyone with a web browser – and not just to users of a file-sharing program. The spreading mechanism can be very simple: users could get a mail or instant message with a (proper) link to the malware, or such a link could be placed on another web site.

One indicator for anti-malware programs can be a suspicious IP-only address where the executable file is located. Now the file can be served under a fully qualified domain name, disabling this indicator (http://a.b.operaunite.com/malware.exe looks less suspicious than http://143.145.23.45/malware.exe, even to the human eye). Before such a feature was added to the browser/server combination, something like fast-flux DNS was necessary to give infected computers a domain name. Additionally, a malware author no longer needs to code their own web server – just reconfigure the browser!

The idea of adding a web server to the browser sounds nice, but it has to be done correctly. Otherwise we might be facing a new dimension of drive-by downloads (or uploads) and hacked “servers” in the near future.

Dirk Knop
Technical Editor

Microsoft and Adobe ship Updates

As announced, Microsoft released 10 security bulletins with corresponding updates today. They fix 31 security vulnerabilities in the Windows operating systems, Internet Explorer and Office. Make sure to install them ASAP!

Adobe also had its first patch day and fixes 13 critical errors (and some undocumented flaws) in Reader and Acrobat. They recommend updating to Adobe Reader 9.1.2, 8.1.6 or 7.1.3, depending on which Reader branch you need to use. Links for downloading the updates are provided in the security bulletin. These updated versions should be installed as soon as possible, too!

Dirk Knop
Technical Editor

Microsoft announces 10 security bulletins

Microsoft today announced that it plans to publish 10 security bulletins on the upcoming Patch Tuesday. 6 bulletins deal with Windows operating system flaws – 2 of them are considered critical. For Microsoft Office, Word and Excel the company wants to release 3 security bulletins with a critical rating. The updates also close a security vulnerability in Office for Mac which was already fixed in the Windows versions last month. Another bulletin has updates attached for Internet Explorer.

A patch for the recently discovered DirectX vulnerability, which is already being actively exploited in the wild, is still missing, though. On Microsoft’s Security Response Center Blog they explain that the patch does not yet have the quality needed for shipping. Fortunately, the “Fix it for me” buttons in Microsoft’s Knowledge Base article finally work and deliver an MSI installer package. Until a patch is provided, users should apply this hotfix.

Dirk Knop
Technical Editor

World of Warcraft Phishing

A new wave of phishing messages targeting World of Warcraft players has appeared these days. The messages follow the same pattern: the “From” field is spoofed (trying to make the user believe that the message comes from Blizzard) and the body of the message talks about the user’s account being under investigation and suspended. The messages also say that all this happened because the user supposedly violated the Terms of Service or the Blizzard EULA.

Fig. 1: Phishing mails for World of Warcraft accounts

The user is asked to fill out an online form to verify that she is the legitimate owner of the account. Of course, the online form is on a fake, rogue website that has no connection with Blizzard whatsoever (http://battlenet.account-verification.***.rehash.net/). This makes it fairly easy to spot that the message is a scam.

The message is well conceived; it starts with “Greetings”, as many legitimate messages from Blizzard do. Unlike many other phishing messages, its content is also grammatically correct and without spelling mistakes. Maybe the phishers finally managed to find someone who can write correctly?

Vlad Dinulescu
Software Engineer (International)
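The URL indicators from two of the posts above (the IP-only versus fully qualified host names from the Opera Unite post, and the brand name buried in a subdomain from this phishing post), as one added example that is not code from Opera, Blizzard or Avira. operaunite.com comes from the post; the other hosting suffixes and the sample phishing host are constructed placeholders, and the registrable-domain logic is a deliberate approximation.

```python
"""Added example (not code from Opera, Blizzard or Avira): URL triage for
the indicators discussed in the Opera Unite and World of Warcraft posts.

Checks: a bare IP-literal host; a host under a suffix where end users get
fully qualified names (operaunite.com from the post, the rest constructed);
an executable download path; and a brand token in the host whose registrable
domain is not one of the brand's own.
"""
import ipaddress
from typing import List
from urllib.parse import urlsplit

USER_HOSTING_SUFFIXES = ("operaunite.com", "dyn.example", "free-host.example")
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".bat", ".com")
# Brand tokens and the domains the brand really uses (Blizzard's own domains).
BRANDS = {
    "battlenet": ("battle.net", "blizzard.com"),
    "blizzard": ("battle.net", "blizzard.com"),
}


def is_ip_literal(host: str) -> bool:
    """True for an IPv4 or IPv6 address used directly as the host."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable_domain(host: str) -> str:
    """Approximation: the last two labels. A real filter would consult the
    Public Suffix List so that names like example.co.uk are handled right."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def triage(url: str) -> List[str]:
    """Return the indicators found in a URL (an empty list means none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings: List[str] = []

    if is_ip_literal(host):
        findings.append("ip-literal host")
    elif any(host == s or host.endswith("." + s) for s in USER_HOSTING_SUFFIXES):
        # The FQDN defeats the IP-only heuristic; the suffix list restores it.
        findings.append("user-hosted name")

    if parts.path.lower().endswith(EXECUTABLE_EXT):
        findings.append("executable download")

    # A host like battlenet.account-verification.<other domain> carries the
    # brand in a subdomain while the registrable domain is someone else's.
    squashed = host.replace("-", "").replace(".", "")
    reg = registrable_domain(host)
    for brand, own_domains in BRANDS.items():
        if brand in squashed and reg not in own_domains:
            findings.append(f"brand '{brand}' outside its own domain")
    return findings


# Sample URLs: the first two are taken from the Opera Unite post, the third
# is a constructed stand-in for the phishing form, the fourth is legitimate.
SAMPLES = (
    "http://143.145.23.45/malware.exe",
    "http://a.b.operaunite.com/malware.exe",
    "http://battlenet.account-verification.free-host.example/",
    "https://us.battle.net/account/",
)

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", triage(url) or ["no indicators"])
```

The brand check is only as good as its list of legitimate domains, so a deployed filter would treat the `BRANDS` table as a maintained allowlist rather than a constant.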