Boxbe Blog

The Associated Press is warning email users yesterday to be wary of coupons that they have received via email.

Instead of money saving deals, e-mailed coupons could lead recipients into “phishing” schemes where the consumer is redirected to a copycat site, whose real purpose is to siphon the user’s credit card information, passwords and other financial data, IBM Corp. security executive Christopher Rouland warned.

If you are a Boxbe member and have approved email from say Amazon.com, messages from a an address that claims to be from Amazon, but really aren’t, won’t make it through to your inbox.

Boxbe uses two email authentication methods (DKIM and SPF) to verify that the emailer is who they claim to be. DKIM and SPF are two email authentication standards backed by Google, Microsoft, Yahoo!, and AOL. Boxbe blocks messages that come from senders who claim to be someone that they are not

Be safe out there this holiday season and let us worry about your email.
Read

image from Flickr user skrewtape.

It’s been a while since we’ve posted any news about other places here on the blog, but that doesn’t mean we haven’t been watching. Here’s the latest and greatest from the world of email.

Happy 10th Birthday, Yahoo! Mail
We’ve had a great time working with the team down in Sunnyvale on the new Yahoo! Mail application and wish them the best on this momentous occasion. Congrats!

Yahoo Mail to block fake eBay and PayPal e-mail - CNET News.com
Good news for eBay and Paypal users, Yahoo! will be blocking spoofed emails from senders claiming to be Paypal and eBay. We have to applaud Yahoo! for taking steps to curb these phishing emails.

Mac e-mail showdown: Which program delivers? - Computerworld
Looking to switch email apps on the Mac? Or maybe coming from the PC world and wanted to know what your Mac options are? Computerworld takes a look at Mail.app, Thunderbird and Microsoft Entourage desktop mail applications for OSX.

Techies take on spam zombies -San Francisco Chronicle
“Computer scientists in Menlo Park are releasing a free diagnostic program today to help network administrators find PCs infected with an insidious new type of virus that has already tainted millions of computers.” Strangely, SFGate doesn’t link directly to the software page, but if you want to check it out, go to the BotHunter Free Internet Distribution Page.

Ever wonder where spam, viruses and malware come from? Apparently, it comes from the mob.

Tony Soprano, spammer?

Auckland, New Zealand based computer security expert, Peter Gutmann has an informative presentation on the subject here. Malware, it seems, has become quite an industry and Gutmann posits that much of it is being ran by various mafias around the world.

Organized crime recruit so-called “script kiddies” that are writing malware and viruses for fun and pay them to turn their software into money making machines. Gutmann cites a number of internet business practices that have been employed by such as “Malware as a Service,” making it easier than ever to spam people.

A deal you can’t refuse

Gutman, the self proclaimed “professional paranoid,” goes into a high level of detail of exactly how people in the malware industry make money.

Here are a few examples:

• $1 per credit card numbers down to the verification number
• $40 credit card, with date of birth and social security number
• $1000 for 10,000 compromised computers.

Additionally, he takes a technical deep dive into how malware authors hide what they are doing.

If you are an aspiring spammer or virus maker, this is must read. For everyone else, read the end of the document about how to keep yourself safe.

Peter Gutmann
Economics of Malware pdf
[via Metafilter]

McAfee released an interesting report this week about the mind games that spammers play on people and as eWeek called it, why we click on these emails.

From the “Say “No Thanks” to Unwanted Email” white paper from McAfee:

“Scam spam works best by providing recipients with a sense of familiarity and legitimacy, either by creating the illusion that the email is from a friend or colleague, or providing plausible warnings from a respected institution,” Dr. Blascovich noted. “Once the victim opens the email, criminals use two basic motivational processes, approach and avoidance, or a combination of the two, to persuade victims to click on dangerous links, provide personal information, or download risky files. By scamming $20 from just half of one percent of the U.S. population, cyber criminals can earn $15 million each day and nearly $5.5 billion in a year, a powerful attraction for skillful scam artists.”

For me, I like to keep spam out of my inbox altogether and thankfully that’s what Boxbe does.

The report goes on to talk about how most people are susceptible on some level to convincing spam and attacking base human emotion can fool almost all of us some of the time.

Personally, I’m still waiting on all the money to come in from Nigeria.

photo from Flickr user fabbio

This morning’s Seattle PI cover story reports that alleged spammer, Robert Soloway has been arrested under a provision of the 2003 CAN-SPAM Act.

AP Legal Affairs Writer, Gene Johnson reports that Robert Soloway is being held on “a 35-count indictment … charging him with mail fraud, wire fraud, e-mail fraud, aggravated identity theft and money laundering.”

Soloway has previously lost two civil lawsuits resulting in fines of seven and ten million dollars, but this is his first criminal indictment.

“He’s one of the top 10 spammers in the world,” said Tim Cranton, a Microsoft Corp. lawyer who is senior director of the company’s Worldwide Internet Safety Programs. “He’s a huge problem for our customers. This is a very good day.”

Allegedly, Robert Soloway was using so-called “Zombie” computers (or botnets) to create his attacks. Federal agents have been quoted as saying that Soloway was responsible for billions of spam emails and that we should expect a drop in spam as a result of his arrest.

Spam Wars author, Danny Goodman disagrees:

I don’t care how big a spammer Soloway allegedly is; his contribution to the 63 billion spam messages per day (Ironport) can’t be so big that we’ll even notice the absence. Additionally, there is no way of knowing how much of his process is automated and already in the hopper waiting to spew. Also, he was taken into custody before 8:00am PDT yesterday. Spam volume here yesterday was (alas) quite normal.

We tend to agree with Danny as we’ve seen no marked decrease in quarantined messages, but nevertheless, it’s good to see such a notorious spammer brought to justice.

More discussion and commentary

Slashdot
CNET
Richi Jennings
Valleywag
John C. Dvorak
Tingog.com
Boing Boing
Download Squad
TechDirt

image by Flickr user r80o

A few days ago, Domain Keys Identified Mail or DKIM, was approved by the Internet Engineering Task Force (IETF). DKIM is one of the standards that we use at Boxbe to keep your email safe from phishing attacks and fake emails in general.

What is DKIM?

From Yahoo:

DKIM is an email authentication framework that addresses the widespread issue of email forgery, using cryptography to verify the domain of the sender. It allows email providers to validate an email’s originating domain, making use of blacklists and whitelists more effective. It also makes phishing attacks easier to detect by helping to identify abusive domains.

DKIM is good for the internet and will help detect forged email addresses. However, DKIM alone won’t stop spam originating from non-faked addresses nor will it stop other forms of unwanted email. Email expert Richi Jennings says “At best, they give a partial indication whether a message is spam or not, but their main use is to allow recipients to look up the reputation of the sending domain.”

The UK’s PC Advisor says “To make it work, DKIM now has to be adopted and incorporated by independent software vendors into their email applications and related infrastructures.”

That said, this is a step forward in stopping phishing schemes and other illegal activities that originate from non-authenticated senders and we are happy to see the DKIM standard approved and hopefully more widely adopted.

More about DKIM

DKIM Workgroup
DKIM FAQ
Yahoo! Anecdotal

More discussion of the standard approval

Promising antispam technique gets nod - CNET News
IETF backs new cryptographic scheme to battle the effects of spam - Ars Technica
Junked: Is this the end of spam and spoof email? - Silicon.com
Bye Bye Spam and Phishing with DKIM? - Slashdot.org
New Spec Could Cut Phishing, Spam - Dark Reading
IETF approves DKIM to fight spam and phishing - A Canadian Geek
Why DKIM will fail - Spin on Cue
Promising new anti-spam techique gains key approval - Geeks Are Sexy

photo from Flickr user lordcuauhtli

In an earlier post, I mentioned a spammer who was phishing getting convicted and facing up to a 101 years in prison as a result. But what exactly is phishing?

Photo by Flickr user thermodynamix

Wikipedia defines phishing as

“a criminal activity using social engineering techniques. Phishers attempt to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an electronic communication. Phishing is typically carried out using email or an instant message, although phone contact has been used as well. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, and technical measures.”

In a nutshell, phishing is something criminals do to trick people into giving them sensitive information. The stolen information is then used by the criminal for further illicit activities.

Boxbe and phishing

So, what does Boxbe do about phishing? First, the only email that you receive when using Boxbe is from senders that you have approved, have passed a human test or have paid a fee. Second, we use two emerging industry standards, SPF and DomainKeys to increase the likelihood that the sender isn’t spoofing or faking their email address.

Is it a 100% solution? No. Unfortunately, we can’t guard against all forms of social engineering or deception. What we can do is guard against emails from entering your inbox that make false claims as to their point of origin. The rest is up to you.

Learn more about phishing

We suggest that everyone educate themselves against phishing. Here are some great places to learn more about phishing:

• Microsoft - Recognizing phishing scams and fraudulent emails
• Tips from Fraud.org
• Paypal Security Center
• CNET - How to avoid phishing scams

Score one for the good guys.

photo by Flickr user assbach

Goodin, who was arrested last year, was found guilty of operating a sophisticated phishing scheme, the prosecutors said in the statement. As part of the scam, he sent e-mails posing as AOL’s billing department to trick people into giving up their credit card information, according to the statement. He then used the credit card data to make purchases, prosecutors said Tuesday.

While he won’t get a 101 years for just spamming, this case is a perfect example of how spam can be tremendously harmful to people.

Be careful out there.

Read