New Botnet?

Over the last 24 hours I’ve intercepted several emails containing malicious attachments in .zip files. There’s nothing odd about that, except these are coming from ‘clean’ IP addresses.

Is this a new Botnet, spreading fast?

Yesterday the subject was “your mailbox has been deactivated” and they pretended to come from the IT support team at your domain name. If you don’t have an IT support team it’s a bit of a giveaway. The message continued:

We are contacting you in regards an unusual activity that was identified in your mailbox. As a result, your mailbox has been deactivated. To restore your mailbox, you are required to extract and run the attached mailbox utility.

Best regards, technical support.

Today they’ve got the subject “Payment request from ,” where the company varies.


The full text is:

We recorded a payment request from "" to enable the charge of $ on your account.

The payment is pending for the moment.

If you made this transaction or if you just authorize this payment, please ignore or remove this email message. The transaction will be shown on your monthly statement as "".

If you didn't make this payment and would like to decline it, please download and install the transaction inspector module (attached to this letter).

The interesting thing is that none of these have come from IP addresses that are currently listed as part of a botnet, known spam sources or anything. They’re completely clean. I’ve no proof that the two attacks are related, but I’m suspicious.

If anyone has more parts to the jigsaw, please share them with a comment.

How to prevent spammers getting your email address

Everyone knows this one, right? Just obey the following rules:

  1. Don’t give your email address to strangers
  2. Never post your email address on newsgroups
  3. Don’t leave your email address lying about on web pages.
  4. Don’t reply to spam – they know you’re reading it.

Unfortunately this advice is seriously out-of-date, although some emails are still harvested by spammers this way. People keep asking the question “I didn’t do any of the above, so how come I’m getting all this spam?”

What the American spammers are actually doing is using malicious software on innocent computers (installed using the normal virus channels). Amongst other things, this software searches the victim’s hard disk for all the email addresses it can find. It then sends the results back to be added to their spamming list. In order to have your email address added to a spamming list, all you need do is exchange an email with an infected PC – or a PC that becomes infected in the future.

As for item four, about never replying to spam: this no longer applies. Spammers don’t use their real return address anyway. They track who’s reading their wares by embedding a reference to an image in an HTML email; when the message is displayed, the image is downloaded from their server, and at that moment they know who opened it. Microsoft Outlook allows this to happen, and Microsoft doesn’t appear to be in any hurry to fix it.
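The tracking trick described above can be spotted before a mail client fetches anything. The following is an added example (not code from the original post): it scans an HTML email body for remote image references and flags the ones that look like read-tracking beacons. The sample message and the hostname `example.invalid` are constructed for the demonstration.

```python
# Added example, not from the original post: flag remote image references
# ("web beacons") in an HTML email body before the client fetches them.
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag seen while parsing."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def find_remote_images(html):
    """Return each http(s) <img> with a 'beacon' verdict.

    A remote image counts as a likely beacon when it is 1x1 or hidden, or
    when its URL carries a query string (used to identify the recipient).
    Inline (cid:) and data: images are skipped: they cannot phone home.
    """
    parser = _ImgCollector()
    parser.feed(html)
    findings = []
    for img in parser.images:
        src = img.get("src", "")
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            continue
        tiny = img.get("width") in ("0", "1") and img.get("height") in ("0", "1")
        hidden = "display:none" in img.get("style", "").replace(" ", "")
        findings.append({"src": src, "host": url.hostname,
                         "beacon": tiny or hidden or bool(url.query)})
    return findings


# Constructed sample message: one visible logo, one 1x1 tracking image.
SAMPLE_HTML = """<html><body><p>Your mailbox has been deactivated.</p>
<img src="https://example.invalid/logo.png" width="120" height="40">
<img src="https://example.invalid/open.gif?id=recipient-42" width="1" height="1">
<img src="cid:inline-part"></body></html>"""

if __name__ == "__main__":
    for f in find_remote_images(SAMPLE_HTML):
        print(("BEACON " if f["beacon"] else "image  ") + f["src"])
```

A mail client that refuses to fetch flagged images (or any remote image) denies the sender the open notification; the same check can run on a mail gateway to annotate or strip such tags.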

So what can you do? Not much! If you can, use disposable email addresses. For example, if you’re the secretary of a club and you correspond with a large number of people, some of whom are likely to be hijacked, make your email address ‘secretary1@…’. When this is compromised, change it to ‘secretary2@…’ and so on.

A proper solution is needed, but there’s no political will to solve it. The identity of the criminals doing this is well enough known; the Americans just let them operate virtually unhindered. Something to do with ‘freedom of speech’!