Monday, July 21, 2008

The Evolution of the Botnet - Enter HydraFlux

Over at the Internet Storm Center there is a lengthy and detailed write-up on the next stage in the evolution of the network of computers that makes up the distribution channel for malware: the malware that infects our computers and turns them into pawns for the bot herders. In contrast to how you and I would set up a website on a dedicated web server at a colocation facility, the writers of this particular malware use your computers both to host the malware content and to direct the infection of other computers. What can we do to stop the malware writers? Is there any hope of taking back the streets of the Internet and making them safe for you and me?

First a brief history

When malware writers started using the Internet eons (about 10 human years) ago to distribute the programs they wrote to infect computers, they got accounts at 'free' web hosting sites or uploaded the malware as shareware, freeware or even demo-ware to great sites like TUCOWS
(http://www.tucows.com/) with a glowing write-up, and let people download and infect themselves. This made it pretty easy to figure out where the infection was coming from and, by working with the ISP or webmaster, get the malware removed from the site. TUCOWS and other download sites also implemented a regular anti-virus scan of all uploaded files so that malware would be stopped or found before it had a chance to be downloaded by some unsuspecting person and unleash its payload of destruction. You can see why the malware writers moved on to a different distribution channel: it is easy to chop the head off this kind of infection and stop it in its tracks.

The popular technique for the last while is 'Fast Flux', where a group of infected PCs acts as a proxy layer between the web server hosting the malware and the PCs that are about to be infected. This proxy layer is called the 'flux nodes'. You will have seen this in the recent 'Storm Worm' spam runs, where the e-mail consists of a brief subject line and a link to a bare IP address. When you click on the link, your computer connects to the proxy software running on an already infected PC, which then fetches the content, including the malware that will end up infecting your PC, from the real source.

This makes it harder to track down the real source of the infection: you now have to contact the IT people responsible for the computer in the middle (the proxy) and get them to check their log files to find out where the malware content is really coming from. They may be too busy to respond, or they may not even have the logs required to track the source down, and meanwhile the 'Storm Worm' or some variation continues to send out millions of e-mail messages, getting more PCs infected and adding more pawns to the proxy layer that insulates the bot herder from the security professionals trying to stop the infection.

As hard as it is to coordinate with the IT departments of the infected proxy layer, it does happen often enough that the real source of the malware files is found and shut down. This does not make the bot herders happy, as they now have to either build up their botnets all over again or redirect their proxy pawns to a second source of infected files. This takes time, and while the transition is going on the botnet is down and not doing the bidding of the herder. Thus the evolution of 'Fast Flux' into 'Hydra Flux'.

Hydra Flux is the same basic idea as Fast Flux but with the addition of many heads, like the Lernaean Hydra, the many-headed serpent of Greek mythology: just as with the ancient snake, you can cut off one of the heads of the modern 'Hydra Flux' without killing the beast. The proxy layer talks to many sources of infection, the 'mother ships' of the Internet Storm Center article, so that if one gets found out and stopped the proxy layer has a backup. This is a very resilient hosting structure and could fairly be called a great example of 'cloud computing'.
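
In practice a flux network shows itself in DNS before anyone reads a proxy's logs: the hostname in the spam link resolves to a different handful of bot addresses every few minutes, spread across unrelated networks. The following is an added example, not code from the ISC write-up or from this post, that scores a series of DNS answer snapshots for those characteristics. The snapshots, the IP-to-ASN table and the thresholds are all constructed for illustration; a real deployment would take the ASN from a routing or whois lookup.

```python
"""Fast-flux detection over DNS answer snapshots.

Added example, not from the ISC write-up or this post. In practice a fast-flux
network is found by its DNS footprint: the spam link's hostname resolves to a
different set of bot IPs every few minutes. The snapshots, ASN table and
thresholds below are all constructed for illustration.
"""
from dataclasses import dataclass

# Hypothetical IP -> ASN table standing in for a real routing/whois lookup.
ASN_TABLE = {
    "203.0.113.10": 64500, "198.51.100.22": 64501, "192.0.2.7": 64502,
    "203.0.113.99": 64500, "198.51.100.3": 64503, "192.0.2.200": 64504,
    "198.51.100.77": 64505, "203.0.113.150": 64506,
    "93.184.216.34": 64507,
    # a CDN-style pool: many addresses, one network operator
    "198.18.0.1": 64510, "198.18.0.2": 64510, "198.18.0.3": 64510,
    "198.18.0.4": 64510, "198.18.0.5": 64510, "198.18.0.6": 64510,
}


@dataclass(frozen=True)
class Snapshot:
    """One DNS query result: the TTL and the A records it returned."""
    name: str
    ttl: int
    addrs: tuple


def flux_metrics(snapshots):
    """Aggregate the features that separate flux hosting from ordinary DNS."""
    ips = {ip for s in snapshots for ip in s.addrs}
    asns = {ASN_TABLE[ip] for ip in ips if ip in ASN_TABLE}
    nets = {".".join(ip.split(".")[:3]) for ip in ips}        # /24 diversity
    changes = sum(1 for a, b in zip(snapshots, snapshots[1:])
                  if set(a.addrs) != set(b.addrs))
    return {
        "unique_ips": len(ips),
        "unique_asns": len(asns),
        "unique_24s": len(nets),
        "min_ttl": min(s.ttl for s in snapshots),
        "answer_changes": changes,
    }


def is_fast_flux(snapshots, min_ips=5, min_asns=3, max_ttl=600):
    """Assumed thresholds: many IPs spread over several ASNs with short TTLs.
    ASN spread is the decisive feature; a CDN rotates many IPs too, but
    inside one operator's network, so it is not flagged."""
    m = flux_metrics(snapshots)
    return (m["unique_ips"] >= min_ips and m["unique_asns"] >= min_asns
            and m["min_ttl"] <= max_ttl)


# Constructed snapshots: three queries for each name, five minutes apart.
FLUX = [
    Snapshot("flux.example", 300, ("203.0.113.10", "198.51.100.22", "192.0.2.7", "203.0.113.99")),
    Snapshot("flux.example", 300, ("198.51.100.3", "192.0.2.200", "203.0.113.10", "198.51.100.77")),
    Snapshot("flux.example", 300, ("203.0.113.150", "192.0.2.7", "198.51.100.22", "192.0.2.200")),
]
STATIC = [Snapshot("www.example", 86400, ("93.184.216.34",))] * 3
CDN = [
    Snapshot("cdn.example", 60, ("198.18.0.1", "198.18.0.2", "198.18.0.3")),
    Snapshot("cdn.example", 60, ("198.18.0.4", "198.18.0.5", "198.18.0.6")),
]

if __name__ == "__main__":
    for label, snaps in (("flux", FLUX), ("static", STATIC), ("cdn", CDN)):
        print(label, flux_metrics(snaps), "FAST-FLUX" if is_fast_flux(snaps) else "ok")
```

The CDN case is there on purpose: short TTLs and a rotating address pool on their own describe half the legitimate Internet, so the ASN spread is what separates a flux network of home PCs from a content delivery network.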

So what can we do to stop the infections and take back the Internet streets for us 'honest folk'? The first thing is to make sure we don't settle for corporate firewalls that are configured to work for both us and the malware writers. Too many firewalls are set up to stop traffic coming from the Internet to the LAN but allow anything and everything from the LAN out to the Internet. If you have a corporate mail server, then the mail server should be the only system with SMTP access to the Internet: block all other connections from the LAN to any Internet host on port 25. A workstation opening outbound port 25 connections on its own is one of the clearest signs that it has been recruited as a spam bot. If the firewall supports Universal Plug and Play (UPnP), disable it if at all possible, because it lets any program on the inside punch holes in your perimeter without asking you. Enable the intrusion detection capability of your firewall if it has one, and use it on the inside of your network.
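
The port 25 rule is also a detection rule: once only the mail server may talk SMTP to the outside, every other LAN host that tries is worth a look. The following is an added example, not CudaMail's or any vendor's code, that applies that policy to a set of connection records and emits the equivalent gateway firewall rules. The LAN range, mail server address and the NetFlow-style record format (time, source, destination, destination port, protocol) are assumptions, and the flow lines are constructed.

```python
"""Egress check: which LAN hosts besides the mail server are talking SMTP
to the Internet? Added example, not from this post. The LAN range, mail
server address and flow records are constructed; the flow format (time,
src, dst, dport, proto) is a hypothetical NetFlow-style export."""
import ipaddress
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.10.0/24")        # assumption
MAIL_SERVER = ipaddress.ip_address("192.168.10.5")   # assumption: the one legitimate SMTP source

# Constructed flow records, one per line.
FLOWS = """\
2008-07-21T09:00:01 192.168.10.5 203.0.113.25 25 tcp
2008-07-21T09:00:03 192.168.10.42 198.51.100.9 25 tcp
2008-07-21T09:00:04 192.168.10.42 198.51.100.10 25 tcp
2008-07-21T09:00:05 192.168.10.42 203.0.113.77 25 tcp
2008-07-21T09:00:06 192.168.10.17 203.0.113.80 80 tcp
2008-07-21T09:00:07 192.168.10.17 192.168.10.5 25 tcp
2008-07-21T09:00:08 192.168.10.42 203.0.113.77 587 tcp
"""


def parse_flows(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        ts, src, dst, dport, proto = fields
        try:
            yield {"ts": ts, "src": ipaddress.ip_address(src),
                   "dst": ipaddress.ip_address(dst), "dport": int(dport), "proto": proto}
        except ValueError:
            continue


def smtp_egress_violations(flows, lan=LAN, mail_server=MAIL_SERVER):
    """Map offending LAN host -> sorted Internet addresses it contacted on 25/tcp.
    LAN-to-LAN SMTP (a workstation submitting to the internal mail server) is
    legitimate and ignored. Port 587 submission is left alone here, though it
    deserves the same policy if users are not supposed to use outside providers."""
    offenders = defaultdict(set)
    for f in flows:
        if f["proto"] != "tcp" or f["dport"] != 25:
            continue
        if f["src"] not in lan or f["dst"] in lan:
            continue                      # only LAN -> Internet traffic
        if f["src"] == mail_server:
            continue
        offenders[str(f["src"])].add(str(f["dst"]))
    return {host: sorted(dsts) for host, dsts in offenders.items()}


def iptables_smtp_egress_rules(lan=LAN, mail_server=MAIL_SERVER):
    """The same policy as rules for a Linux gateway's FORWARD chain:
    allow the mail server, then log and reject everyone else on the LAN."""
    return [
        f"iptables -A FORWARD -s {mail_server} -p tcp --dport 25 -j ACCEPT",
        f'iptables -A FORWARD -s {lan} -p tcp --dport 25 -j LOG --log-prefix "SMTP-EGRESS "',
        f"iptables -A FORWARD -s {lan} -p tcp --dport 25 -j REJECT --reject-with tcp-reset",
    ]


if __name__ == "__main__":
    for host, mxs in smtp_egress_violations(parse_flows(FLOWS)).items():
        print(f"{host} opened direct SMTP to {len(mxs)} Internet hosts: {', '.join(mxs)}")
    print("\n".join(iptables_smtp_egress_rules()))
```

The LOG rule sits before the REJECT so that the blocked attempts still reach your logs; a host that trips it repeatedly is the one to pull off the network and scan.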

If you don't have a firewall that can do IDS, get one that can, or add a transparent gateway device like the Barracuda Web Filter that looks for infected traffic originating on the inside of your network and can both block it and report to you that you have an infection problem so you can take care of it. The Barracuda Web Filter also keeps the log files that would allow you to track down the real source of the malware, helping cut off one of the many heads of the Hydra Flux botnet. For those of us IT professionals who are called on by family and friends to fix their home computer problems: don't let them connect to the Internet without a hardware firewall, and don't let their anti-virus protection run out. Teach them how to do and test a reliable backup, and then get them to do monthly patches and software updates, or do it for them. I believe it is better to educate them on how to do it and why it is important, and to check with them regularly that they are doing the right thing, than to get them used to you 'just taking care of things' for them. OK, you can just take care of Grandma's PC, but still tell her that it is important to play safe on the Internet.

With the evolution of Fast Flux into Hydra Flux you can expect the onslaught of spam to continue, but with these simple techniques we can make it harder for the bot herders to take over our PCs, and avoid contributing to the problem.

- Shaun



More Info:

Hydra Flux

Fast Flux

UPnP

Tuesday, June 24, 2008

The internet is a wonderful place - just perfect for picking up a PDF infection.

PDF Flaw Exposes All to Botnet Attempts

Adobe revealed that a flaw exists even in fully up-to-date versions of Adobe Reader 8.1.2 that 'could potentially allow an attacker to take control of the affected system'. This is similar to other bugs recently used by the "Bot Herders" to take over millions of PCs, adding them to their herds to be used later to send spam to you and your friends.


Adobe's bulletin and service patch:
http://www.adobe.com/support/security/bulletins/apsb08-15.html
SANS Internet Storm Center (ISC) recommends that you update sooner rather than later.
http://isc.sans.org/diary.html?storyid=4616


While the SANS article mentions that the vulnerability will soon appear on a malware-spreading website, we at CudaMail expect the "Bot Herders" to start sending millions of messages with links to these malware sites and to use 'social engineering' to get you interested enough to click on the unsolicited link.

So what can you do to protect yourself?

Update all your programs on a regular basis. Make sure you have a tested backup of all your important information for when, not if, you get infected and have to format and reinstall your operating system (the only way to be 100% sure that you don't have a nasty infection), and don't click on links whose origins you are unsure about.

What else can we do as an anti-spam service to protect you?

While we watch closely for outbreaks like this and will block any messages that have links to known infected sites, we always have to be careful not to step over the line and start blocking legitimate links. We could easily write a rule that blocks any PDF file, or even any link to a PDF file, but this format is used by billions of people to send all sorts of legitimate information every day, so we can't do that except in the case of a major outbreak, and then only for a very short while.

So here is a question to you, our dear readers:
Would you prefer to have 100% protection from a new malware outbreak like the one we expect, even if some legitimate messages may be blocked, or would you like all your legitimate e-mails to come through even if a few malware links also come through?
At CudaMail we have a third option, the per-user quarantine, where we can send every message with a PDF attachment or a link to a PDF into your personal quarantine area. This would require that you take the effort to check this quarantine area and deliberately release the wanted PDFs. Is that a viable option for you?
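
For readers who want to see what such a quarantine rule has to look at, here is an added example (not CudaMail's filtering code) that classifies a message by its PDF attachments and PDF links. A rule that only looks at the attachment name misses the obvious trick, so it checks the declared content type, the filename extension and the '%PDF' magic bytes at the start of the decoded part. The sample messages are constructed with the standard library, and the 'outbreak mode' switch is an assumption modelled on the 'only during a major outbreak' rule above.

```python
"""Classify mail by PDF attachments and PDF links for a per-user quarantine rule.

Added example, not CudaMail's filtering code. Detection looks at three things
an attachment-name rule misses: the declared content type, the filename
extension and the %PDF magic at the start of the decoded bytes. Sample messages
are constructed with the standard library; the 'outbreak mode' switch is an
assumption modelled on the post's 'only during a major outbreak' rule."""
import email
import re
from email import policy
from email.message import EmailMessage

PDF_LINK = re.compile(r"https?://[^\s<>\"']+?\.pdf(?:[?#][^\s<>\"']*)?", re.IGNORECASE)


def pdf_indicators(raw_bytes):
    """Return (attachments, links): every PDF-like part and every .pdf URL in text bodies."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    attachments, links = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        has_magic = payload.startswith(b"%PDF")
        if ctype == "application/pdf" or filename.lower().endswith(".pdf") or has_magic:
            attachments.append({"filename": filename, "declared": ctype, "magic": has_magic})
        elif ctype in ("text/plain", "text/html"):
            text = payload.decode(part.get_content_charset() or "utf-8", "replace")
            links.extend(PDF_LINK.findall(text))
    return attachments, links


def route(raw_bytes, outbreak_mode=False):
    """'deliver' or 'quarantine'. A PDF hiding behind another content type is
    quarantined regardless of mode (design choice); otherwise PDFs and PDF links
    are only diverted while outbreak mode is on, which is the post's trade-off."""
    attachments, links = pdf_indicators(raw_bytes)
    if any(a["magic"] and a["declared"] != "application/pdf" for a in attachments):
        return "quarantine"
    if outbreak_mode and (attachments or links):
        return "quarantine"
    return "deliver"


def build_sample(disguised):
    """Constructed test message: a PDF link in the body plus a PDF attachment,
    either declared honestly or labelled as a generic .doc/octet-stream."""
    msg = EmailMessage()
    msg["From"] = "billing@example.net"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Your statement"
    msg.set_content("Your statement is ready: http://example.net/docs/statement.pdf?id=7")
    fake_pdf = b"%PDF-1.4\n% constructed placeholder, not a real document\n"
    if disguised:
        msg.add_attachment(fake_pdf, maintype="application", subtype="octet-stream",
                           filename="statement.doc")
    else:
        msg.add_attachment(fake_pdf, maintype="application", subtype="pdf",
                           filename="statement.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for disguised in (False, True):
        raw = build_sample(disguised)
        print("disguised" if disguised else "honest", pdf_indicators(raw),
              route(raw), route(raw, outbreak_mode=True))
```

The mismatch case is the one worth keeping on even after an outbreak passes: an honest sender has no reason to label a PDF as something else, so that check costs almost nothing in false positives.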

We want to hear from you!

- Shaun

Thursday, June 12, 2008

Disaster Planning - Exchange and ISP Working Together For Business Continuity

With e-mail being such a significant part of most business people's day, having a backup plan in place should something happen to your mail server is time well spent.
A customer named Harold, whom I was recently working with on his CudaMail filtering setup, explained to me a very interesting way to do a form of disaster planning for Exchange Server, specifically the version included in Small Business Server (SBS).

While this method doesn't make Exchange itself more robust, it does keep the company working should there be a problem with the Exchange server, and gives Harold time to work on his server without significant e-mail downtime.

What he does is have his e-mail hosted at an ISP and use the POP3 connector in Exchange to pull the e-mail down on a regular basis. This is not new, as the POP3 connector has been available since SBS 2003 as far as I know, but his setup is unique.

While most people would use the POP3 connector as a temporary solution when migrating to direct SMTP delivery into Exchange, Harold is leaving it in place and looking for a replacement with additional features.

(any experience with good and or free replacements?)

Should his Exchange server go "belly up", the ISP's mail servers simply continue to accept mail and deliver it to the mailboxes they host.

This is where Harold's advance planning comes into play. He has made sure that the users know they can use the ISP's webmail feature to read and reply to messages while the Exchange server is off-line. This keeps the company alive and working and gives Harold time to do his repairs or restore from backup.

There are some pro’s and con’s to this setup that I think need to be addressed.
  1. Delay in getting e-mail. Because the POP3 connector does a scheduled check of the ISP mailbox, there will be a delay of up to 15 minutes in getting e-mail. Replies go out from Exchange immediately, but in this age of "instant everything" people want e-mail to be instant too. The average delay is going to be 7 1/2 minutes, so this is not a big issue unless there is a deadline you're trying to meet.

  2. History. As far as I know the POP3 connector does not have a setting to leave x days' worth of messages in the ISP mailbox, so during an outage the webmail view only shows what arrived since the last poll. The end users will have to rely on the local copy of e-mail on their desktop and also remember to BCC themselves on any sent e-mail so they can maintain an accurate history of what was said via e-mail.

  3. Encryption. The POP3 connector in Exchange cannot encrypt the session used to pull messages down via POP3, so the mailbox passwords and the mail itself cross the Internet in the clear on every poll. This is why Harold is looking for a better POP3 connector. Does anyone have any experience, good or bad, with the third-party POP3 connectors?

  4. Passwords. The users need to keep track of the passwords used for e-mail at the ISP. How good are your users at remembering passwords?

  5. Training and reminders. The old adage ‘use it or lose it’ comes to mind. Will the users remember how to use the Webmail in a time of crisis? With e-mail down how will you be able to remind them they have this option?

  6. What happens to his e-mail if the ISP has a problem? How can he modify his setup to get the best of both worlds?
Can you think of any other issues or gotchas with this setup? Would an IMAP connector be a better option? Is there such a beast for Exchange?
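
To make the two connector gaps above concrete (no encryption, and no way to leave a few days of history at the ISP), here is an added example of a small POP3-over-TLS poller, written with the standard library's poplib. It is not Harold's setup or any vendor's connector. The decision about what to fetch and what to expire is kept separate from the network code so it can be checked without a mailbox; KEEP_DAYS, the state-file layout and the deliver() callback that hands messages to the local mail system are assumptions.

```python
"""POP3 over TLS with server-side history, standing in for the Exchange POP3
connector's two gaps above (no encryption, no 'leave messages for N days').
Added example, not Harold's setup or any vendor's connector. The network part
uses only the standard library's poplib; the decision logic is separate so it
can be exercised without a mailbox. KEEP_DAYS, the state-file layout and the
deliver() callback are assumptions."""
import json
import poplib
import time
from email import message_from_bytes
from pathlib import Path

KEEP_DAYS = 14   # assumption: how much history stays in the ISP mailbox for webmail use


def plan_actions(uidl_lines, state, now, keep_days=KEEP_DAYS):
    """Decide what to download and what to expire.

    uidl_lines: the b'<msgnum> <uid>' lines returned by POP3.uidl().
    state: dict uid -> epoch seconds when we first downloaded it; mutated in place
           and persisted by the caller, so a message is fetched exactly once and
           deleted only after it has sat on the server for keep_days.
    Returns (fetch, delete) as lists of (msgnum, uid)."""
    fetch, delete = [], []
    cutoff = now - keep_days * 86400
    present = set()
    for line in uidl_lines:
        num, uid = line.decode("ascii").split(maxsplit=1)
        present.add(uid)
        if uid not in state:
            fetch.append((int(num), uid))
            state[uid] = now
        elif state[uid] < cutoff:
            delete.append((int(num), uid))
    for uid in [u for u in state if u not in present]:
        del state[uid]                      # gone from the server: forget it
    return fetch, delete


def sync_mailbox(host, user, password, deliver, state_path, keep_days=KEEP_DAYS):
    """One poll cycle. deliver(msg) hands an email.message.Message to the local
    mail system (hypothetical callback). The state file is only rewritten after a
    clean run, so a failure mid-cycle re-fetches rather than loses mail."""
    state_file = Path(state_path)
    state = json.loads(state_file.read_text()) if state_file.exists() else {}
    conn = poplib.POP3_SSL(host, 995)       # TLS from the first byte (POP3S)
    try:
        conn.user(user)
        conn.pass_(password)
        _, lines, _ = conn.uidl()
        fetch, delete = plan_actions(lines, state, time.time(), keep_days)
        for num, _ in fetch:
            _, body_lines, _ = conn.retr(num)
            deliver(message_from_bytes(b"\r\n".join(body_lines)))
        for num, _ in delete:
            conn.dele(num)                  # committed by QUIT below
    finally:
        conn.quit()
    state_file.write_text(json.dumps(state))
```

Run it from a scheduled task every few minutes with a state file per mailbox; the UIDL-based bookkeeping is what lets the copy at the ISP survive for webmail use without the same message being delivered twice.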

- Shaun

Monday, June 2, 2008

Where Does All the Spam Come From?



Source: Technology Review

The chart above shows that China, Brazil and Turkey lead in generating the most unwanted messages. The graph, generated from Team Cymru data, is a lot easier to read than their default Hilbert curve graph.




Source: Team Cymru

Team Cymru also has some nice graphs of their own.

www.team-cymru.org/Monitoring/Graphs/

(Warning – the above graphs are Flash based.)

How can we use this information?

Well, if you are based in one country and only expect to get e-mail from a handful of other countries, then you can use a region-to-IP-address list to block all e-mail from the countries you don't expect any e-mail from. You should, however, have an alternate method of contact, like a web form, so that people from the blocked regions can still reach you. Keep in mind that the list tells you where the sending machine is, not where the sender is: a bot in an 'allowed' country still gets through, and a legitimate correspondent travelling abroad may not.

One good region-based IP list can be found at http://countries.nerd.dk/ in a format suitable for use as a real-time block list (RBL) with most mail server software.
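
For those who want to script the check rather than hand the zone to the mail server, here is an added example (not this post's or the list maintainer's code) that builds the DNSBL query for a sender address, decodes the answer to a country code and applies an allow list. Reversing the octets under the zone is the standard DNSBL convention. The zone name zz.countries.nerd.dk and the answer encoding, 127.0.hi.lo where hi*256+lo is the ISO 3166-1 numeric code, are taken from the list's documentation as I remember it, so treat them as assumptions and confirm them on the site before deploying. The resolver below is a stub with constructed answers so the example runs offline.

```python
"""Country-based sender filtering via the countries.nerd.dk DNSBL.

Added example, not from this post. The query-name construction is the usual
DNSBL convention (reversed octets under the zone). The answer encoding,
127.0.hi.lo with hi*256+lo being the ISO 3166-1 numeric country code, and the
zone name zz.countries.nerd.dk are taken from the list's documentation as I
remember it; check them against http://countries.nerd.dk/ before deploying.
The resolver below is a stub returning constructed answers so this runs offline."""
import ipaddress

ZONE = "zz.countries.nerd.dk"   # assumption: the combined zone that returns the country code

# Subset of ISO 3166-1 numeric codes, enough for the example.
ISO_NUMERIC = {840: "US", 124: "CA", 156: "CN", 76: "BR", 792: "TR", 208: "DK"}


def query_name(ip, zone=ZONE):
    """Reverse the octets and append the zone: 203.0.113.5 -> 5.113.0.203.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def decode_answer(a_record):
    """Turn the DNSBL's 127.0.hi.lo answer into a two-letter country code (or None)."""
    a, b, hi, lo = (int(x) for x in a_record.split("."))
    if (a, b) != (127, 0):
        raise ValueError(f"unexpected DNSBL answer {a_record}")
    return ISO_NUMERIC.get(hi * 256 + lo)


def sender_country(ip, resolve, zone=ZONE):
    """resolve(name) returns the A record string, or None for NXDOMAIN (not listed)."""
    answer = resolve(query_name(ip, zone))
    return None if answer is None else decode_answer(answer)


def policy(ip, resolve, allowed=frozenset({"US", "CA"})):
    """'accept', 'reject', or 'unknown' for addresses the list does not cover.
    Unknown senders are not rejected here: a geo list is a coarse filter, and
    the post's advice about a web form for blocked regions still applies."""
    country = sender_country(ip, resolve)
    if country is None:
        return "unknown"
    return "accept" if country in allowed else "reject"


# Constructed answers standing in for real DNS lookups.
FAKE_ZONE = {
    "5.113.0.203.zz.countries.nerd.dk": "127.0.3.72",    # 3*256+72 = 840 = US
    "7.100.51.198.zz.countries.nerd.dk": "127.0.0.156",  # 156 = CN
    "24.2.0.192.zz.countries.nerd.dk": "127.0.3.24",     # 3*256+24 = 792 = TR
}


def fake_resolve(name):
    return FAKE_ZONE.get(name)


if __name__ == "__main__":
    for ip in ("203.0.113.5", "198.51.100.7", "192.0.2.24", "192.0.2.99"):
        print(ip, sender_country(ip, fake_resolve), policy(ip, fake_resolve))
```

In production replace fake_resolve with a real lookup (for example socket.gethostbyname wrapped to return None on failure) and run the check at SMTP connect time, where a reject costs the sender nothing but a bounce.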

- Shaun

Friday, May 30, 2008

This Week In The Spam Filtering World ...

Here's what went on this week in the blogosphere in the anti-spam world:

Backscatter

Use a service or server based anti spam system. Such systems employ measures that block spam and are hardened to large quantities of spam and will provide some protection from backscatter in and of themselves, however the spam ...


How much longer will anti-spam captchas be useful?

Luis von Ahn, an inventor of the anti-spam tool known as "captchas," talks with Jon Gordon about how much longer the squiggly line challenge-response tools will be useful.


TypePad launches new anti-spam tool for bloggers

TypePad AntiSpam is the product of the antispam technology Six Apart has been using in their TypePad hosted blogs since May 2007. Now the service, which is in beta, is available to anyone, open source, and free -- regardless of how ...


MySpace wins $230 million anti-spam judgment

Just saw this over at namepros. Although I don't use MySpace, I like to think that spammers (not only the ones spamming MySpace) will think twice before spamming again. Excite News - MySpace wins $230 million anti-spam judgment.


Social Networking Sites Also Popular With Spammers

Popular networking sites have become one of the latest targets in recent spam attacks. Cloudmark, an anti-spam enterprise, revealed that social networking sites have seen a huge rise in spam in the 6 months to March 2008. ...


Enjoy!

- Shaun

Wednesday, May 21, 2008

Start of the Memorial Day Spam Storm Coming

With the downturn in the US economy more people are turning to the web for the best deal, so expect vendors to be even more aggressive in their approach to getting eyeballs on ads, and this includes sending more e-mail marketing, as it is the lowest-cost advertising venue.

Spammers have been using e-mail for years now because it works, and the big marketers have joined in, as a scan of some of the recent subject lines processed by CudaMail shows.

Some of these are spam and some are just marketing messages:


Alarm systems.
"5 Horrible Home-Invasion Statistics."
"Secure your home today"

Pharma
"Live Life to the fullest"
"May 21st - Ready to Process Reorder"
"Cleanse your digestive system and feel great."
"Side effects include: Increased libido, decreased cellulite, and ..."

Office Supplies
"Discount printer ink and toner plus extra 10% coupon"

Social Networking
"Someone is looking for you. Find out who."

Septic Tank Insurance
"Has your Septic Tank ever backed up on you?"

Hardware and Tools
"True Value: Weekly Merchandising Newsletter - 5.20.08"

Vacations
"World Series of Poker* Invitation in Vegas for You"

Men's Clothing
"20% Off + $4.95 Flat Rate Shipping"

Women's Clothing and Swimwear
"Memorial day event - 50 items at 50% off!"

Satellite TV
"Over 40 Digital Quality channels for $19.99/mo. Get more with DISH Network"

Wedding Decorations
"Wedding Accessories on Sale"

Business Cards
"MAY MADNESS LAST DAY!!!!!"

Big Fans
"Industrial Cooling...$99"

So a warning to everyone: from our Operations Center here at CudaMail we see the volume of e-mail marketing, both legitimate and unwanted spam, being turned up to 11 as we get closer to the long weekend in the U.S.

- Shaun

Tuesday, May 20, 2008

Natural Disasters and Phishing Scams

Fires and floods and earthquakes, oh my...

Great reminder from US-CERT on protecting yourself from the opportunists that prey on everyone's feelings and emotions when a natural disaster strikes. At times when your heart strings are being pulled it is almost as if the brain gets switched off, and this provides an opening for the scammers to strike, and they will.

If you want to help out in a situation like this, go through the official channels and do not allow yourself to be solicited via a message delivered in an e-mail, even if it comes from one of your trusted friends or family.

- Shaun

> From the US Cert (Computer Emergency Readiness Team) Natural Disasters and Phishing Scams

Original release date: May 19, 2008 at 4:30 pm
Last revised: May 19, 2008 at 4:30 pm

In the past, US-CERT has received reports of an increased number of phishing scams that take advantage of natural disasters. Due to recent natural disasters, US-CERT would like to remind users to remain cautious when receiving unsolicited email that could be a potential phishing scam.

Phishing scams may appear as requests for donations from charitable organizations asking users to click on a link that will take them to a fraudulent website that appears to be a legitimate charity. The users are then asked to provide personal information that can further expose them to future compromises.

Users are encouraged to take the following measures to protect themselves from this type of phishing scam:
  • Do not follow unsolicited web links received in email messages.
  • Review the Federal Trade Commission's Charity Checklist.
  • Verify the legitimacy of the email by contacting the organization directly through a trusted contact number. Trusted contact information can be found on the Better Business Bureau National Charity Report Index.
For additional information regarding phishing, US-CERT recommends reading the following documents:
  • Recognizing and Avoiding Email Scams (PDF)
  • Avoiding Social Engineering and Phishing Attacks
Relevant Url(s):

http://www.us-cert.gov/cas/tips/ST04-014.html

http://www.us-cert.gov/reading_room/emailscams_0905.pdf

http://www.ftc.gov/bcp/edu/pubs/consumer/telemarketing/tel01.shtm

http://charityreports.bbb.org/public/All.aspx?bureauID=9999

====

This entry is available at:

http://www.us-cert.gov/current/index.html#natural_disasters_and_phishing_scams

Wednesday, May 7, 2008

Eight Surefire Ways to Become an Identity Theft Victim

A funny but oh so true write-up from SANS (www.sans.org) on what NOT to do online.

1. Practice Unsafe Surfing. When you purchase a new computer, go online without activating the firewall, or purchasing protective software.

Further expose yourself digitally by sharing a wireless connection with the entire neighborhood. Without digital encryption, you can share the contents of your hard drive with anyone on the street. For maximum risk, do some online banking on a public computer -- like the one at the library or a public cafe. Bonus points are added if your Social Security number is your user ID for any transactions.

What you should really do:
  • Use a hardware firewall at work and at home along with good AV software that is kept up to date.
  • While the desire to go 'wireless' is high and the products make it so easy, take the time to set it up properly, with encryption turned on, or call in an expert to set it up for you.
  • Never do more than check news stories or some basic searching when on an unknown, and thus untrusted, computer, be it at the library or even at your friend's house.
2. Skimp on anti-virus and anti-spyware protection. Courting disaster online is easy. Invite malicious code to attack your computer simply by doing nothing. Antivirus programs can be pricey, and the maintenance of constantly downloading updates is time-consuming. Combine that with the security updates from Microsoft or Apple and it's enough to seriously annoy anyone.

What you should really do:

Install a good anti-virus solution; most, like F-Secure, come in a full protection suite and may be included free with your Internet connection (Shaw includes F-Secure, for example). Turn on automatic updates in Windows, and if your programs can be set to do the same, do so. Once a month manually check that your programs are up to date with something like the online F-Secure Health Check or the Secunia Software Inspector. It wouldn't hurt to visit both Windows Update and Office Update while you're at it.

3. Passwords are a pain! Make life easy for yourself by using the same password for EVERYTHING, and make it something easy to remember, like your first name or 'password'. Just in case, make sure you write it down on a yellow sticky and put it somewhere easy to see.

And don't forget to have your browser set to 'remember password' to make life easy for you - and the cyber thief.

What you should really do:
  • Use the idea of a password phrase to remember hard to guess passwords. A favorite phrase or poem can become the backbone of a secure password policy.
  • For example, the phrase 'The quick brown fox jumped over the lazy dog' can be used to easily remember a password of 'tqbfjotld'.
  • Make your password harder to guess by throwing in Capitalization, numbers and special characters.

    • If you want to keep things simple then come up with at least three or four secure passwords.
    • The first would be used only for online banking. The second would be used for your e-mail. The third would be used anywhere you have to register to use a site. The fourth could be used for questionable sites that require you to register.

4. Peek at junk email and open attachments from unknown sources. Open attachments from strangers, secret crushes, long-lost friends saying "what's up," or strangers hawking cheap drugs -- you'll never know unless you peek at that email. One of the many fun things that can happen when you open an attachment containing malicious code is infecting your computer with a Trojan horse or virus, which can easily lead to identity theft.

What you should really do:

Use a service like CudaMail to filter out all these unwanted messages. They are either marketing messages or worse, spammers trying to add your computer to their botnet. Stay away from these messages no matter how 'interesting' the spammers make them.

5. Stuff your wallet with juicy identifying tidbits. Wallets and purses are more than just handy cash-carrying devices. They often have credit cards, identification, insurance information and even Social Security cards. Obviously, more is better if you'd like to become the prey of fraudsters.

Losing or misplacing a wallet or purse can cause more problems than just the hassle of replacing all those cards and buying a new bag. Armed with your date of birth, Social Security number and mailing address, there's no limit to the damage thieves could cause.

What you should really do:
  • Keep only what you need in your wallet or purse.
  • The rest of the information should be in a safety deposit box where you can get it if you need it but the rest of the time it is locked away.
  • Check on the personal information the credit bureaus have on you to make sure it is accurate and that someone hasn't signed up for a credit card or something else in your name but using a different address.

6. Make your checks payable to criminals. If you're like most people, you wouldn't post your checking account information on your front door, though you should if you'd like to be a victim of fraud. Similarly, checks reflecting the same information can be dropped casually into unsecured mailboxes. Statistically the chances of your mailbox being targeted by criminal elements are low, but not that low. According to the 2008 Identity Fraud Survey Report from Javelin Strategy and Research, almost 1 in 10 victims of identity theft who can pinpoint the scene of the crime say that it happened at the mailbox.

7. Opt out? Opt in! While you're mailing checks from the unlocked mailbox, go ahead and get credit card companies to send you all the pre-approved offers that the postman can cram into the box. Similarly, don't get credit card statements online; leave them on the side of the road so that they're more convenient for fraudsters who lack the technical knowledge or follow-through to launch complicated hacking schemes.

What you should really do:

Don't use the mailbox by your front door as an outbox just because it is convenient. Take your bills to the bank to pay or drop them off at a real post office. Anything you do get that has your identifying information on it like a pre-filled out credit application should go through a good cross cut paper shredder before leaving your place.

8. Nothing is too good to be true. Everyone wants to feel special and maybe more importantly, filthy rich. When reading an emailed proposition from an African business tycoon, an imperiled prince or downtrodden heiress offering millions of dollars in exchange for some small measure of assistance, it's difficult not to wish it were true. Falling for the story will undoubtedly lead to unpleasantness.

What you should really do:

Don't let your greed get the better of you. While the 'I have umpteen million dollars that I'm trying to sneak out of the country' e-mails are getting old hat, people are still falling for them. What is more insidious is the 'work at home as an agent' e-mails that make it sound so easy. All you have to do is deposit a check or two each week into your personal bank account and wire transfer the funds to 'the company'. You either end up out the entire amount when the check is returned NSF, or you are working for organized crime as a money launderer.

The Internet is a wonderful and scary place at the same time. Be educated and play safe.

- Shaun

Monday, April 28, 2008

Mark Hofman Reports a Surge in His Spam - Are You So Lucky?

Mark, as the handler on duty at the Internet Storm Center, was nice enough not only to read all his spam for the week (about 2500 messages) but also to put together a nice chart showing what type of spam he was getting and from where:

Description: Greeting card
  Email origin: Germany
  Notes: URL link to an exe. 28/33 AV products detected the file; three days ago it was 4.

Description: Viagra/Cialis messages
  Email origin: Texas, Latvia, Paris, Russia, Chile; Mount Laurel (US), US, Italy, Israel
  Notes: Links to a Canadian Pharmacy web site.

Description: Viagra/Cialis meds
  Email origin: France
  Notes: Web site "Canadian Healthcare".

Description: Movie downloads (in Chinese)
  Email origin: Argentina
  Notes: Nothing, no links and nothing nasty; maybe a trial run.

Description: Herbal remedies
  Email origin: USA, Germany, Sweden; Oman, Lithuania, Brazil
  Notes: Products to enlarge body parts. The message contained a URL to one of three sites hosted in the same address range. The registrar owns 695 other domains; received 50 of them.

Description: Lottery*
  Email origin: UK, Canada, Greece
  Notes: So far this week I have won about $500,000,000, not bad for not entering any lotteries. The majority were sent from UK machines, machines at one particular facility.

Description: Click fraud
  Email origin: Spain, Bolivia, Poland
  Notes: The links in the message are ad click redirects.

Description: Paypal
  Email origin: US, France
  Notes: The usual phishing exercise aimed at extracting account information.

Description: I am Lonely Tonight
  Email origin: Turkey
  Notes: The usual I'm lonely tonight emails. If you respond it goes into how she wants to travel and can't you help her out.

Description: Fake goods
  Email origin: Bombay, Russia, Bahrain, Greece, Italy; Turkey, Slovak Republic, Thailand
  Notes: Fake goods, watches, bags, etc.

Description: Business proposal (419 messages)
  Email origin: US, Germany, Los Angeles, United Arab Emirates, The Netherlands, Japan
  Notes: Transfer money and get a percentage.

Description: Work offers
  Email origin: Belgium
  Notes: Work for a few hours per week and make thousands; most of these linked to professional-looking sites. Typically they are recruiting for mules.

Description: Threats
  Email origin: Turkey, Russia
  Notes: There have been a few variants of these doing the rounds.

> Source: http://isc.sans.org/diary.html?storyid=4343

This is a lot of work that Mark has gone through but it does highlight the value of good metrics or ways of gauging how effective an anti-spam system is.

Here at the CudaMail support desk we occasionally get a client who is at first very upset that they got 5 spam messages in their inbox this morning and asks, can't we do something about it? They are usually very thankful when we provide them with a report, similar to the one below for their domain, showing that tens of thousands of messages have already been blocked for them. Those 5 messages are the start of a new campaign that they were unlucky enough to receive the first few messages of, and now that they have provided us with samples to work with we can stop this campaign in its tracks too.

Sample CudaMail Spam Quarantine Summary





> Click CudaMail_Summary_for_Domain.pdf (12.76 KB) to download the PDF sample

This also highlights the different perceptions we have as anti-spam specialists and the typical end-user or client. From our perspective we are fighting the good fight and our efforts are winning the war on spam. We block millions of messages a day and allow only a few tens of thousands to be delivered to the client. Typical statistics are that on average 97 out of every 100 messages are spam, and this is with a very low false positive rate (false positive = marking a wanted message as spam).

What is The Customer's Perspective On The Same Volume of Messages?

They are going about their important work without being bothered by those 97 out of 100 messages that are spam so when a few messages slip through to them all of a sudden they are being "flooded" with spam. Same numbers but a very different perspective on the issue.

What Can You - the CudaMail End-User - Do to Help Out?

1. Keep us in the loop. "One person's spam is another person's ham" as the saying goes, so we don't know what you did or did not sign up for online. We maintain a number of spam traps and are always looking for new spam messages, but we may not be first in line when a spammer fires up his money-making spam bot and sends out the latest surge. So if you are the lucky one to be first on the spammer's list and get a spam sample, there are two very good ways to provide this feedback to CudaMail support.

2. Install and use the Outlook plug-in. For those of you who use Microsoft Office with the full Outlook e-mail client, the plug-in is the easiest way to send spam samples back to CudaMail support, and we have blogged about this before. Plug-ins are now available for other e-mail clients (Thunderbird 2.x and Lotus Notes 6.5, 7 and 8) but these are undergoing beta testing right now.

You can read my blog post about it by going here:


3. Debug-ID. For those who don't run Outlook or don't want to run a beta plug-in you can simply forward just the Debug-ID of the unwanted messages to the support@CudaMail.com address.

A quick 'How to display full headers in client x' can be found at the following URL:

While support only needs the one line with the X-ASG-Debug-ID: number on it, go ahead and forward all the information in the full headers on to us. What you do not want to do is forward the spam message body along with the full headers. What happens more often than not is that the CudaMail system takes your spam sample, reprocesses it and blocks it before it gets to support. We don't know that you were trying to send us this sample and can't do anything about it because we didn't get it in the first place. Now, typically we don't respond to every message providing a spam sample, but we do review each and every one of them and make sure that the system will block them in the future.

With the above two thoughts in mind - perspective and feedback - what do you - the CudaMail client - want to see from the CudaMail system? Do you want to be sent reports on a regular basis (Daily, Weekly or Monthly) or will this just add to your information overload?

We look forward to hearing from you either in the comments below or direct to support@CudaMail.com.

- Shaun

Friday, April 25, 2008

Spammers Take Advantage of the Tax Season

Spammers are continuing to use the oldest trick in the book - social engineering - to try to get you to be part of their plan. The US CERT (Computer Emergency Readiness Team) has released a number of advisories over the last few weeks on recent Spammer tricks of impersonating someone trusted, like the tax department or a trusted news source, to get you to click on one of their web links.

Here are some recent samples:

IRS Rebate Phishing Scam
Federal Subpoena Spear-Phishing Attack
Radiation Leak - from a trusted news source
The text included with the links the Spammers send may make your pulse race (I can get my Tax rebate now!) and thus they try to get the emotional part of you to take control of your mouse before the logical part of your brain (This sounds fishy - better be safe and delete this message or call them direct to confirm) kicks in.

Guess what? - By clicking on the link you played right into the Spammer's plan and you either filled in a form (Phishing) and gave them information they can use to steal your identity or money, or your computer got infected and is now playing its part in sending out Spam.

How do you keep yourself safe while on the Internet?

Install and use a good anti-virus / anti-malware product and keep it up to date.

Take the time - once a month at least - to do a full update for security patches and then do a full anti-virus / anti-malware scan of your computer.

Use some reputable online scans to double check on your Anti-Virus.

F-Secure Health Check Online scanner
  • www.f-secure.com/healthcheck/
Panda Active Scan
  • www.pandasecurity.com/canada-eng/homeusers/solutions/activescan/default.htm?track=80383
Kaspersky

Secunia's Online Scanner (checks to confirm your software is up-to-date)
(Warning - These companies use these online services to try and sell you on their products - you may have to provide an e-mail address to start one or more of these services so you may get marketing related messages after using these services)

At work you will want to use a higher-end firewall (such as a firewall from Fortinet or Secure Computing) or a dedicated web filter appliance (from Barracuda Networks) with a second layer of anti-virus / anti-malware / web content filtering between your computers and the Internet.

Spammers are the problem but we have to do our best to be part of the solution!

- Shaun

Friday, April 18, 2008

Are Anti-SPAM Solutions Failing or Are There Simply More Barbarians at the Gate?

New figures suggest that 92.3 percent of all email sent globally during the first three months of 2008 was Spam [1] and a second report indicates that the top botnets, if they worked together, are capable of sending over 100 billion Spam emails per day [2].

The data from Sophos also indicated that 23,300 new Spam-related web pages were created every day during the period, or one about every three seconds.

Each and every one of these 2.1 million URLs has to be discovered and added to the 'Intent' or URL database to be able to block them all, and you wonder why a few slip through the cracks?

Building a botnet first and then building 2.1 million web pages is a lot of effort to go through to send Spam touting the 'generic blue pill' or the latest 'real genuine copy' of the latest trendy fashion item be it a 'Designer Shoes Collection from Gucci Ugg Prada Chanel Dsquared' or other.

So Why Do Spammers Go To So Much Effort?

A recent National Geographic special called Illicit: The Dark Trade revealed the impact that all of these "knock-off" drugs, clothing, and accessories are having on the world (definitely worth watching). I didn't realize that the trade in counterfeit goods is a 600 Billion Dollar (USD) a year - yes that's a B, Billion - industry [3] and a lot of it is done by international crime rings.

If they get caught for a counterfeit purse or shoe the sentence they get is a lot lighter than if they were trying to sell illegal drugs but it is the same people that do both and for the same reasons - to take advantage of you and your desire for a deal. The special also showed that counterfeit goods are more than just the 'real fake watches' as everything from toothpaste, mouthwash, generic drugs, automotive and airplane parts are being counterfeited as well. You think that 'blue pill' you bought online for such a deal was the real thing? Think again - it probably contained Borax bleach, chalk and paint - if you're lucky!

It has often been said that if people just stopped buying from the Spammers then there would be no financial incentive for them to send their Spam emails.

Let's try this statement on for size - if you purchase something promoted by a Spam message that sounds too good to be true - it is likely a counterfeit item and you are directly contributing to organized crime and terrorism.

Now go out there and play safe.

- Shaun

[1] www.itnews.com.au/News/74071,new-spam-site-found-every-three-seconds.aspx

[2] www.secureworks.com/research/threats/topbotnets/?threat=topbotnets

[3] www.iacc.org/counterfeiting/counterfeiting.php

Wednesday, April 16, 2008

The Register - "Security Gumshoes Locate Source of Mystery Web Compromise"

According to John Leyden (from "The Register") in his article "Security gumshoes locate source of mystery web compromise", the source of the mystery injection of more than 10,000 websites back in January has been uncovered!

He says:

"Thousands of legitimate websites were compromised at the start of the year to serve up malware, as we reported at the time.

It seemed that the exploitation of SQL Injection vulnerabilities was involved in the automated attacks. The precise mechanism was unclear until earlier this week when security researchers discovered a malicious executable later linked to the attack on a hacker site.

The hacker utility used search engines to find insecure websites that it then tried to exploit using an SQL injection attack. The exploit included an SQL statement that tried to inject a script tag into every HTML page on the website.

The tool - which had an interface written in Chinese - was programmed by default to insert a tag to the same malicious JavaScript file that featured in the January attack, solid evidence that it was at least partially behind the assault.

The tool runs a script called pay.asp, hosted on a server in China. This suggests that hackers running the attack were keeping count of the number of sites they had compromised, in order to work out how much they stand to get paid.

Further analysis of the tool by security researchers at the SANS Institute's Internet Storm Centre (ISC) is ongoing. The tool came to their attention via a tip-off from Dr Neal Krawetz. The initial attack was uncovered by security researcher Mary Landesman, of ScanSafe, who described it at the time as a new type of compromise.

The constant, changing flux of the malicious JavaScript served up by compromised sites made initial analysis difficult. With the benefit of the hacker tool used to pull off the attack this all becomes much clearer, much like it was easier for scientists to unravel a cure for the mystery pandemic that blighted mankind in Twelve Monkeys after they obtained a sample of the pure source.

"The nice thing about this is that we finally managed to confirm that it is SQL Injection that was used in those attacks. The tool has more functionality that we still have to analyze but this is the main purpose," writes ISC handler Bojan Zdrnja.

Website owners ought to use the discovery as a wake up call on the need to ensure that their web applications are secure, he added."

If you're worried about SQL injection and other attacks on your website then you should take a look at Barracuda Network's newest solution called the Website Firewall. For more information or to arrange for an eval unit please visit: www.BarracudaNetworks.ca/Searchresult.aspx?CategoryID=74.

Thursday, April 10, 2008

My Predictions on McAfee's Global 'Spammed Persistently All Month' or S.P.A.M. Experiment

Don't get enough spam already and think you should get more? Then you will probably feel jealous of the 50 participants of McAfee's global Spammed Persistently All Month (S.P.A.M.) experiment of April. These 50 regular Joes, ranging from a 17-year-old high school student (Hello Zach) to a mother of three (Zach's Mom Tracy) and a university student (Katya) among others in all areas of the globe, are the guinea pigs in this experiment to run throughout April 2008.

Basically these participants have been given a dedicated laptop, a pre-paid credit card and a mission. Their mission is to do everything wrong and see what the results are. They are going to respond to Spam messages - buy the 'Genuine Replica Watches' on-line and sign up for everything they can and see what happens. William reported on Day 2 that without any protective software running he received 160 Spam messages and is getting pop-ups and browser hijacks 'on a regular basis'. The Blogs are a very interesting read.

Here Are My Predictions:

1. The laptops that these people are using will become a "willing soldier" in one of the Spam Bot armies lurking out there and may end up sending themselves (and us) more Spam. How is that for irony?

- Collectively the top botnets are capable of sending over 100 billion Spam messages per day*

2. Malware - The laptops will have to be wiped and re-installed for everyone at least once during the month. They are going to do this anyway for the participants at the end of the experiment before they get to keep them so this will be good practice. I'm not sure I would trust these laptops even after they are wiped though with the rootkits that are now being incorporated into the Bot software. Reports are coming in already that the laptops are slowing down and becoming unresponsive.

3. Massive consumption of time - the management of this Spam will take more and more time until these participants will not be able to do anything but read and reply to e-mail all day long.

4. Cyber Crime - all the participants have been given 'new identities' just like someone in the witness protection program to use online. I predict that some of these identities will be sold on the black market and thus stolen.

McAfee is of course going to use this experiment to advertise that there is a lot of Spam out there and that you need protection but I could have told you that - just look at the CudaMail statistics page. ;)

- Shaun

* Source: www.secureworks.com/research/threats/topbotnets/?threat=topbotnets

For More Information:

www.mcafeespamexperiment.com
www.echannelline.com/canada/printer.cfm?item=DLY040708-2

Wednesday, April 2, 2008

You Have Invested In A Spam Filter But Continue Getting Spam - What Is Wrong With This Picture?

Let's talk about what you can to do help make your e-mail both more reliable and keep Spam out of your client's mailboxes.

First, most people have this idea that e-mail is both near instant and 100% reliable - unfortunately, both of these ideas are 100% wrong!

The SMTP protocol was designed when Internet links were both unreliable and slow, therefore the protocol was built to be resilient and to retry failed messages. However, the link speeds have now increased and have become more reliable, therefore people have gotten used to their e-mail arriving really quickly and so they have come to the unreasonable expectation that e-mail is near instant and 100% reliable.

Let's look at a couple of scenarios that will show that this is not the case as well as address some ways to increase your control over your e-mail server's level of reliability.

Case 1 - Single Mail Exchanger

A lot of e-mail domains right now have only 1 Mail eXchanger (or MX record) typically pointing to a single mail server at the head office.

So what happens if your Internet connection goes down or there is some "hiccup" with the mail server or your firewall (you do have a hardware firewall don't you?). Anyone who tries to e-mail you will not be able to, and the sender may get an undeliverable message (or not) from their mail server after some period of time.

The Sending mail server should be configured to retry this message to you a number of times at some interval both of which are set solely by the administrator of the sending mail server. In other words, you have no control over how often they will try again or for how long and it will be different for each and every mail server that is trying to send to you. Talk about a troubleshooting nightmare!

Case 2 - Backup Mail Exchanger

When you publish an MX record via DNS one of the properties of the record is a preference. Here is an example (fictitious) domain and the tools you would use to see what your MX record points to:

nslookup -type=mx somedomain.com
Non-authoritative answer:
somedomain.com MX preference = 10, mail exchanger = mail.somedomain.com
somedomain.com MX preference = 99, mail exchanger = smtp.SomedomainISP.com

What the above record is saying is that when sending e-mail to 'yourbuddy@somedomain.com' to first try sending it to the mail server named 'mail.somedomain.com' and if that fails to try and send the e-mail through the mail server named 'smtp.SomedomainISP.com'. Your ISP may even include this service for free if you ask them, however these 'store and forward' backup mail servers typically just accept and forward messages WITHOUT anti-spam processing and since they are from a trusted source (your ISP) most mail servers are configured to accept without further processing.

Guess what? The Spammers are aware of this little fact and will, in violation of the standard, try to send e-mail to your domain through your backup or secondary MX record. This is how a lot of Spam sneaks in today - it takes the back door and doesn't get challenged by the security guard at the front door - your primary anti-spam solution.
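One way to see how much of your Spam is taking the back door, as an added example (not CudaMail or Barracuda code): parse the MX records into preference order, then walk each message's Received: headers to find the MX host that first accepted it from the outside. Domain names, headers and verdicts are all constructed to mirror the fictitious somedomain.com above.

```python
"""Audit which MX host each inbound message actually entered through.

Added example for the backup-MX 'back door' described in Case 2; it is not
CudaMail or Barracuda code. Domain names, headers and verdicts are all
constructed, mirroring the fictitious somedomain.com in the post.
"""
import re
from collections import Counter

# Constructed nslookup output for the fictitious domain (same shape as the post).
NSLOOKUP_OUTPUT = """\
Non-authoritative answer:
somedomain.com MX preference = 10, mail exchanger = mail.somedomain.com
somedomain.com MX preference = 99, mail exchanger = smtp.SomedomainISP.com
"""

MX_RE = re.compile(r"MX preference = (\d+), mail exchanger = (\S+)")
# The 'by <host>' clause names the server that accepted the message on that hop.
RECEIVED_RE = re.compile(r"^Received:.*?\bby\s+([\w.-]+)", re.IGNORECASE | re.DOTALL)


def parse_mx(text):
    """Return [(preference, host), ...], lowest preference (primary) first."""
    return sorted((int(p), h.lower()) for p, h in MX_RE.findall(text))


def split_mx(mx_records):
    """Primary is the lowest-preference host; everything else is a backup."""
    primary = mx_records[0][1]
    backups = {host for _, host in mx_records[1:]}
    return primary, backups


def entry_mx(received_headers, mx_hosts):
    """Return the MX host that first accepted the message from outside.

    Each hop prepends its own Received: header, so the earliest hop through
    one of our MX hosts is the LAST matching header in the list."""
    entry = None
    for header in received_headers:
        match = RECEIVED_RE.match(header)
        if match and match.group(1).lower() in mx_hosts:
            entry = match.group(1).lower()
    return entry


def audit(messages, mx_records):
    """Count messages by (route, verdict); route is primary, backup or unknown."""
    primary, backups = split_mx(mx_records)
    mx_hosts = {primary} | backups
    counts = Counter()
    for msg in messages:
        entry = entry_mx(msg["received"], mx_hosts)
        if entry == primary:
            route = "primary"
        elif entry in backups:
            route = "backup"
        else:
            route = "unknown"
        counts[(route, msg["verdict"])] += 1
    return counts


def backup_spam_share(counts):
    """Fraction of all spam that slipped in through a backup MX."""
    spam_total = sum(n for (_, verdict), n in counts.items() if verdict == "spam")
    return counts[("backup", "spam")] / spam_total if spam_total else 0.0


# Constructed Received: chains, top-down as they appear in the headers.
VIA_PRIMARY = [
    "Received: from mail.somedomain.com (mail.somedomain.com [192.0.2.10]) "
    "by exchange.somedomain.local with ESMTP; Wed, 2 Apr 2008 09:00:12 -0600",
    "Received: from mx.partner.example (mx.partner.example [198.51.100.5]) "
    "by mail.somedomain.com with ESMTP; Wed, 2 Apr 2008 09:00:10 -0600",
]
VIA_BACKUP = [
    "Received: from smtp.SomedomainISP.com (smtp.somedomainisp.com [192.0.2.25]) "
    "by mail.somedomain.com with ESMTP; Wed, 2 Apr 2008 09:05:40 -0600",
    "Received: from unknown (HELO friend) (203.0.113.7) "
    "by smtp.SomedomainISP.com with SMTP; Wed, 2 Apr 2008 09:05:31 -0600",
]
# 'verdict' is what a human review decided, not what any filter tagged.
SAMPLE_MESSAGES = [
    {"received": VIA_PRIMARY, "verdict": "ham"},
    {"received": VIA_PRIMARY, "verdict": "ham"},
    {"received": VIA_PRIMARY, "verdict": "spam"},  # the rare one the filter missed
    {"received": VIA_BACKUP, "verdict": "spam"},
    {"received": VIA_BACKUP, "verdict": "spam"},
    {"received": VIA_BACKUP, "verdict": "ham"},    # legitimately queued during an outage
]

if __name__ == "__main__":
    tally = audit(SAMPLE_MESSAGES, parse_mx(NSLOOKUP_OUTPUT))
    for (route, verdict), n in sorted(tally.items()):
        print(f"{route:8s} {verdict:5s} {n}")
    print(f"share of spam via backup MX: {backup_spam_share(tally):.0%}")
```

If the backup share is anywhere near the primary's, the secondary MX is doing no filtering and is exactly the door Case 3 below is meant to close.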

So what is the solution to this problem?

Case 3 - Spam filtered MX Backup service.

Make sure your backup or secondary MX record points to a system or systems that are as hard on Spam as the protection on or in front of your mail server. This is the reasoning behind our CudaMail MX Backup Service.

We (Optrics Engineering) have been Barracuda Diamond Partners for a number of years and have seen the above problems (Case 1 and Case 2) a number of times with the clients we deal with and are offering not just an MX backup service but a Spam Filtered MX Backup Service. We have a redundant cluster of Barracuda Spam Firewalls that we use to provide primary anti-spam protection for smaller organizations but can use these same servers to accept, scan for Spam and deliver to your mail server in the event that your anti-spam solution goes off-line or your Internet connection or firewall has an issue.

This cluster is configured to retry delivery to your mail server every 15 minutes for up to 48 hours. Those pesky Spammers who try to sneak in through the back door are going to be very surprised when they run into the CudaMail service on your secondary MX records and you now know how often and how long you have before people get an 'undeliverable' response back.

While e-mail is not 100% guaranteed the above service puts you in control and slams the door in the face of the Spammers.

Now go have a nice (Spam-free) day!

- Shaun

Tuesday, April 1, 2008

Happy April Fool's Day - Don't Be An E-mail Fool!

April Fool's Day is upon us - don't be an e-mail fool - as the Spammers will be trying to take advantage of our love of a good laugh.
 
As always be very careful when you get an e-mail that you don't expect. Just last week my own wife sent me a video via e-mail and the first thing I did was call her and ask if she had sent it to me. It turns out she had but it could easily be an e-mail containing Spam/malware like the latest storm being reported on by the Internet Storm Center.

Storming into April on Fools Day

http://isc.sans.org/diary.html?storyid=4222

Here are some subject lines to watch out for (there may be more variations):

  • All Fools' Day
  • Doh! All's Fool
  • Doh! April's Fool.
  • Gotcha!
  • Gotcha! All Fool!
  • Gotcha! April Fool!
  • Happy All Fool's Day.
  • Happy All Fools Day!
  • Happy All Fools!
  • Happy April Fool's Day.
  • Happy April Fools Day!
  • Happy Fools Day!
  • I am a Fool for your Love
  • Join the Laugh-A-Lot!
  • Just You
  • One who is sportively imposed upon by others on the first day of April Surprise!
  • Surprise! The joke's on you.
  • Today You Can Officially Act Foolish
  • Today's Joke!
The e-mails either contain or have links to a nasty malware payload.

The download is a binary, also with varying names:

foolsday.exe
funny.exe
kickme.exe

In your e-mail it will look something like this:

April Fool's Day http://276.233.234.297 <= This is an invalid link intended to be harmless

CudaMail blocks .EXE attachments by default so anyone using our CudaMail managed anti-spam service is not going to be getting any of the malware payloads but some of the links may slip through.

We are blocking new variants as quickly as they are discovered but the best defense is to be educated to not click on unsolicited links.

Consider yourself educated. :)

- Shaun

Friday, March 28, 2008

Why You Want to Pay for Your Reputation Database

As some of you may know,  ORDB.org (aka the Open Relay Data Base) was one of the original real time or IP based black lists. The idea was that as your mail server or anti-spam service (like CudaMail) was getting a connection from a sending mail server you could ask ORDB.org if the senders IP address was known to ORDB and if it was you had a pretty good idea that you didn't want to accept this e-mail as it was most likely spam being routed through an open relay mail server.
 
Well after running as a free service for years the ORDB.org service was shut down on December 18, 2006 and instead of replying it would just time out.  Not a big deal and since your mail server didn't get a reply either way you went on to other tests. They announced that they were going off-line and at some time in the future they would be replying with a positive result to any new queries. This has happened many times over the years with various free anti-spam databases for a variety of reasons. Most administrators didn't notice the ORDB.org announcement or put the removal of this test on their 'to do' list and promptly forgot about it until now.
 
So on March 25, 2008, after giving fair warning, the DNS servers for ORDB.org started to answer every query with a positive result. All mail servers still using a SPAM filtering solution that references ORDB (relays.ordb.org) started to immediately block all incoming e-mails regardless of their real status as spam sources. You can't blame the admin of ORDB.org as they were doing this service for free and had been paying for the bandwidth used up by all these timed out queries for the last 2 years.
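The ORDB failure is detectable before it blocks your mail. Here is an added example (not CudaMail or Barracuda code) of a DNSBL client that checks the RFC 5782 test entries before trusting a list: 127.0.0.2 must be listed and 127.0.0.1 must not be, so a zone that answers positive for both has gone the way of ORDB and is skipped. The resolver is injected so the check runs offline against constructed zones; the zone names are made up.

```python
"""DNSBL lookup that refuses to trust a list which has gone 'always positive'.

Added example, not CudaMail or Barracuda code. The resolver is injected so
the logic runs offline against constructed zones; in production pass
live_resolver. Zone names below are made up.
"""
import socket
from typing import Callable, Dict, Iterable, Optional

# A resolver maps a DNS name to an A record string, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]


def live_resolver(name: str) -> Optional[str]:
    """Real DNS lookup; NXDOMAIN (or any lookup failure) is reported as None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def dnsbl_name(ip: str, zone: str) -> str:
    """DNSBLs are queried with the octets reversed: 1.2.3.4 -> 4.3.2.1.zone"""
    return ".".join(reversed(ip.split("."))) + "." + zone


def zone_is_healthy(zone: str, resolve: Resolver) -> bool:
    """RFC 5782 test entries: 127.0.0.2 must be listed and 127.0.0.1 must not.

    A zone that lists both is answering everything (what ORDB did when it
    retired); a zone that lists neither is empty or unreachable. Either way
    its verdicts are worthless and the zone should abstain."""
    return (resolve(dnsbl_name("127.0.0.2", zone)) is not None
            and resolve(dnsbl_name("127.0.0.1", zone)) is None)


def check_sender(ip: str, zones: Iterable[str], resolve: Resolver) -> Dict[str, str]:
    """Per-zone verdict: 'listed', 'clean' or 'unhealthy' (zone skipped)."""
    verdicts = {}
    for zone in zones:
        if not zone_is_healthy(zone, resolve):
            verdicts[zone] = "unhealthy"
        elif resolve(dnsbl_name(ip, zone)) is not None:
            verdicts[zone] = "listed"
        else:
            verdicts[zone] = "clean"
    return verdicts


def should_reject(verdicts: Dict[str, str]) -> bool:
    """Reject only on a 'listed' from a healthy zone; unhealthy zones abstain."""
    return any(v == "listed" for v in verdicts.values())


def naive_should_reject(ip: str, zones: Iterable[str], resolve: Resolver) -> bool:
    """What a filter without the health check does: any answer means reject."""
    return any(resolve(dnsbl_name(ip, zone)) is not None for zone in zones)


# --- Constructed zones for the offline demo -------------------------------
# GOOD_ZONE lists the RFC test address and one known relay.
# RETIRED_ZONE answers every query, like a list that has shut down.
GOOD_ZONE = "good.bl.example"
RETIRED_ZONE = "retired.bl.example"
GOOD_LISTINGS = {dnsbl_name("127.0.0.2", GOOD_ZONE), dnsbl_name("198.51.100.9", GOOD_ZONE)}


def fake_resolver(name: str) -> Optional[str]:
    """Constructed resolver standing in for DNS during the demo."""
    if name.endswith("." + RETIRED_ZONE):
        return "127.0.0.2"  # positive for everything, including 127.0.0.1
    if name in GOOD_LISTINGS:
        return "127.0.0.2"
    return None


if __name__ == "__main__":
    for sender in ("198.51.100.9", "203.0.113.5"):
        verdicts = check_sender(sender, [GOOD_ZONE, RETIRED_ZONE], fake_resolver)
        print(sender, verdicts, "reject" if should_reject(verdicts) else "accept",
              "(naive filter would reject:", naive_should_reject(sender, [GOOD_ZONE, RETIRED_ZONE], fake_resolver), ")")
```

Running the health check once per zone at startup (and again on a timer) is enough; a mail server that forgets a retired list on its 'to do' list is exactly the one that starts rejecting everything.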
 
While the CudaMail system does still use some of the no-charge databases out there to block spam, it does not use ORDB.org. Barracuda Central has also been actively working on their own internal reputation system. The Barracuda Reputation system is very mature at this point, with the end result that this database is flagging new spam sources before the no-charge databases like ORDB.org used to do. The real benefit of Barracuda Central maintaining this database is that there are dedicated people paid to maintain it as part of their business plan, and the problems experienced by people who rely on the free databases will not happen to CudaMail.

Now go have a nice spam free day!

- Shaun Sturby

Wednesday, March 19, 2008

What is 'False Spam?'

'False Spam' is the name for messages that are blank or contain garbled text with no links or real message.

Yes, they are unwanted messages but there is no real 'body' to the Spam - just some garbled words. The message that the Spammer wanted to send was not included and thus these messages are ineffective as Spam.

Why would the Spammers want to send 'False Spam'?

Just speculating here but it could be anything from someone doing a 'test spam run' that got away on them and sent nonsensical random text without the advertisement. If that is the case then 'Silly Spammer - you wasted your money on this one!'

It could also be an effort to see what did get through by using 'Out of Office' replies or 'Delivery Receipts' to capture valid e-mail addresses. If the Spammer gets any response back except 'undeliverable', then they know that there is a valid e-mail address on the other side. It is a good idea not to send these 'Out of Office' messages outside your organization if at all possible. It is also a good idea to disable 'Delivery or Read receipts' in both your e-mail client and your mail server, even though some people rely on them.

A third possibility is that Spammers may be trying to poison the Bayesian or statistical database by sending out these random words and phrases. A poisoned database will make it that much harder to pick the Spam out of the noise and could result in more false positives.
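To show what that third possibility does to a statistical filter, here is an added example (not the Barracuda Bayesian engine): a toy naive-Bayes scorer trained on a handful of constructed ham and spam messages, then fed 'False Spam' made of random words drawn from the legitimate vocabulary. The same legitimate message is scored before and after the poison goes in.

```python
"""Toy naive-Bayes spam scorer showing how random-word 'False Spam' can poison
a statistical filter.

Added example, not the Barracuda Bayesian engine. All training text is
constructed; the poison messages are random words drawn from the same
vocabulary as legitimate mail, which is exactly what makes them harmful.
"""
import math
from collections import Counter


def tokenize(text):
    return [w for w in text.lower().split() if w.isalpha()]


class NaiveBayes:
    def __init__(self):
        self.words = {"spam": Counter(), "ham": Counter()}
        self.docs = {"spam": 0, "ham": 0}

    def train(self, label, text):
        self.words[label].update(tokenize(text))
        self.docs[label] += 1

    def _log_p_word(self, label, word, vocab_size):
        counts = self.words[label]
        # Laplace smoothing so an unseen word never zeroes out a class.
        return math.log((counts[word] + 1) / (sum(counts.values()) + vocab_size))

    def spam_score(self, text):
        """Log-odds of spam vs ham; positive means the filter calls it spam."""
        vocab_size = len(set(self.words["spam"]) | set(self.words["ham"]))
        total_docs = self.docs["spam"] + self.docs["ham"]
        score = (math.log(self.docs["spam"] / total_docs)
                 - math.log(self.docs["ham"] / total_docs))
        for word in tokenize(text):
            score += (self._log_p_word("spam", word, vocab_size)
                      - self._log_p_word("ham", word, vocab_size))
        return score


# Constructed training data.
HAM = [
    "please review the attached invoice for the quarter",
    "meeting moved to thursday please confirm",
    "attached is the project schedule for review",
]
SPAM = [
    "cheap pills online order now",
    "genuine replica watches order today",
    "discount pills online today",
]
# 'False Spam': no advertisement, just random words that happen to be the
# words legitimate mail uses. If these get learned as spam, ham words start
# to count against the reader's real mail.
POISON = [
    "schedule thursday please the for confirm review",
    "attached quarter the please confirm for thursday",
    "meeting schedule the for thursday please confirm",
    "invoice review please the confirm for schedule",
    "project the thursday please confirm for schedule",
]
LEGIT_MESSAGE = "please confirm the schedule for thursday"


def build(poisoned):
    """Train a model; with poisoned=True the False Spam is learned as spam."""
    model = NaiveBayes()
    for text in HAM:
        model.train("ham", text)
    for text in SPAM:
        model.train("spam", text)
    if poisoned:
        for text in POISON:
            model.train("spam", text)
    return model


def poisoning_effect(message=LEGIT_MESSAGE):
    """Return (clean_score, poisoned_score) for the same legitimate message."""
    return build(False).spam_score(message), build(True).spam_score(message)


if __name__ == "__main__":
    clean, poisoned = poisoning_effect()
    print(f"clean model:    {clean:+.2f} -> {'spam' if clean > 0 else 'ham'}")
    print(f"poisoned model: {poisoned:+.2f} -> {'spam' if poisoned > 0 else 'ham'}")
```

The legitimate message flips from a clear 'ham' to 'spam' once the random-word messages are learned as spam, which is the false positive the paragraph above warns about; it is also why only messages a person has actually reviewed should be fed to the learner.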

Rest assured that CudaMail is working hard to clean up these 'False Spam' messages as quickly as we can.

- Shaun

Monday, March 17, 2008

Will Robert Soloway's Guilty Plea Mean Less Spam?

Notorious 'spam king' Robert Soloway has pleaded guilty to additional charges (fraud and tax evasion) related to his previous conviction for sending out huge volumes of Spam.
 
US Department of Justice indictment against Soloway:
> www.usdoj.gov/usao/waw/press/2007/may/soloway.html
Seattle times article on Soloway's guilty plea on the new charges:
> http://seattletimes.nwsource.com/html/localnews/2004283998_spamking15m.html 
The question to the reader therefore is 'Do you think that this sentence will result in less spam to your inbox?'
 
Sadly the answer is probably 'no' as the trend in Spam is still increasing and human nature, on both sides of the equation, being what it is won't change.
 
There are a number of sites you can go to if you want to look at Spam trends and one such site is Barracuda Central:

www.barracudacentral.com/index.cgi?p=spam
 
You can go there if you want to look at the pretty graphs but the number that jumps out at me is that worldwide the number of messages processed by all Barracuda Anti-Spam Firewalls yesterday was over 2 Billion. 2,277,470,908 to be exact and of that number the vast majority or 2,170,841,992 (95.32%) were blocked as Spam. This is in contrast to the same statistics a year ago where the number of messages processed per day was around 1 Billion per day and the Spam percentage was around 92%.
 
Sadly, the Spam mix is still about 50% off-brand pharmaceuticals and about 25% knockoff products which tells you what is profitable to the Spammers. If people stopped responding to these advertisements and voted with their cash then the Spammers would not be profitable and would have to look elsewhere for their next easy meal.

Will human nature change overnight?
 
Probably not. Consumers want a good deal and are not likely to change and the Spammers have found a financial niche that they fit into so expect the volume of Spam to continue and even increase as the effectiveness of anti-spam solutions like the Barracuda appliances, which CudaMail is powered by, makes the Spammers job that much harder. They will ramp up their efforts to sneak Spam past such solutions rather than change their nature.
 
- Shaun

Monday, March 10, 2008

The Wild Wild West of a Civilized World

A recent report that Spammers are taking advantage of the interest in the US Elections to try and peddle Viagra, along with the other things that Spammers are taking advantage of - like Valentine's Day - makes me think that things are getting worse instead of better, and also makes me wonder if we are going to have to go to some form of 'walled city' for our e-mail.

The SMTP standard was designed to be open and people at that time (about 30 years ago now) wanted such an open system that there are now gaping holes that Spammers are using to send a deluge of Spam to our users.
 
What the Spammers are doing at the moment must be effective, because I review the daily logs from our systems and this is really brought to light when on a Sunday, not a typical business day, our systems process in excess of 1.5 million messages. Out of that number less than 13,000, or LESS than 1% (0.866%), were allowed through to the mail servers. Now we don't claim that we can block 100% of Spam, so there is a very small percentage that gets through; let's say that 1/10 of 1% of the 13,000 is Spam. That means that out of 1.5 million messages only 13 Spam messages got through to our users.
 
This brings up two interesting questions:

1. How many people are buying from Spammers?

- If only a handful of messages are getting through the Spammers must have a high close ratio and a high margin to make this make economic sense.
 
2. Are we going about solving the Spam problem the wrong way?

- Why should we have to process 1.5 million messages when less than 1% are legitimate?
 
Some organizations have to be more open to whom they accept e-mail from because that is the nature of their business - online sales from almost anyone - but what about those organizations that only get a few e-mail messages from a few select partners? Could they set up a closed e-mail system where there is a process to be added to their accept list and all other e-mails are rejected? They could even set up 2 e-mail domains: the first with a few common e-mail addresses like sales@, support@ and billing@ for their public mail presence, and the second - by invite only - domain for their real mail boxes.
 
The first domain will get a ton of Spam but will act like a switchboard with only a few select people having to review the messages and forward them internally to the people that will take action on them. The second domain will not accept e-mail from just any domain so it will be very easy to track down the source of any "Spammy" messages and stop them.
 
What do you think? Have you thought of or implemented a 'walled city' plan for your e-mail? Let us know in the comments.
 
- Shaun

Monday, March 3, 2008

Don't Get Tricked By e-Card Spam!

According to this article at the Internet Storm Center (http://isc.sans.org/diary.html?storyid=4054) the bot handlers are working to build up their Spam sending bot network by sending out e-Card spam.

These seemingly harmless e-mails claim that there is something special for you, either a joke or a surprise, and more often than not will trick you into opening it.

Be part of the solution and don't get tricked by these e-Cards. If you know the sender then confirm with them (not by e-mail) that they really sent it to you.

If they didn't send it or if it is sent anonymously then don't open it no matter how curious you are. There are a lot of other joke sites on the Internet or you can always go have a chat with your Grandpa. :)

- Shaun

Thursday, February 28, 2008

What is The Barracuda/CudaMail Outlook Plug-in & How Do I Use It To Reduce The Level of SPAM I Get?

Do you want to educate the CudaMail system so it understands better what kind of e-mail you want to get and what you consider as spam?

Do you want to have a very easy way to submit SPAM and false positive reports?

Do you want an easy way to keep your white list up to date?

If you answered YES to any of the above questions then you may want to try the Outlook Plug-in.

Getting to Know The Outlook Plug-In:

This very simple toolbar can be installed in the Outlook 2000 to 2007 e-mail client (not Outlook Express or the new MS Mail) to give you some additional options and two new buttons. These Green and Red buttons with an envelope and either a Check Mark (good) or Red X (bad) make the process of sending a report back to the system that you consider a message SPAM or Wanted as easy as clicking on the corresponding button. It can't get any simpler than that!

To download the toolbar simply go to the CudaMail Web Portal and click on the 'Get Mail Client Plugins Here' link at the bottom of the page. (this download link is only for current CudaMail customers - if you have a Barracuda Spam Firewall and want the plug-in go talk to your network administrator)

Per-user Web portal is at https://web.CudaMail.com

Once you download the Outlook Plug-in you have to run it to install it so you need to do this with an account that has administrative access to your PC. After it is installed you should be able to get to the 'Spam Firewall' tab under the 'Tools' - 'Options' menu item and it should look something like this:

What Does This All Mean?

Automatically Update White list: When this option is checked, every time you add someone as a new personal contact or e-mail someone, they will be added to your personal white list. While this sounds like a great idea, you need to login to your personal options area on the CudaMail system on a semi-regular basis to clear out old or stale white list entries and specifically to make sure your own e-mail address is not on the white list.

A typical spammer trick is to send you spam pretending to be you so you do not want to white list your own e-mail address or you will get more spam.

This can happen by accident if you 'reply all' to an e-mail and don't take your e-mail address off or if you are in the habit of always cc'ing yourself.

Additional Button Actions:

Spam: Permanently Delete Message or Move to Deleted Items folder.

While I like to completely get rid of any spam messages by leaving it on the 'Permanently Delete Message' option, you then have no way of easily getting back any message you accidentally marked as Spam. By setting this option to 'Move to Deleted Items folder' you can always rescue it from there if you have an accident.

Not Spam: Add E-Mail addresses to Whitelist. When a message comes through with the subject tagged as spam '[CudaMailTagged] - original subject' and you click on the Green button to submit a 'falsely marked as spam' report, this option will also update your personal whitelist so that this sender's e-mail will not be tagged in the future.

There is a second benefit to the plug-in as it is building your own personal database of 'Good' and 'Bad' messages that are unique to you. Once you have marked at least 200 messages of each type then the statistical analysis or 'Barracuda Bayesian Learning' will kick in and provide additional protection against Spam. You will only be able to mark messages that have been processed by the CudaMail system so don't just select everything in your inbox and try to mark them all as 'good'. What you should do is look at the message and ask yourself 'Did this e-mail come from outside our organization and is it a representative sample of e-mail that I want to get in the future?'

This plug-in is also the answer to questions like the following:

1. How do I automatically whitelist all of my contacts?
2. I get so few messages in the per-user quarantine how am I ever going to get 200 'good' messages?
3. How do I send you samples of spam that I don't want?

Does the Outlook plug-in work with Microsoft Vista?

Yes the Outlook Plug-in versions 2.1.0.5 and above work with Microsoft Vista and Outlook 2007. The plug-in version can be found on the licensing screen when installing the plug-in, or in Microsoft Outlook by viewing the Spam Firewall tab in the Options window. The version number will be located in the bottom-right corner of the window.

If you can, give the Outlook Plug-in a try. I have been using it myself for the last 2 years and I get a sense of joy every time I can click on the 'Spam' button because I know that this is making the Spammer's job that much harder next time.

- Shaun