20 November 2010
Posted by: Gom Jabbar
Spamlords vs Cisco CSC-SSM-10

Late night with the Cisco CSC-SSM-10 again, and I’m snuffling like a keen beagle through a week’s worth of accumulated spam that has collected into a catchall address.

The same spam coming from different sender addresses

Sweet Jaysus. What is the point of all this spam? Does anyone ever make any money with these messages, or are they just a trojan delivery system? A bloody nuisance, reducing the signal-to-noise ratio, wearing down the Net’s general bonhomie by attrition. It is preferable to think that this may be some sort of sophisticated corporate strategy disguised as inane emails, meant to increase the deployment of intelligent mechanical sentries. The more spam that floods into inboxes, the more money spent on spam filters, and the smarter the filters become.

I bet this is how SkyNet got enough of a foothold to take over the world.

In the background, another James Cameron movie’s on the telly. Titanic. I haven’t watched this in years. What promised to be a fairly pedestrian love story (with crude feminist symbolism thrown in for the Oscar voters) has been interrupted by the arrival of a ton of floating ice. Panic is just starting to turn the crowd of passengers into a mob. Everyone’s scrambling around the deck to get a seat on a lifeboat.

Our plucky young protagonists ask slow-moving old Colonel Gracie if he knows whether there are any lifeboats left. He says, “Yes, all the way forward. I’ll lead the way.” The pendulous voice of established authority. But our quick young heroes take this information and run off on their own, nimbly weaving through the crowd. I’ve always remembered that little exchange. Why should you let someone else lead the way?

The problem with the CSC-SSM-10 is that its Approved Senders List (and Blocked Senders List) can only match on:

  • specific addresses, or
  • entire domains

No wildcards, so there is no way to write one entry that covers a whole family of similar sender addresses.

In the screenshot below, we have approved linda.lee@arcade.com (a specific sender address) and the entire armitage.com domain. All mail from any sender address belonging to the armitage.com domain will be accepted. We've also blocked molly@razorgirl.com (a specific sender address). Bear in mind that a whole-domain approval trusts any message whose sender address merely claims to be from armitage.com, and a sender address is trivial to forge, so approve domains sparingly.

Approved Senders List configured via the Trend Micro InterScan web interface

So what happens when the spammer keeps rotating the sender address within a domain that you cannot block? In the screenshot below, 3Jane and her later iterations are all sending the same spam message from different addresses in the Tessier-Ashpool.SA domain.

How can we block the Serialz spam without blocking the entire Tessier-Ashpool.SA domain?

What if you normally receive a lot of legitimate email from the Tessier-Ashpool.SA domain? If there are only a few legitimate senders, you could add them to the Approved Senders list and block the rest of the domain. If that is not an option, you are left with two choices: block each of the 3Jane addresses individually (time-consuming, and the spammer will simply mint another one), or block on the email Subject (the better solution, with the caveat that it only holds until the spammer changes the subject line).

Trend Micro InterScan Email Subject Filter

The Message Subject and Body filter is more flexible. You can specify single words (especially useful for filtering out naughty words that violate the acceptable use policy and should never get through, whatever the context) or entire phrases (much more specific, since the exact phrase must match rather than its component words, which on their own may be perfectly benign and would otherwise generate false positives).
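The trade-offs above (blocking one address versus a whole domain, and filtering on a single word versus an exact phrase) can be made concrete with a small model of the filter. The following Python script is an added example, not code from the original post or from Cisco or Trend Micro. The messages, sender addresses and subject lines in it are constructed, and it assumes that an approved-sender entry takes precedence over every block rule, which is what the "approve the few, block the domain" plan above relies on.

```python
import re
from dataclasses import dataclass, field

# Constructed sample traffic (not from the original post). Three copies of the
# same spam arrive from rotating local parts in one domain, alongside one
# legitimate message from that domain and the senders from the screenshots.
SAMPLE_MESSAGES = [
    {"id": "spam1",    "from": "3jane@tessier-ashpool.sa",   "subject": "FREE serialz 4 U"},
    {"id": "spam2",    "from": "3jane2@tessier-ashpool.sa",  "subject": "FREE serialz 4 U"},
    {"id": "spam3",    "from": "3jane.3@tessier-ashpool.sa", "subject": "Fwd: FREE serialz 4 U"},
    {"id": "legit_ta", "from": "ashpool@tessier-ashpool.sa", "subject": "Board meeting, feel free to call"},
    {"id": "molly",    "from": "molly@razorgirl.com",        "subject": "FREE serialz 4 U"},
    {"id": "armitage", "from": "case@armitage.com",          "subject": "Feel free to drop by"},
]


@dataclass
class Policy:
    """Models the two sender lists and the subject filter: exact addresses,
    whole domains, single words and verbatim phrases. No wildcards."""
    approved_addresses: set = field(default_factory=set)
    approved_domains: set = field(default_factory=set)
    blocked_addresses: set = field(default_factory=set)
    blocked_domains: set = field(default_factory=set)
    blocked_words: set = field(default_factory=set)
    blocked_phrases: set = field(default_factory=set)


def sender_domain(address):
    """Everything after the last '@', lower-cased; '' if there is no '@'."""
    _local, at, domain = address.lower().rpartition("@")
    return domain if at else ""


def classify(msg, policy):
    """Verdict for one message. Assumption (not confirmed by the post): an
    approved entry wins over every block rule, then sender blocks are checked,
    then the subject phrase and word rules."""
    address = msg["from"].lower()
    domain = sender_domain(address)
    subject = msg["subject"].lower()
    if address in policy.approved_addresses or domain in policy.approved_domains:
        return "approved"
    if address in policy.blocked_addresses or domain in policy.blocked_domains:
        return "blocked-sender"
    # Phrase rule: the whole phrase must appear verbatim (case-insensitive).
    if any(p.lower() in subject for p in policy.blocked_phrases):
        return "blocked-phrase"
    # Word rule: any listed word appearing as a whole token anywhere in the subject.
    tokens = set(re.findall(r"[a-z0-9']+", subject))
    if tokens & {w.lower() for w in policy.blocked_words}:
        return "blocked-word"
    return "delivered"


def apply_policy(policy, messages=SAMPLE_MESSAGES):
    """Map each message id to its verdict under the given policy."""
    return {m["id"]: classify(m, policy) for m in messages}


def base_policy():
    """The lists from the screenshots: one approved address, one approved
    domain, one blocked address."""
    return Policy(
        approved_addresses={"linda.lee@arcade.com"},
        approved_domains={"armitage.com"},
        blocked_addresses={"molly@razorgirl.com"},
    )


def block_one_address():
    """Blocks the first 3Jane address only; the rotated senders slip through."""
    p = base_policy()
    p.blocked_addresses.add("3jane@tessier-ashpool.sa")
    return p


def block_whole_domain():
    """Stops every 3Jane variant, but also the legitimate mail from the domain."""
    p = base_policy()
    p.blocked_domains.add("tessier-ashpool.sa")
    return p


def block_by_word():
    """Single-word filter on 'free': catches the spam, but also 'feel free to call'."""
    p = base_policy()
    p.blocked_words.add("free")
    return p


def block_by_phrase():
    """Exact-phrase filter: catches every rotated sender, spares the legitimate mail."""
    p = base_policy()
    p.blocked_phrases.add("FREE serialz 4 U")
    return p


if __name__ == "__main__":
    for name, maker in [("one address", block_one_address), ("whole domain", block_whole_domain),
                        ("word 'free'", block_by_word), ("exact phrase", block_by_phrase)]:
        print(f"--- block by {name}")
        for msg_id, verdict in apply_policy(maker()).items():
            print(f"  {msg_id:9s} {verdict}")
```

Run it and compare the four verdict tables: only the exact-phrase rule clears all three 3Jane variants while still delivering the legitimate Tessier-Ashpool message, and the single-word rule shows the false positive that a word like "free" will produce on ordinary mail. The same model also makes the weakness obvious: change the spam's subject line and the phrase rule no longer matches anything.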