Zeus Loves to Spoof


I manage inbound mail for a large set of mailboxes at work; and a number of those mailboxes are on various Zeus botnet spam lists. So, every day, I’m treated to the Zeus botnet “flavor of the day,” giving me insight into who they’re spoofing at any given time. A client asked me why the messages morph so often and I explained that the spammers seem to be continually changing their spam in an attempt evade signature-based identification and blocking. And wow, they sure do morph a lot.
In just the past three weeks, I’ve seen Zeus botnet spew try to pretend to be mail from all of these different companies: Amazon, Bank of America, Bell Canada, Best Buy, Craigslist, Credential Solutions, Esurance, Facebook, Fedex, Groupon, iTunes, LinkedIn, Microsoft, NewEgg, Vistaprint and Zappos. That’s just in three weeks! And I’m not even sure I successfully identified all of the spoofed senders.
This is pretty scary stuff. Uneducated consumers might be fooled into thinking that these are legitimate emails. The companies sending legitimate emails now have to wonder, what can they do to prevent/mitigate these kinds of issues? A smart company probably uses email authentication to help identify their mail as legitimate, but the malicious messages don’t even use their domains. ISPs want to block it, but they’re not always easily identified. It seems to me that impeding delivery of this kind of bad mail requires a whole bunch of moving parts, involving multiple stakeholders in the email ecosystem.
For starters…

  • Companies should authenticate their email messages and email streams. This should be a no brainer, right? Not everybody agrees about the value of email authentication, but if it’s done right, it’s a valuable, stable identifier for domain reputation.
  • Senders and receivers need to agree on rejecting or otherwise more strenuously filter mail that fails authentication. The hotly debated ADSP add-on to DKIM attempts to offer this, but I’m not convinced receivers will utilize it.
  • ISPs need to get better about preventing outbound spew. Port 25 blocking isn’t a new concept, yet few ISPs utilize it. Why not?
  • Quick tracking of sending reputation and fingerprinting of malicious content, for purposes of blocking. Does this exist today? Are ISPs and filterers quick enough at blocking inbound spam in progress?
  • Law enforcement plays a role, as well. But, they’re often slow moving and often have other priorities. And even when they do move, it may not be enough. A bunch of people were arrested in connection to Zeus, but it keeps on trucking.
  • Consumer education; helping end recipients understand what constitutes a  good email message or when a message shouldn’t be trusted. This is necessary, important, but there are always going to be some classes of users that fall for this kind of stuff. Think of it as the “grandma factor.” You really expect that your grandmother will understand what constitutes a malicious message?

That’s what I’ve come up with, off the top of my head. What would you add to this list?

About the author


Add comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

By aliverson

Recent Posts


Follow Us