Terry Zink's Cyber Security Blog

Discussing Internet security in (mostly) plain English

Spoof-and-compromise spam technique

Spoof-and-compromise spam technique

  • Comments 3

An antispam technique that has caused some pain in recent days for some customers is that of compromising a user's email account and then using it to send out spam.  This is an example of what I have earlier referred to as diplomatic immunity - hiding within a good IP range in order to send spam.

Here's how it works:

This message is from an organization messaging center to all something.com email account owners. We are currently upgrading our servers and e-mail account management center. We are removing all unused something.com email accounts to create more disk space for new accounts.

To prevent your account from being de-activated, you will have to update it as directed below so that we will know that it is an active account.

Please send:

Last Name:.......................

E-mail Username : .......... .....

E-mail Password : ................

Date of Birth : .................

Warning Code: KB2Z7F9

YOU ARE REQUIRED TO SEND THESE DETAILS TO OUR UPGRADE ACCOUNT TEAM BY SIMPLY REPLYING TO THIS EMAIL.

Although something.com will not normally ask for passwords by e-mail, we have made a one-time exception to this policy in order to verify with certainty the identity of users requesting e-mail account upgrades.

So, the spammer tricks the end-user into supplying them with the user's email credentials.  Later, the spammer logs in to their email account and sends out a plethora of spam.  Because the spam is originating from a legitimate email account, reputation filters won't catch it (at least not IP-based reputation filters).  Content filters have to be up to snuff in order to catch this.  This is quite similar to spammers breaking the Google/Yahoo/Hotmail CAPTCHA in order to send spam from legitimate MTAs.

The defense against this is to do the following:

  1. Tell your users never to give out their email credentials.  This is a good idea but is likely doomed to failure as given a large enough user base there will always be a sample that will do this nonetheless.

  2. Use technology to solve the spam problem by enabling outbound spam filtering.  If you can't stop users from sending out spam, then at least try to catch it by inspecting the content and taking action on mail identified as spam originating from user's accounts.

  3. Use technology to catch the spoofed (not phished) mail at the inbound.  The problem here is that the spoofed mail tricked the end-users, so a spam filter should catch this in order to prevent users from seeing the mail to begin with.  To help spam filters, you need to implement sender authentication.  SPF, at a minimum, should be used to catch spoofed mail in the SMTP MAIL FROM.  Because spammers can get around SPF by spoofing the P2 From, SenderID is another good technique to use.  Of course, if you use our service, you can enable Terry's Message Authentication

Spammers are creative (sometimes) and are always up to new tricks.  In the past year they have been infiltrating services with known good reputations.  This means that the fallback to content filtering will once again become important in the spam battle.

Leave a Comment
  • Please add 5 and 1 and type the answer here:
  • Post
  • "This is quite similar to spammers breaking the Google/Yahoo/Hotmail CAPTCHA in order to send spam from legitimate MTAs."

    Actually it's easier for at least two reasons.

    (1) Spoofing is easier than breaking captchas.

    (2) In spams or other subsequent mail from the pwned account, besides the sending domain being legitimate, the sending account used to be legitimate.

    By the way this technique has been in use for at least 5 years.

    "Tell your users never to give out their email credentials."

    Yeah I agree.  I was pretty upset when an MSN administrator demanded my credentials for MSN = Live = Passport = MSDN = Connect etc.  Since there was a direct chain of e-mail and the MSN administrator's address was the same as always, I delivered.  Of course MSN didn't fix their bugs.  I ought to change that password again though since enough time has passed after that correspondence.

  • Another technique to fool trained users and regular content and bysian engines is to use legitimate links and sites which has very high reputation. We found <a href="http://www.amirharel.com/2008/04/commtouch-trends-report-q108.html">several examples </a>for search engine results used in spam links.

    I guess that spammers are trying to evade anti-spam engines and human filters by making it as lgitimate as they can.

  • Another technique to fool trained users and regular content and bysian engines is to use legitimate links and sites which has very high reputation. We found for search engine results used in spam links.

    I guess that spammers are trying to evade anti-spam engines and human filters by making it as lgitimate as they can.

Page 1 of 1 (3 items)