Spammers Tapping into Legit Reputations
It's not a hugely new development, as spammers have long sought to tie their work to legitimate topics and properties, but researchers have noted that the schemers are increasingly using the names, likenesses and even the online infrastructure of genuine organizations to defeat ISP filtering tools.
As highlighted in Commtouch Software's third-quarter 2008 E-Mail Threats Trend Report, (PDF) released Oct. 16, growing numbers of spammers who have become frustrated with the ISPs' success at blocking their campaigns are more actively spoofing legitimate senders and even hacking into their accounts to get malware links and other e-mail-borne treats into more people's in-boxes.
In that sense, the spammers are gaming the whole notion of reputation-based e-mail filtering, a tactic that ISPs have espoused as one of their most effective tools in identifying problem senders and IP addresses.
"Internet service providers and enterprises are implementing a broad range of filtering tactics, including filtering based on sender reputation, which in turn impact how spammers and malware distributors can reach their goal of penetrating inboxes," Amir Lev, CTO of Commtouch, said in a report summary.
"The growing trend is for spammers to adopt the good reputation built up by other sites and senders in order to bypass reputation-based e-mail filters. They accomplish this in a number of ways, including stealing legitimate e-mail senders' credentials, or compromising e-mail account enrollment processes and automatically registering thousands of free e-mail accounts," Lev said. "This puts ISPs in the uncomfortable position of becoming the source of outbound spam rather than just trying to protect their subscribers from receiving spam."
Again, that's really nothing new for the ISPs, which are already dealing with loads of zombified machines owned by the actual customers that have been turned into spam depots.
However, it has to be frustrating to see one of their best methods for stopping spam being circumvented with relative ease (at least from a technical standpoint).
Among some of the techniques that spammers are using to this end, Commtouch lists:
-Signing up for thousands of free e-mail accounts through the use of compromised CAPTCHAs, allowing spammers to generate a nearly unlimited supply of free e-mail accounts from which to send their messages, without intervention.
-Gaining access to legitimate e-mail accounts via phishing schemes, including many aimed at the student populations at various universities, allowing them to abuse the school's domains.
-Using legitimate hosting sites to host their illegitimate content and creating multiple redirection pages on these sites using compromised CAPTCHAs.
So, this just reinforces the point that users need to look at nearly every message they receive with a critical eye, no matter who or where it looks like it comes from.
In other spam trends, Commtouch reported that:
-Spam levels throughout the third quarter averaged 77 percent of all e-mail, as during the previous quarter, ranging from a low of 61 percent to a peak of 94 percent between July and Sept. 2008.
-Over half of botnet zombies change their IP address daily to evade detection, with Germany having the fastest rate of zombie IP address turnover, at approximately 79 percent per day and China second at 78 percent turnover per day.
-New spam tactics during the quarter included links to Flash (.swf) files, ASCII art spam and hidden Bayesian poisoning text combined with HTML tricks.
As usual, there's no shortage of spam to feast on -- happy clicking.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWEEK and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.