Spoof-and-compromise spam technique

A spam technique that has caused some pain in recent days for some customers is compromising a user's email account and then using it to send out spam.  This is an example of what I have earlier referred to as diplomatic immunity: hiding within a good IP range in order to send spam.

Here's how it works:

This message is from an organization messaging center to all something.com email account owners. We are currently upgrading our servers and e-mail account management center. We are removing all unused something.com email accounts to create more disk space for new accounts.

To prevent your account from being de-activated, you will have to update it as directed below so that we will know that it is an active account.

Please send:

Last Name:.......................

E-mail Username : .......... .....

E-mail Password : ................

Date of Birth : .................

Warning Code: KB2Z7F9

YOU ARE REQUIRED TO SEND THESE DETAILS TO OUR UPGRADE ACCOUNT TEAM BY SIMPLY REPLYING TO THIS EMAIL.

Although something.com will not normally ask for passwords by e-mail, we have made a one-time exception to this policy in order to verify with certainty the identity of users requesting e-mail account upgrades.

So, the spammer tricks the end-user into supplying the user's email credentials.  Later, the spammer logs in to the user's email account and sends out a plethora of spam.  Because the spam is originating from a legitimate email account, reputation filters won't catch it (at least not IP-based reputation filters).  Content filters have to be up to snuff in order to catch this.  This is quite similar to spammers breaking the Google/Yahoo/Hotmail CAPTCHA in order to send spam from legitimate MTAs.

The defense against this is to do the following:

  1. Tell your users never to give out their email credentials.  This is a good idea but is likely doomed to failure: given a large enough user base, there will always be some users who do this nonetheless.

  2. Use technology to solve the spam problem by enabling outbound spam filtering.  If you can't stop users from sending out spam, then at least try to catch it by inspecting the content and taking action on mail identified as spam originating from users' accounts.

  3. Use technology to catch the spoofed (not phished) mail on the inbound side.  The problem here is that the spoofed mail tricked the end-users, so a spam filter should catch it in order to prevent users from seeing the mail to begin with.  To help spam filters, you need to implement sender authentication.  SPF, at a minimum, should be used to catch spoofed mail in the SMTP MAIL FROM.  Because spammers can get around SPF by spoofing the P2 From (the header From that the user sees), SenderID is another good technique to use.  Of course, if you use our service, you can enable Terry's Message Authentication
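As an added example (not code from the original post), here is a minimal SPF evaluator that checks the connecting IP against both the SMTP MAIL FROM domain (what plain SPF covers) and the header From domain (the SenderID/PRA idea), which is what catches a spoof that passes SPF on a throwaway envelope sender. The SPF records, domains and IPs are constructed so it runs offline; a real checker resolves TXT records over DNS and must also follow include/a/mx/redirect.

```python
import ipaddress
from email.utils import parseaddr

# Constructed SPF records standing in for DNS TXT lookups (no network needed).
SPF_RECORDS = {
    "something.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "example.net": "v=spf1 ip4:198.51.100.10 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, client_ip):
    """Evaluate a domain's SPF record against the connecting IP.

    Deliberately minimal: only the ip4 and all mechanisms are handled;
    include/a/mx/redirect are skipped, which a production checker must not do.
    """
    record = SPF_RECORDS.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            continue  # mechanism not supported by this toy evaluator
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record exhausted without a match


def domain_of(address):
    """Domain part of an address, tolerating 'Display Name <user@dom>' form."""
    return parseaddr(address)[1].rsplit("@", 1)[-1].lower()


def check_message(mail_from, header_from, client_ip):
    """SPF result for the P1 (MAIL FROM) domain and the P2 (header From) domain."""
    return {
        "mail_from": spf_check(domain_of(mail_from), client_ip),
        "header_from": spf_check(domain_of(header_from), client_ip),
    }
```

With the constructed records, a message relayed from 203.0.113.5 with envelope sender bounce@example.net and visible From admin@something.com only softfails on MAIL FROM but hard-fails on the header From domain, which is the spoof the user actually sees.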

Spammers are creative (sometimes) and are always up to new tricks.  In the past year they have been infiltrating services with known good reputations.  This means that the fallback to content filtering will once again become important in the spam battle.