Thursday, March 22, 2007

Spammers Replying To E-mail You Did Not Send

By Coenraad De Beer

Spammers are always on the lookout for ways to bypass our spam filters, and lately they have been rather successful at it, judging by how many people complain that junk mail is getting past their filters. Spammers are combining old techniques with new ones, making it hard for even the most advanced and best trained Bayesian spam filter to keep junk mail out of our mailboxes.

Last year I came across a poster on Yahoo! Answers asking for advice on a strange e-mail she had received: a reply to an e-mail she never sent. She immediately assumed that a spammer had hacked her e-mail account, sent an e-mail from it to himself and then replied to it. That is not impossible, but there are far easier ways to achieve the same thing without hacking anyone's account.

An e-mail message is just a plain text document: a block of header lines, a blank line and the body, all of which can be edited with a simple text editor like Notepad. Neither the message format nor the protocol that delivers it checks that the address in the "From" header belongs to whoever actually wrote the message. So the spammer simply saves any e-mail to a file, opens it in Notepad, puts your e-mail address in the "From" field, imports the file into an e-mail client and replies to this manipulated e-mail. This is only one of many ways to manipulate an e-mail message.

Spammers commonly use a technique called hash busting: adding random text at the beginning or at the end of an e-mail. The text makes no sense in context and usually consists of excerpts from books, articles and news bulletins. It randomises both the size and the contents of the e-mail, so no two copies look alike and a spam filter struggles to find a pattern on which to base its filtering decisions. For instance, an e-mail consisting of an image only will normally be flagged as spam, but if the spammer adds random text below the image, the e-mail no longer matches that rule. Worse, text lifted from ordinary prose is full of the words a Bayesian filter has learned to associate with legitimate mail, so the junk is scored as less likely to be spam. There are legitimate e-mails like this too, and the spam filter needs additional training to tell which e-mails with an embedded image and text below it are spam and which ones are not.
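To make that dilution effect concrete, here is an added example (not code from the original article or from Cyber Top Cops): a tiny naive Bayes filter trained on a constructed, made-up corpus of three spam and three legitimate messages. The payload and the hash buster text are constructed too. The payload alone scores as spam; the same payload with a few lines of meeting chatter appended scores as legitimate, because every word of the padding is one the filter has only ever seen in legitimate mail.

```python
import math
from collections import Counter

# Constructed training corpus: a made-up stand-in for a real filter's training data.
SPAM_DOCS = ["cheap pills buy now",
             "buy cheap pills online now",
             "click here buy cheap watches"]
HAM_DOCS = ["meeting tomorrow at noon see agenda",
            "see you at the meeting tomorrow",
            "agenda for noon meeting attached"]

# Constructed spam payload and the hash buster text the spammer appends to it.
PAYLOAD = "buy cheap pills now"
HASH_BUSTER = "see you at the meeting tomorrow at noon the agenda is attached"


def tokens(text):
    return text.lower().split()


class BayesFilter:
    """Multinomial naive Bayes with Laplace smoothing; positive log-odds means spam."""

    def __init__(self, spam_docs, ham_docs):
        self.spam = Counter(w for d in spam_docs for w in tokens(d))
        self.ham = Counter(w for d in ham_docs for w in tokens(d))
        self.vocab = set(self.spam) | set(self.ham)
        self.spam_total = sum(self.spam.values())
        self.ham_total = sum(self.ham.values())
        self.prior = math.log(len(spam_docs) / len(ham_docs))

    def word_log_ratio(self, word):
        # Add-one smoothing stops a word unseen in one class from zeroing the whole product.
        p_spam = (self.spam[word] + 1) / (self.spam_total + len(self.vocab))
        p_ham = (self.ham[word] + 1) / (self.ham_total + len(self.vocab))
        return math.log(p_spam / p_ham)

    def log_odds(self, text):
        # Words never seen in training carry no evidence either way and are skipped.
        return self.prior + sum(self.word_log_ratio(w) for w in tokens(text) if w in self.vocab)

    def classify(self, text):
        return "spam" if self.log_odds(text) > 0 else "ham"


def hash_buster_effect(filt=None):
    """Score the bare payload and the padded payload; returns (bare, padded) log-odds."""
    filt = filt or BayesFilter(SPAM_DOCS, HAM_DOCS)
    return filt.log_odds(PAYLOAD), filt.log_odds(PAYLOAD + " " + HASH_BUSTER)


if __name__ == "__main__":
    f = BayesFilter(SPAM_DOCS, HAM_DOCS)
    for text in (PAYLOAD, PAYLOAD + " " + HASH_BUSTER):
        print(f"{f.log_odds(text):+.2f}  {f.classify(text):4}  {text!r}")
```

Each word of padding that the filter has only seen in legitimate mail subtracts from the score, so a long enough excerpt outweighs the handful of "pills" and "cheap" tokens that carry the spam signal. The only remedy the filter has is the one the paragraph names: more training on padded spam, so those words stop looking innocent.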

Some spammers realised that people became suspicious of the senseless text in spam e-mails, so they started to hide it by making the colour of the text the same as the background colour. Others make the text so small that it appears as a thin horizontal line between paragraphs or at the bottom of the e-mail. These cloaking techniques are easily detected by a good spam filter, because a legitimate sender has no reason to put text in a message that the recipient cannot read. So spammers who cloak their hash busters this way fail more often to get through.
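As an added example that is not part of the original article, here is the kind of check a filter can make for this: walk the HTML of a message, carry the text colour, background colour and visibility down the element tree, and separate the text the reader will see from the text the reader cannot. The sample message, the colour names recognised and the threshold (a font size of 2px or 2pt or less counts as invisible) are all my assumptions for the demonstration.

```python
from html.parser import HTMLParser

VOID_TAGS = {"br", "img", "hr", "meta", "link", "input", "area", "base", "col"}
COLOUR_NAMES = {"white": "#ffffff", "black": "#000000"}  # assumption: extend for real use


def norm_colour(value):
    """Bring '#FFF', '#FFFFFF' and 'white' to one spelling so they compare equal."""
    if not value:
        return None
    v = COLOUR_NAMES.get(value.strip().lower(), value.strip().lower())
    if v.startswith("#") and len(v) == 4:            # #abc -> #aabbcc
        v = "#" + "".join(ch * 2 for ch in v[1:])
    return v


def parse_style(style):
    """Split 'a: b; c: d' into a dict; good enough for the inline styles spam uses."""
    props = {}
    for decl in (style or "").split(";"):
        name, sep, value = decl.partition(":")
        if sep:
            props[name.strip().lower()] = value.strip().lower()
    return props


def font_size_value(value):
    """Numeric part of a px/pt font-size, or None for other units and keywords."""
    for unit in ("px", "pt"):
        if value.endswith(unit):
            try:
                return float(value[:-len(unit)])
            except ValueError:
                return None
    return None


class HiddenTextFinder(HTMLParser):
    """Splits the text of an HTML body into what the reader can see and what they cannot."""

    def __init__(self):
        super().__init__()
        # Rendering state inherited down the element tree: text colour, background, hidden flag.
        self.stack = [{"fg": "#000000", "bg": "#ffffff", "hidden": False}]
        self.visible, self.hidden = [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return                                    # no content, nothing to push
        attrs = dict(attrs)
        state = dict(self.stack[-1])
        style = parse_style(attrs.get("style"))
        fg = norm_colour(style.get("color") or attrs.get("color"))
        bg = norm_colour(style.get("background-color") or style.get("background")
                         or attrs.get("bgcolor"))
        state["fg"] = fg or state["fg"]
        state["bg"] = bg or state["bg"]
        size = font_size_value(style.get("font-size", ""))
        if (style.get("display") == "none" or style.get("visibility") == "hidden"
                or (size is not None and size <= 2) or state["fg"] == state["bg"]):
            state["hidden"] = True                    # a hidden ancestor hides every descendant
        self.stack.append(state)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and len(self.stack) > 1:
            self.stack.pop()

    def handle_data(self, data):
        text = " ".join(data.split())
        if text:
            (self.hidden if self.stack[-1]["hidden"] else self.visible).append(text)


def hidden_text_report(html):
    """Return visible text, hidden text and the share of characters the reader never sees."""
    finder = HiddenTextFinder()
    finder.feed(html)
    finder.close()
    visible, hidden = " ".join(finder.visible), " ".join(finder.hidden)
    total = len(visible) + len(hidden)
    return {"visible": visible, "hidden": hidden,
            "hidden_ratio": len(hidden) / total if total else 0.0}


# Constructed sample: an image-only pitch padded with three differently cloaked hash busters.
SAMPLE = """<html><body bgcolor="#ffffff">
<p>Click the image for our special offer.</p>
<p><img src="cid:offer"></p>
<p style="color:#FFF">It was the best of times, it was the worst of times.</p>
<p style="font-size:1px">Call me Ishmael. Some years ago, never mind how long precisely.</p>
<p><span style="display:none">The quick brown fox jumps over the lazy dog.</span>Regards, the sales team.</p>
</body></html>"""

if __name__ == "__main__":
    report = hidden_text_report(SAMPLE)
    print(f"hidden share: {report['hidden_ratio']:.0%}")
    print("hidden text:", report["hidden"])
```

A message where more than a fraction of the body text is unreadable is exactly what the paragraph describes: nobody legitimate writes that way, so the ratio is a far cleaner signal than trying to recognise the padding itself.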

Spammers needed a way to make the hash buster text look legitimate to the user as well as the spam filter. This is when they came up with the idea of pretending to reply to an e-mail message that was never sent to them in the first place. The spammer creates the forged e-mail with hash buster text and then replies to it. The reply carries everything a genuine reply carries: a subject starting with "Re:", the forged original quoted below the spammer's text, and the forged message's identifier in the headers that mail clients use to link a reply to its original. The spammer still enjoys the benefits of the hash buster text, now coupled with a better chance of getting past any spam filter, because the e-mail looks like a legitimate reply to a previous e-mail sent by the victim. A reply to an e-mail you sent to someone else is seldom unwanted, and the spam filter will be less suspicious of it unless it contains specific keywords and phrases that trigger the filter.
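The two steps described above and under the Notepad example earlier (forging the "original" with the victim's address in the From header, then replying to it), as an added example that is not from the original article. It uses Python's standard e-mail library and made-up addresses, and it also shows the one check a recipient can actually make: a real reply carries the identifier of a message you sent, so the In-Reply-To header can be compared against the Message-IDs in your own Sent folder. A mismatch is a signal, not proof, since mail you sent from another client or device will be missing from that folder too.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import formatdate, make_msgid

# Assumed, made-up addresses for the demonstration.
VICTIM = "victim@example.com"
SPAMMER = "sales@example.net"


def forge_original(victim, spammer):
    """Step 1 of the trick: a message the victim never sent, with the victim's address in From."""
    msg = EmailMessage()
    msg["From"] = victim                      # nothing checks this against who really wrote it
    msg["To"] = spammer
    msg["Subject"] = "Price list?"
    msg["Date"] = formatdate()
    # Minted by the spammer; the victim's mail server never issued it.
    msg["Message-ID"] = make_msgid(domain="example.com")
    msg.set_content("Hi, could you send me your current price list?\n")
    return msg


def reply_to(original, sender, body):
    """Step 2: an ordinary reply, built the way any mail client builds one."""
    reply = EmailMessage()
    reply["From"] = sender
    reply["To"] = str(original["From"])
    reply["Subject"] = "Re: " + str(original["Subject"])
    reply["Date"] = formatdate()
    reply["Message-ID"] = make_msgid(domain="example.net")
    # These two headers are what threads the reply under the (forged) original.
    reply["In-Reply-To"] = str(original["Message-ID"])
    reply["References"] = str(original["Message-ID"])
    quoted = "".join("> " + line + "\n" for line in original.get_content().splitlines())
    reply.set_content(f"{body}\n\n{original['From']} wrote:\n{quoted}")
    return reply


def check_reply(raw_message, sent_message_ids):
    """Classify an incoming reply against the Message-IDs this mailbox really sent.

    sent_message_ids is the set of Message-ID values taken from the recipient's Sent
    folder (assumption: the client keeps one). An unknown parent is a signal, not proof.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    parent = str(msg["In-Reply-To"] or "").strip()
    if not parent:
        return "not-a-reply"
    if parent in sent_message_ids:
        return "reply-to-known-message"
    return "reply-to-unknown-message"


if __name__ == "__main__":
    original = forge_original(VICTIM, SPAMMER)
    spam = reply_to(original, SPAMMER, "Thanks for your enquiry! Our price list is attached.")
    print(spam.as_string())
    # The victim's real Sent folder (constructed) knows nothing of the forged original.
    sent_folder = {"<20070301.1@example.com>", "<20070302.7@example.com>"}
    print(check_reply(spam.as_string(), sent_folder))
```

Note that nothing in the forged original is technically wrong: it parses, threads and quotes exactly like a real message, which is why a filter that judges only the reply's own contents has so little to go on. The Sent-folder comparison works because the Message-ID is the one thing the spammer has to invent rather than copy.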

But the consequences for the victim go beyond a spam filter that fails to catch the message. Spammers can put anything in these fake e-mails. They can even pretend that you enquired about one of their products: instead of sending you an unsolicited e-mail, they send you a "reply" to an enquiry you never made. Abuse departments can easily use this as an excuse not to act against the spammer, arguing that the complainant did not receive an unsolicited commercial e-mail because the complainant asked about something and the accused simply answered. Fortunately, an abuse department is supposed to establish that the original e-mail was really sent before rejecting the complaint, but we all know that very few abuse departments take spam reports seriously these days.

It is because of the lack of proper legislation as well as poor implementation and enforcement of existing legislation that we have to deal with waves of spam every day. We are constantly one step behind cyber criminals and our current spam filters cannot keep up with all the tricks and techniques used by spammers to force their junk down our throats. There is a widespread appeal for better filtering and alternative communication methods. There is merit in developing better spam filters, but how do you replace a communication medium like e-mail without disrupting individuals and businesses that depend on it every day to stay in contact with friends, family and clients? What's the use of taking away a communication medium if you do not take action against the individuals who abuse it? It will only be a matter of time before spammers start to abuse the system replacing e-mail. You need to take action against the root of the problem and not the infrastructure through which the problem occurs.

About the Author
Coenraad is webmaster and founder of Cyber Top Cops, leaders in Internet security, prevention of online fraud and educating users about online scams and malicious software.
