Spammers cloak their reputation

A major trend throughout 2008 that intensified during the third quarter is spammers’ increased use of cloaking techniques to hide their poor reputation behind someone else’s good reputation. This means that instead of sending email from a known spam IP address or – more commonly – from an infected bot server, spammers are finding new ways to send messages using valid or known mail servers, mainly webmail accounts, which have a reputation as a legitimate email source. Spammers have been forced to adopt these techniques due to the constantly improving filtering tactics used to thwart them.

These anti-spam tactics include:

• Stricter implementation of filtering policies by service providers,
• Greater adoption by service providers and enterprises of authentication standards such as DKIM and SPF,
• More widespread use of reputation services that check senders’ reputation at the connection level before allowing an email connection to be initiated.

These email blocking maneuvers make it much more difficult for spammers to penetrate their messages into organizations, and has forced them to come up with more creative infiltration methods, including hijacking good reputation to camouflage their own poor reputation.

There are several methods spammers use to hijack good reputation, in order to make use of it to deliver their unwanted mail:

• Spammers sign up for thousands of free email accounts, through the use of compromised CAPTCHAs. CAPTCHAs (short for Completely Automated Public Turing test to tell Computers and Humans Apart) are word images used to ensure that a human being is filling out a registration form, as opposed to a machine. Algorithms to break CAPTCHAs are readily available to purchase for illicit use, enabling spammers to generate a nearly unlimited supply of free email accounts from which to send their messages, without intervention.
• In order to gain access to legitimate email accounts without registering them themselves, widespread phishing attacks can persuade enough unwary users to provide their legitimate credentials to criminals. The extensive outbreaks of this sort to the student populations at various universities were described in the second quarter 2008 trend report.
• Spammers often use legitimate hosting sites to host their illegitimate content. They can also create multiple redirection pages on these sites using compromised CAPTCHAs. Sites put in this awkward position recently include: live.com, tripod.com, and photoshosting.com.

Below is a sample email from an outbreak late in the third quarter that took advantage of Microsoft’s Live.com site to redirect to a spam casino site.

Source: Commtouch Q3 2008 Email Threats Trend Report.