State of Alaska, Department of Administration, Enterprise Technology Services


Cyber Awareness Bulletin

The following cyber awareness bulletin was issued by the State of Alaska. The information may or may not be applicable to the general public and accordingly, the State does not warrant its use for any specific purposes.

SPAM Removal Facilitates Infection

OVERVIEW

For those of you using the State-supplied POSTINI, this may help you appreciate POSTINI even more. However, your home/personal email may not have such an anti-spam luxury.

The following link is the original article. Below the link is the text without all the advertisements.

http://www.theregister.co.uk/2004/09/22/opt-out_exploit/

CLICK HERE TO BECOME INFECTED

By John Leyden (john.leyden at theregister.co.uk)

Published Wednesday 22nd September 2004 09:15 GMT

Users should be wary of pressing the 'click here to remove' link on spam messages because it serves to confirm to spammers that junk mail messages are being read. Such email addresses can be sold at a premium to other spammers.

That's reason enough to simply delete spam messages, but a junk mail message doing the rounds today provides an even more compelling reason. Selecting the 'click here to remove' link on messages blocked by MessageLabs today triggers an attempt to load malicious code onto potentially vulnerable Windows PCs.

MessageLabs is blocking spam linking to the domain www. xcelent.biz (space deliberately inserted) which, if users click on the remove link and scroll down the page, triggers a DragDrop JavaScript exploit. This uses an IE bug to download and run an EXE file, currently being analysed by MessageLabs.

Alex Shipp of MessageLabs writes: "I have not finished analysing the EXE currently hosted (currently called windows-update.exe), but the spammers can change this at any time by uploading a new Trojan. Typically, your machine may be turned into an open proxy, have passwords extracted, and keyloggers installed.

"So not only do you confirm your email address to the spammers, you also get to host their next spam run, and get your bank account cleaned out," he adds.

The US's CAN-SPAM Act requires junk mailers to put an opt-out link on their wares. It comes as little surprise that this feature is being taken advantage of in a social engineering exploit; but it does illustrate the security problems of the opt-out approach that were always apparent to security experts - and ignored by legislators. ®


The CAN SPAM Act of 2003

Unsolicited commercial e-mail, or "spam", has been an unforgiving intrusion for nearly a decade on America's 136 million e-mail users. At the end of 2003, President Bush signed into law new legislation that is designed to protect you from the continued onslaught of spam.

"At any given moment, spam accounts for at least 40% of the e-mail traveling across the Internet."
- www.spamfilterreview.com

The CAN SPAM Act, officially called the "Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003," took effect on January 1, 2004. While it does not place a ban on spam, it does create a set of strict rules that spammers must follow in order to continue their practices legally.

According to this new law, spam:

  • Must include an Opt-Out or Unsubscribe mechanism:
    Spam must contain a working "unsubscribe" option. This can be achieved by allowing users to reply to spam messages to unsubscribe, or by providing a link to an unsubscribe page. Spammers are required to honor unsubscribe requests within 10 days.
  • Must include a valid physical postal address for the sender:
    Spam must contain a valid physical postal address in the body of the e-mail that can be used to contact the spammer through the U.S. Postal Service.
  • Must use a functioning return e-mail address:
    Spam must contain a valid return e-mail address that can be used to contact the spammer. This return address must remain valid for at least 30 days after the distribution of the spam.
  • Must include an advertisement (ADV) label in the subject line:
    Recipients of spam must be given upfront explicit knowledge that the e-mail is spam, by having "ADV" in the subject of the e-mail.
  • Must use valid header information:
    Spammers are forbidden from sending e-mails with deceptive or misleading information in the "From" and "Subject" lines of the message. Spammers are also forbidden from disguising the origin of the e-mail in any way -- including using false information in e-mail account or domain name registration, or by falsifying information in the extended header of an e-mail.
  • Must include a warning label advising sexual content:
    Spam containing sexual content must have a warning label describing the nature of the content in the subject line. There is a 5-year jail penalty for non-compliance with this requirement.
  • Must have properly managed lists of addresses:
    Spammers may not send spam to addresses obtained through illegitimate means - including the use of e-mail harvesters, dictionary attacks, or random e-mail generators. Furthermore, once an e-mail address has been removed from a spammer's mailing list, it can no longer be sold to another spammer.
  • Must not send spam through servers without authorized access:
    Spammers must not gain unauthorized access to servers in order to usurp network and computer resources for the purpose of sending spam.
  • Must not send spam through an open relay server:
    Open relay servers, which make it possible for an unscrupulous third party to route large volumes of e-mail, must not be used for distributing spam.

Unfortunately, the CAN SPAM Act offers no protection from spam originating outside of the United States. It does stipulate, however, the eventual creation of a reward system that will benefit people who turn in violators of the CAN SPAM Act. Under this proposed system, people who turn in CAN SPAM violators may be entitled to 20% of fines paid.

Read the complete act here: CAN SPAM Act.