Cyber Awareness Bulletin
The following cyber awareness bulletin was issued by the State of Alaska. The information may or may not be applicable to the general public and accordingly, the State does not warrant its use for any specific purposes.
SPAM Removal Facilitates Infection
For those of you using the State-supplied POSTINI, this may help you appreciate POSTINI even more. However, your home/personal email may not have such an anti-spam luxury.
The following link is the original article. Below the link is the text without all the advertisements.
CLICK HERE TO BECOME INFECTED
By John Leyden (john.leyden at theregister.co.uk)
Published Wednesday 22nd September 2004 09:15 GMT
Users should be wary of pressing the 'click here to remove' link on spam messages because it serves to confirm to spammers that junk mail messages are being read. Such email addresses can be sold at a premium to other spammers.
That's reason enough to simply delete spam messages, but a junk mail message doing the rounds today provides an even more compelling reason. Selecting the 'click here to remove' link on messages blocked by MessageLabs today triggers an attempt to load malicious code onto potentially vulnerable Windows PCs.
Alex Shipp of MessageLabs writes: "I have not finished analysing the EXE currently hosted (currently called windows-update.exe), but the spammers can change this at any time by uploading a new Trojan. Typically, your machine may be turned into an open proxy, have passwords extracted, and keyloggers installed.
"So not only do you confirm your email address to the spammers, you also get to host their next spam run, and get your bank account cleaned out," he adds.
The US's CAN-SPAM Act requires junk mailers to put an opt-out link on their wares. It comes as little surprise that this feature is being taken advantage of in a social engineering exploit; but it does illustrate the security problems of the opt-out approach that were always apparent to security experts - and ignored by legislators. ®
The CAN SPAM Act of 2003
Unsolicited commercial e-mail, or "spam", has been an unforgiving intrusion for nearly a decade on America’s 136 million e-mail users. At the end of 2003, President Bush signed into law new legislation that is designed to protect you from the continued onslaught of spam.
At any given moment, spam accounts for at least 40% of the e-mail traveling across the Internet.
The CAN SPAM Act, officially called the "Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003," took effect on January 1, 2004. While it does not place a ban on spam, it does create a set of strict rules that spammers must follow in order to continue their practices legally.
According to this new law, spam:
- Must include an Opt-Out or Unsubscribe mechanism:
Spam must contain a working "unsubscribe" option. This can be achieved by allowing users to reply to spam messages to unsubscribe, or by providing a link to an unsubscribe page. Spammers are required to honor unsubscribe requests within 10 days.
- Must include a valid physical postal address for the sender:
Spam must contain a valid physical postal address in the body of the e-mail that can be used to contact the spammer through the U.S. Postal Service.
- Must use a functioning return e-mail address:
Spam must contain a valid return e-mail address that can be used to contact the spammer. This return address must remain valid for at least 30 days after the distribution of the spam.
- Must include an advertisement (ADV) label in the subject line:
Recipients of spam must be given upfront explicit knowledge that the e-mail is spam, by having "ADV" in the subject of the e-mail.
- Must use valid headers:
Spammers are forbidden from sending e-mails with deceptive or misleading information in the "From" and "Subject" lines of the message. Spammers are also forbidden from disguising the origin of the e-mail in any way -- including using false information in e-mail account or domain name registration, or by falsifying information in the extended header of an e-mail.
- Must include a warning label advising sexual content:
Spam containing sexual content must have a warning label describing the nature of the content in the subject line. There is a 5-year jail penalty for non-compliance with this requirement.
- Must have properly managed lists of addresses:
Spammers may not send spam to addresses obtained through illegitimate means - including the use of e-mail harvesters, dictionary attacks, or random e-mail generators. Furthermore, once an e-mail address has been removed from a spammer’s mailing list, it can no longer be sold to another spammer.
- Must not send spam through servers without authorized access:
Spammers must not gain unauthorized access to servers in order to usurp network and computer resources for the purpose of sending spam.
- Must not send spam through an open relay server:
Open relay servers, which make it possible for an unscrupulous third party to route large volumes of e-mail, must not be used for distributing spam.
Unfortunately, the CAN SPAM Act offers no protection from spam originating outside of the United States. It does stipulate, however, the eventual creation of a reward system that will benefit people who turn in violators of the CAN SPAM Act. Under this proposed system, people who turn in CAN SPAM violators may be entitled to 20% of fines paid.
Read the complete act here: CAN SPAM Act.