Friday 19 January 2007

Symantec: Spammers Forge Phony Newsletters, Trying to Fool Filters

It seems that spammers have a new tactic in their war to get their unwanted... uhhh... content through our spam filters: forged newsletters.

What they're doing is sending messages that look like legitimate newsletters. Nasty. Examples seen so far appear to be from well-known brands such as 1-800-Flowers, Kohl, U.S. Airways, and "a fantasy football league" [Statto the spammer?].

There's no suggestion that the spammers have broken into the sending systems used by these brands. They just seem to be cloning legitimate content and modifying it. In the same way that phishers modify a bank's legitimate transactional messages to link to their own site, these spammers are taking copies of legitimate newsletters and tweaking them to include their spamvertisements.

But why go to all that trouble?

The idea is to take advantage of people's abhorrence of false positives. Spam filters will be carefully programmed, trained, or whitelisted to let legitimate newsletters through. If a spammer can make their spam look like one of these newsletters -- especially a widely-read newsletter -- they can get through the filter and in front of the user's eyes.

The spammers only seem to be testing the tactic right now -- it's at a very low level, but the theory is that if they find this is an effective trick, we'll see it a lot more.

I've not seen the test runs in my overflowing spam traps -- credit for discovering the phony newsletters goes to Symantec. I guess it takes a large organization, with 24x7, follow-the-sun labs to really keep on top of new developments in spam tactics. It's the speed of identifying these sorts of early indications that separates the men from the boys, as it were.

Update: Symantec sent a picture to illustrate. Wasn't that kind?

More coverage:

1 comment:

Matt V - Mvern78 said...

We have also seen this at my workplace for some mailings sent by our partners. It's curious, though, that some ISPs are not hard-failing based on the authentication standards that they are themselves promoting (SPF, Sender ID, etc.). These could stop some of these obvious forgeries if the "-all" flag is used by the sender and the receiver actually fails the message based on the proper flag.

I realize that SPF/SID are not the end-all solution for this problem, but they are a tool to help everyone make better decisions on what to accept and what not to. Getting more senders to move from "~all" to "-all" will also shift the receivers to fail messages accordingly.
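To illustrate the point made in the comment above, here is an added example (not code from the original post, the commenter, or Symantec): a minimal SPF evaluator run against two constructed records for hypothetical newsletter-sender domains, one ending in "~all" and one in "-all", plus a receiver policy that rejects only on a hard "fail". A forged message from an IP outside the sender's published ranges lands as "softfail" under the first record and "fail" under the second.

```python
import ipaddress

# Constructed SPF records for hypothetical domains (not real DNS data).
SPF_RECORDS = {
    "softfail.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.10 ~all",
    "hardfail.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.10 -all",
}

# SPF qualifier characters and the result they produce when a mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record: str, client_ip: str) -> str:
    """Evaluate an SPF record supporting only ip4/ip6 mechanisms and 'all'.

    Mechanisms that need DNS (include, a, mx, exists) are out of scope for this
    offline example and are reported as 'permerror'.
    """
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no usable SPF policy published
    for term in terms[1:]:
        qualifier = "+"  # mechanisms default to '+' (pass) when unqualified
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # catch-all decides unmatched senders
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        else:
            return "permerror"
    return "neutral"  # nothing matched and no 'all' term: treat as neutral


def receiver_action(spf_result: str) -> str:
    """Receiver policy of the kind the comment argues for: hard-fail only on 'fail'."""
    if spf_result == "fail":
        return "reject"
    if spf_result == "softfail":
        return "accept-and-tag"  # typical treatment: deliver, maybe raise spam score
    return "accept"


def forged_newsletter_outcome(client_ip: str = "203.0.113.7") -> dict:
    """What each sender policy yields for a message from an IP the sender never listed."""
    return {d: receiver_action(check_spf(r, client_ip)) for d, r in SPF_RECORDS.items()}
```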