|< Day Day Up >|| |
In a world where e-mail is a vital piece of communication, many companies that work with newsletters or e-magazines make sure that spam filters recognize their e-mail as legitimate communication, not as spam. This is especially important when a company’s success depends on e-mails being delivered. How successful would Paypal or Amazon be if every e-mail that was sent from their network was filtered? Because of this, many spam filters come with default white lists; if the recipient’s e-mail address matches one of the addresses on the white list, the e-mail scores significantly lower (up to 20 to 30 percent lower in some cases).
The most common default addresses on a white list include:
Impersonating a large company such as Paypal, Amazon, or Internic is illegal. If you are a prolific spammer and are making a large amount of money from spam, impersonation is not a good idea. It becomes significantly harder to remain anonymous when you are making $50,000.00 a month. These companies will become highly annoyed if you impersonate them.
Listserv.ntbugtraq.com is the domain that runs the popular NT-BugTraq mailing list. Thousands of users subscribe to this list and over fifty e-mails are sent daily to all of its readers. The majority of readers on NT-Bugtraq are the same people who design and create the security policies that the Internet is based on, and thus tend to take their e-mail delivery very seriously. It should come as no surprise that by default Spam Assassin contains the following rule:
def_whitelist_from_rcvd *@LISTSERV.NTBUGTRAQ.COM lsoft.com
This recipient domain is known for sending legitimate e-mail. Any spam sent from this host will automatically have its score lowered by 15 points. This leaves a lot of room for increasing the spam score with phrases such as “Buy my Viagra,” “Home-loans,” and “OEM software.”
Many spam filters allow you to define personal white lists of recipient e-mail addresses or domains that have guaranteed message delivery. All a spammer has to do is send the right recipient address. It’s not hard to ride on the credibility of another host when mailing lists use highly predictable recipient addresses. This method can be made even more effective by injecting false headers that suggest the spam came from the mailing list’s real host—an easy and highly believable confusion technique that adds to the message’s credibility while confusing the recipient into thinking a mailing list sent the spam. Example 5 depicts a header section from securityfocus.com:
Received: from unknown (HELO outgoing2.securityfocus.com) (205.206.xxx.xx) by 0 with SMTP; 6 Sep 2004 20:48:15 -0000 Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.xxx.xx]) by outgoing2.securityfocus.com (Postfix) with QMQP id B41E1143710; Mon, 6 Sep 2004 13:06:37 -0600 (MDT)
The legitimacy of these headers will help evade social filters; anyone who subscribes to the particular exploited mailing list may be confused into thinking the message originated from the original mailing list.
|< Day Day Up >|| |