Spammers Adopt New Tactics

Learn how to guard your users and Web sites against two new attacks, one that redirects people from Google to spammer Web sites and one that hijacks CAPTCHA images.

ITPro Today

November 13, 2007

3 Min Read
ITPro Today logo in a gray background | ITPro Today

Got spam? Of course you do. For the life of me, I cannot understand the minds of spammers. They're simply not mentally healthy individuals, as evidenced by their escalating intrusions into our inboxes and Web browsers.

So how bad is the problem now? According to statistics published by Distributed Checksum Clearinghouse (at the URL below), the volume of spam has nearly doubled since November 2006 and has at least tripled since November 2005. I'm sure other entities that track such statistics have data that indicates the same trend.

http://www.dcc-servers.net/dcc/graphs/?resol=2y&BIG=1#graph1

Recently, spammers have taken on new tactics to bypass various spam filters used by Web sites and for email processing. A recent item on Symantec's Security Response blog says that spammers are using Google to redirect people to spammer Web sites. When I first heard the report, it seemed surprising that Google could be taken advantage of by spammers. But there's a simple explanation of how it can happen.

Due to certain parameters that can be passed as part of a URL, spammers can mask the URL of a spam or malware Web site in an email message (rendering URL blacklists useless!). The technique involves first crafting a Google query that returns only the single page that spammers hope someone will visit. The spammer then adds a variable to the end of the Google query URL that causes Google to instantly redirect the browser to the spammmer's Web page.

Fortunately, you can create a custom filter to catch the trick, assuming of course that your spam filter system allows you to write custom rules. Simply look for "google.com" and "&btnl=" in any URL string. You can read more about the trick and the block at the URL below.

http://www.symantec.com/enterprise/security_response/weblog/2007/11/googles_advanced_search_operat.html

A recent item on McAfee's Avert Labs blog (at the URL below) tells how Web spammers are using a distributed method of solving CAPTCHAs--those images with numbers and letters that you have to read and then type into a form field before submitting the form.

http://www.avertlabs.com/research/blog/index.php/2007/11/01/the-captcha-challenge/

In a nutshell, spammers are now capturing legitimate Web sites' CAPTCHA images in real time and inserting them into their own Web pages that offer some type of enticing free content. Visitors that want to gain access to that free content must enter the CAPTCHA solution. What they don't know is that the CAPTCHA came from another site. When the visitor enters the solution, the spammer sends the solution to the originating site thereby getting past the CAPTCHA spam filter.

Fortunately there's a way to defeat this type of spamming too: Don't use images for CAPTCHAs. Instead, use a lengthy set of text-based questions and answers, and randomize the HTML that wraps the questions so that they can't be easily parsed by spammers' code.

On a semi-related note, if you're using DNS blacklists, you might be interested in an entry I read at Al Iverson's DNSBL Resource blog. Iverson set up a spam trap to determine which DNS blacklists are most accurate. Based on his tests so far, Spamcop and Spamhaus operate the best blacklists. Neither site mistakenly tagged any legitimate email as spam. On the other hand, Iverson found that SORBS tagged about 10 percent of his legitimate email as spam. I'll add to Iverson's findings that, based on my experience, SORBS blacklists entire class C networks due to the violations of a few servers within those networks. You can read Iverson's article at the URL below, wherein you'll find a link to his statistics, which will give you a good idea of which blacklists to consider using.

http://www.dnsbl.com/2007/03/how-well-do-various-blacklists-work.html

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like