Paid Advertising
web application security lab

Archive for the 'spam' Category

Referral Spam Tactics

Tuesday, March 13th, 2007

This isn’t truly a new referral spam tactic, but it it’s probably not well known, especially amongst people who don’t run their own websites. I got an email from someone who thought that somehow some porn site had inadvertently linked to them and started to send them tons of traffic. In fact it was quite a few sites that they had thought were sending them traffic. He thought someone had mis-configured something and it was working to his advantage. As a result he put up a link back to their sites, thinking he could get more traffic. It turns out he was playing completely into their hands. He had been social engineered.

The URLs are pretty sneaky: (obviously the string itself has been changed). So I searched for pr0nsitename and found that dozens of hits were coming in from msn and Each one of them were cloaking and sending indexing themselves really high. When you actually went to that msn or page you can see the URL linking back to me (something like this): Upon inspection you can see it’s a simple rediction to detect that I, in fact, started sending them traffic if I post a link pointing to them.

After some more digging I found that if you take any one of the IPs you can find that it comes from more than one different porn search. Hmm… what are the chances that a single IP address found it’s way to my site through two completely different redirects from porn sites? Uhm… I’ll give you a hint, it’s zero. The point is you cannot trust referring URLs. I barely look at them anymore, except to diagnose issues. You should not trust referring URLs from porn sites, you should definitely not click on them and you should absolutely definitely not post them on your site thinking you’ll get more traffic from it. It turns out that every single hit that both he and I got from this particular porn site was robotic. Yup, that’s bad.

Open Relay Database Is Shutting Down

Thursday, December 21st, 2006

This link probably won’t work in another week or so, but according to their website the open relay database is shutting down. This is an interesting turn of events. Their reasoning is that people who are running it have found other things to do and that the spammers have changed tactics. There may be some logic fallacy here, let’s think about this for a second.

First of all one of the reasons spammers changed tactics was because it was no longer as effective as it was before. That was due in large part to companies getting on blacklists because they had open relays that they didn’t even know about. So the problem was sort of fixing itself, leaving the spammers with fewer and fewer relays. That did, in fact, make the spammers change tactics. That doesn’t mean that the problem will stay fixed though. Let’s think about how companies use ORDB: when a mail is sent the server does a DNS lookup against with the IP prepended to it, if it comes back as a positive, it means the host is a relay and it shouldn’t send the email.

Now that the open relay database is gone, there are a few funky things that could happen. 1) You could see a delay in processing time with a lot of mail servers that rely on the ORDB domain being up to check their blacklist. Since the server is no longer up, and the DNS entries are going away the lookup will have to fail before it works. Postmasters, it’s time to upgrade. 2) You may start seeing a sharp rise in the amount of relays out in the world, allowing the spammers to move back to their old tactics. 3) The ORDB guys “recommend a combination involving greylisting and content-based analysis (such as the dspam project, bmf or Spam Assassin).” Until that happens you may also see an increase in spam while the postmasters upgrade their systems.

Yes, the ORDB was sort of outdated technology, but that doesn’t mean it wasn’t needed. However, only time will tell what the full impact will be.

99 Email Security Tips

Sunday, November 26th, 2006

I ran across this article today on 99 ways to secure your email. Largely it’s email etiquette and efficiency fluff and there are really only a small handful of actual ways to secure your email in it (numbers 78-99). There are a few tips that I’d tell people that are definitely not mentioned on their list. Here are a few from my personal list:

1) Turn off preview panes. When you click an email and it shows up in the preview you are rendering the remote images and the click-tracking that spammers use to verify the email lists executes. That alerts them to the fact that you a) are a real user and b) are a user who reads spam. Having your email automatically open also increases the likelihood of email client automatic exploitation. None of those are good, so turn off the preview pane.

2) Don’t put email addresses or sensitive corporate information into out of office emails. If you are out of office, just tell them the name of who to get in contact with. If they know anything about your company they’ll know how to get in touch with the front desk and use the person’s name to get in touch with them. A number of times people have set out of office messages with stuff like, “If you need information on super secret project x please contact….” Firstly, that’s bad if it’s someone who doesn’t really know you (sales people, etc…) secondly, if it contains email addresses those too can be scraped by the spammers who watch the return addresses for bounces.

3) Use domain keys, SPF (sender policy framework) records or other tools to reduce spoofing. If you want to allow people to know if you are legitimately sending email from all users on your domain without causing them too much grief, install domain keys or use SPF records to reduce the likelihood of people successfully spoofing your email. PGP signing is great but it only works for the one person using it, unlike domain keys.

4) Unlike what the article says do NOT use Yahoo or Hotmail as methods to send anonymous emails. Both send headers showing the recipient where you are originating from. Use something like hushmail instead.

5) Create custom email accounts for specific applications. I’ve seen a number of people who have begun building out vanity email addresses based on the specific site they are visiting, EG:

6) Validate users who are allowed to send email to you. This is an ugly one but by only allowing people who you have authorized to email you you can significantly reduce unsolicited email. You had better not use one of these accounts for anything you want to get electronic receipts for, but for personal accounts it’s a pretty decent solution.

7) Use a fake or modified name on each site you visit. If my name is “John Smith” I could use something like John Petsmart Smith will allow me to know that Petsmart has sold my email information when I get spam or phishing emails in the future.

Anyway, there are dozens of ways to secure your email. I’m sure everyone can contribute to this list. It’s a huge topic, that they really only scratched the surface of.

Email as Half Factor Authentication

Thursday, November 9th, 2006

Over the last several years I’ve noticed a disturbing trend in web application security - the use of email as a form of authentication. Once upon a time web application security was a very obscure concept, and as such it made sense to rely on a simple (although largely inaccurate) assumption which is that users have complete control over their email address. Let’s think about this for a second. How are emails being used today?

According to MAAWG between 80-85% of all email is abusive. Okay, so the user is inundated with spam, viruses, trojans, phishing emails and other scams and that represents the vast majority of email they will receive. That means a pathetic 15-20% of email is actually “good” or non-abusive.

I don’t have any real data to back up how many email accounts worldwide have been compromised but I do have statistics on how many of the top two web mail servers have been compromised with some form of attack. Both Hotmail and Yahoo mail have had issues, but let’s not forget Gmail too. At one point I met with an AOL business person and they told me that the number of account takeovers they had were “in the percentage” range. He was unwilling to tell me how many percent, but even if it’s 1% of users that represents over 500,000 accounts.

Okay, so email is both insecure and highly targeted for malicious activities. Now let’s look at how companies are using it. Many companies still require that users use an email address as the primary username for their accounts for logging in. Companies reference the accounts as such. That makes it extremely easy to identify users, and potentially difficult to guess since there are billions of email addresses out there. However (and here’s the fatal flaw) the servers allow access to their websites by using email as a forgot password function.

So an attacker can get access to your email, (given the flaws in the webmail systems) they can look through the email, (since they have access to it) they can connect to the websites (which you have kept information on), they can use the forgot password function, (which generally asks for nothing more than an email address) and now they have access to your account.

Websites use email as a form of half-factor authentication. While it isn’t something you have, it is something you know that is not normally out of your control. In this way it is very easy to gain access to websites given access to an email account. People don’t generally think of their web mail as being a critical asset. That’s where they sign up for random websites since they don’t want to use their work account while shopping for lingerie. But by putting so much faith in the webmail application they now have risked whatever can be done on any website they they have an account with. A disturbing trend, to be sure.

Spam-me-not Obfuscation

Monday, October 23rd, 2006

I saw an interesting link today that reminded me a lot of the XSS Calculator. I wonder why. No, really I actually don’t wonder why - it’s practically the same thing. Spam-me-not is designed to allow people to use the mailto: functionality as they would today but obfuscating the URL using a mix of HTML and HEX characters. Cool in concept, but pretty trivial to beat. The cost to modern day robots is next to none to do the sort of backwards conversions required to get the real text.

I think the value in this is fairly limited. Spam is sort of a way of life these days. Email is really taking a back seat to other forms of internet communcation like instant messaging and oversees you’re beginning to see a lot of voice over IP traffic. It just makes more sense. Email has been around for 15 or 20 years now, and the spammers are always ahead of the anti-spammers. That’s not entirely true though. I’ve got a few account that get thousands of spam emails a day, and I see none of it. It’s pretty remarkable actually.

This form of obfuscation that spam-me-not provides is probably effective at the lowest common denominator of spam bots. And as more people use this form of obfuscation, developers will spend the 10 seconds necessary to write the code to decode it (they don’t even have to write it from scratch since it’s already out there). All of this reminds me of the DMCA problem. If you release software that has to be decoded at some point there is nothing you can do to stop that decoded information from being logged elsewhere. It’s the nature of software. Oh well, maybe some people will find some use for spam-me-not - while the rest use email forms.

Referrer Spam Plus CSS History Equals Effective

Sunday, October 15th, 2006

It occured to me today as I looked over the referrer spam in my logs that it is particularly ineffective these days. For those of you who aren’t webmasters or don’t look at your logs very often, referrer spam is when spiders connect to your website and send a fake HTTP_REFERER (sic) header that incorrectly tells you that someone is linking to you. Most of the time it’s pretty ineffective, however, with Jeremiah’s CSS history hack, it might be far more useful.

It stands to reason if I’m an administrator of a website I’ve probably been to the homepage at some point in my last browser session. Of course I can turn that off the cross domain leakage with Safe History but no one uses that so the attack is pretty effective. If you know there is a single choke point (like a login page) that the administrator must use that’s even better, as they will have to use it to view their logs.

By verifying that the person looking at the logs is the person viewing the site in the logs the spammer can be sure that the webmaster views their logs and does something with them that may be effective in generating traffic. This is similar to how email spammers put tracking links on their email to watch open rates against particular emails (that’s why you should never auto-render images and you should never use the preview pane as that opens them automatically). Anyway, new attacks using this old hack are always interesting to me.

XSS Keyword Used To Defeat Baysean Spam Filters

Wednesday, October 11th, 2006

I was pretty amazed when I read this, but it is starting to make more and more sense the more I think about it, but “geek speak” is being used to defeat Baysean Spam filters. According to MessageLabs (who I happen to think is one of the best managed anti-spam services out there) using simple keywords can help reduce the likelyhood of something being caught as spam. And get this, one of the keywords mentioned is “XSS” of all things!

Like I said, it sorta makes sense when I started thinking about it. One of the most bizarre phenomenon was one time when I was writing a fairly indepth paper on the large scale effects of the 419 advanced fee fraud (if you don’t know what that is click here). While I was writing the fairly in depth technical explanation I sent it to a few trusted parties who I wanted to get input from. It never got there. It was impossible to get it to them because it kept getting marked as spam! I had to do all sorts of crazy things to disguise it in transit but still make it show up okay on the other end (basically I had to defeat the spam engine itself) but talk about a hassle!

Certain emails have certain characteristics. An email about cooking has the words “pots” and “spices”. An email about XSS has crazy filter evasion, and HTML markup galore. The heuristics of an email about XSS looks an awful lot like someone trying to evade filters and for the spam engine to not mark it as a false positive it has to tune itself looking for particular words that would whitelist an email that otherwise looked obfuscated or otherwise had a very high or alternately very low level of entropy.

Makes perfect sense! I guess the spam engines need some tuning now as XSS isn’t a marker of something particularly good or particularly bad as it turns out. I’ve seen the exact opposite thing happen where services have denied requests that have contained the word “XSS” in them. Talk about poor design - all you have to do is not use that word and you’re back up and running. XSS strikes again, in the most unlikely place!

CAPTCHA Curiosity

Wednesday, September 6th, 2006

Tim Tucker posted an interesting solution to some of the CAPTCHA solving stuff going around. He posted that to comment on his blog you must enter any data, as long as it’s incorrect. So as long as you don’t type in whatever you see and it is six characters long, it will be solved.

As the posted noted, this isn’t particularly good security, as a) it can be broken by anyone who views the site and knows that rule (therefore it’s not good against targeted attacks), and b) if it ever gains popularity it will become standard in splogging software. Still, it’s an interesting take on the same old problem of blog spam.

Building Fake Search Engines to Monetize Redirects

Saturday, August 19th, 2006

I’ve been talking with Jeremiah Grossman about his history revealer a lot over the past few days (I’ll probably talk more about it in some later post), but I started thinking about additional applications for knowing where someone was beyond the obvious stuff. It then occured to me that there is a way that porn sites and other blackhat websites can monetize traffic that they haven’t touched yet, to my knowledge.

There’s a pretty old trick where once the user clicks on a link they are immediately taken to another page. When the user finds that they are on a page that they aren’t interested in they hit back on their browser. When they do that they land back on the page with the redirect and they either get redirected again or to another website. This is a pretty aggrevating user experience that just makes them hit back on their browser twice quickly, use the history drop down or manually type in another website to escape the site. As they do so the malicious website looses that user - probably forever.

It just occured to me that there is a better way to monetize that traffic based on two factors that are known. The first is where the user is coming from. Thankfully most browsers send referrers. If you know the referrer of a search engine you can tell exactly what they were looking for and what all the other links on that page are. Stay with me.

When the user clicks back on their browser, instead of blindly sending them off into redirect land which is a highly frustrating experience, why not serve them up a page that looks exactly like what they would expect to see by hitting back on their browser? How does that help? Well if you can completely re-create the page that the user expected to see, you can change all the links on the page to things you own, with the possible exception of the previously viewed links (which you can know using Jeremiah’s trick). You can then hijack the rest of the links with JavaScript onclick events or just serve them up completely different links - either way. Instant page rank, without even trying!

Now the user gets the search experience they would expect but now you completely control everything the user will find upon searching and clicking. I bet more often than not the user won’t even notice they aren’t on the search engine website because they will be served up an exact replica. Without looking at the URL they will still be convinced because it looks exactly like the last page they were on, complete with the search results and the viewed links.

Of course if you do this you are risking getting lawyers all over you for trademark infringement blah blah, but I’m not sure most blackhats care about that kind of thing - if they can be located anyway.

Image Leaching Just Got A New Tool

Thursday, August 17th, 2006

Welp, I finally had it. Someone was using my stupid redirect finder for too long. I closed down access to the cgi logging portion for about a month, I explained it on the blog post for anyone who was interested and STILL I was getting spam in my logs. You’d think I would have built some failsafe into my own GreaseMonkey script to automatically shut it off, but no, I had to be secure, and make it completely invulerable to outside influence. I’m such an ass sometimes! The problem is it was spamming my logs like crazy. And yes, I can grep -v but I really don’t want to have to do that. I’d rather people just not spam my damned logs when I turn off access to the script anyway. So I had to think of a new way to get rid of that crap from my logs forever.

First we have to consider exactly what that tool was doing. Everytime it saw a potential redirect hole it queried an image on my server (which was really a CGI script). That script then logs the information for eventual retrieval (primarily for use in blackhat SEO actually, but also redirects are useful for spam and phishing attacks as well). Anyway, so it doesn’t do much. It doesn’t even display the image, so I can’t even put a goatse or tubgirl (hmmm, I wonder how many times I can throw those two terms into this post?) picture on every page they visit or anything. Time to think outside of the box, as I would imagine goatse or tubgirl might do.

A day or so later I was surfing around on, no, not for goatse or tubgirl, but rather my own damned site and I came across the solution: a popup! Why not hijack their computer with a mailto: popup every time they visit my page? Oh, it’s so simple I could have kicked myself for not thinking of it a month earlier - I’m feeling like goatse or tubgirl probably do right about now - all used up. Here’s the script:

print “Location: mailto:Dude, remove redirect from Greasemonkey already, I shut that crap down a month ago, email h\ if you have questions\n\n”;

Yes, and just like that, poof! Almost all the traffic died down immediately. I guess people don’t like it when you force outlook or thunderbird to open on nearly every page view, just like people don’t like goatse or tubgirl. Go figure. But then I started thinking about it and there are other applications beyond a goatse or tubgirl substitute. One thing I’ve noticed is that lots of sites pull my favicon.ico file when linking to me. Most of them restrain the size so I can’t scar their website with the images of goatse or tubgirl so I’m left with little options. But what if I just want to let the user know, “Hey, guess what, stop stealing my bandwidth from your feed reader and download the picture already!” Not that they could do much about it on most systems since the user who will see it will have had nothing to do with it, but it sure would wake them up in a hurry.

Total goatse and tubgirl count, including this sentance? 8 times. I rule.