Gmail, Yahoo and Hotmail systematically abused by spammers
Summary: With the industry's eyes constantly monitoring the usual suspects' use of phony hosting providers, another market segment within the underground marketplace has been developing beneath the radar, aiming to build a malicious infrastructure (Spammers targeting Bebo, generate thousands of bogus accounts; Malware and spam attacks exploiting Picasa and ImageShack) through efficient CAPTCHA recognition.
The latest MessageLabs Intelligence annual report for 2008 indicates that, on average, 12 percent of the spam volume MessageLabs monitored in 2008 came from legitimate email providers such as Gmail, Yahoo Mail and Hotmail, with a peak of 25 percent in September. Earlier this year, more vendors emphasized this ongoing development, citing machine-learning CAPTCHA-breaking techniques as its cause. In reality though, the very same humans that CAPTCHA was meant to identify continue to undermine it as an anti-bot registration measure.
Having researched the market segment throughout the year (Microsoft's CAPTCHA successfully broken; Gmail, Yahoo and Hotmail's CAPTCHA broken by spammers; Spam coming from free email providers increasing; Spammers attacking Microsoft's CAPTCHA -- again; Inside India's CAPTCHA solving economy), it's time to assess the current situation and speculate on the upcoming efficiency model.
"In 2008, spammers developed an affinity for spamming from large, reputable web-based email and application services by defeating CAPTCHA (Completely Automated Public Turing Test to tell Computers and Humans Apart) techniques to generate massive numbers of personal accounts from these services. In January, 6.5 percent of spam originated from these hosted webmail accounts, peaking in September when 25 percent of spam originated from these sources, averaging about 12 percent for the remainder of the year."
Three of the most popular free email providers continue to be systematically abused by cybercriminals, so efficiently that they often top the charts (Gmail; Yahoo; Microsoft) of major anti-spam organizations such as Spamhaus. Although the affected companies are aware of this ongoing abuse, some of their mail servers have such a bad reputation due to outgoing spam that it is reasonable to assume legitimate email sent through them may not be reaching its destination. BorderWare's ReputationAuthority.org also comes in handy when assessing the reputation of Gmail, Yahoo Mail and Hotmail. Which of them has the worst reputation varies, but for the time being Microsoft's web properties appear to be ahead of Gmail and Yahoo's.
Is the supply of pre-registered accounts at these services driving the market, or is it the customers' demand that's actually driving it? Whatever the case, supply is pretty efficient for the time being. For instance, I'm currently monitoring several web-based bogus account registration services, with an average price of $10 for a thousand accounts at any of these email providers. That's right: for $10 a spammer could get his hands on a thousand pre-registered email accounts, and that is before the discounts offered for bulk purchases. And whereas I still haven't been able to establish a relationship between these services and Indian CAPTCHA breakers, theoretically the supply of bogus accounts offered by a Russian service could in fact be outsourced as a registration process to human CAPTCHA breakers, with the service itself acting as an intermediary. Whether through malware-infected hosts or through human CAPTCHA solvers, the hundreds of thousands of accounts offered for sale remain there.
Let's talk about efficiency. A research paper entitled "Exploiting the Trust Hierarchy among Email Systems", released earlier this year and surprisingly receiving zero media attention, shows a proof of concept that allowed the researchers not only to bypass Gmail's limit on bulk messages, but also to abuse Gmail's email forwarding function in order to successfully deliver emails classified as spam by relaying them through whitelisted, and now DomainKeys-empowered, Gmail servers:
"The presented vulnerability enables an attacker to bypass blacklist/whitelist based email filters and freely forge all fields in an email message by having Google’s SMTP servers tricked into behaving like open SMTP relays. We were able to confirm that this vulnerability is indeed exploitable by assembling a proof of concept (PoC) attack that allowed us to use one single Gmail account to send bulk messages to more than 4,000 email targets (which surpasses Gmail’s 500 messages limit for bulk messages). Although we have limited the number of messages in our example to 4,000+, no counter measures took place that would have prevented us from sending more messages, and for that matter sending an unlimited number of messages."
What this means is that the potential spamming speed achieved through a single automatically registered Gmail account could be greatly increased. From another perspective, a bogus account wasn't worth as much as it is worth today, since it now grants automatic access to all of the company's web properties, allowing spammers and cybercriminals (Cybercriminals syndicating Google Trends keywords to serve malware) to abuse them even further. CAPTCHA is dead; the humans who were supposed to recognize it killed it by starting to recognize it efficiently and monetizing the process.
The bottom line: ask yourself the following - how many incoming anti-spam solutions can you think of right now, and how many outgoing anti-spam solutions are you aware of? Before spam comes in, it has to go out first.
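One shape an outgoing control can take, as an added example that is not code from the article or from any of the providers named: the quoted PoC got past the 500-message bulk limit by pushing mail through Gmail's forwarding path, so a limit that only meters direct submissions is blind to it, and the script below meters every recipient an account causes the provider to emit, whatever the channel. The log format, the account names and the application of the 500-recipient limit over a trailing 24-hour window are assumptions constructed for the example.

```python
# Added example, not code from the article or any provider: it meters every
# recipient an account makes the provider emit, whatever the channel, so the
# forwarding path used by the quoted PoC counts against the limit. The log
# format, account names and 24-hour window are constructed assumptions.
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed outbound log; bulk42 mirrors the PoC: direct sends, then mass forwarding.
SAMPLE_LOG = """\
2008-12-01T09:00:00 acct=bulk42 channel=submission rcpts=300
2008-12-01T09:05:00 acct=bulk42 channel=forward rcpts=250
2008-12-01T09:10:00 acct=bulk42 channel=forward rcpts=3500
2008-12-01T10:00:00 acct=alice channel=submission rcpts=3
2008-12-01T10:30:00 acct=alice channel=forward rcpts=1
"""
DAILY_RCPT_LIMIT = 500          # the bulk limit named in the quoted PoC
WINDOW = timedelta(hours=24)    # trailing window the limit is applied over

def parse_log(log_text):
    """Yield (timestamp, account, channel, recipients) per non-empty line."""
    for line in filter(str.strip, log_text.splitlines()):
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        yield datetime.fromisoformat(ts), kv["acct"], kv["channel"], int(kv["rcpts"])

def recipients_per_account(log_text, count_forwards=True):
    """Recipients per account; count_forwards=False is the weak direct-only policy."""
    totals = defaultdict(int)
    for _, acct, channel, n in parse_log(log_text):
        if count_forwards or channel != "forward":
            totals[acct] += n
    return dict(totals)

def accounts_over_limit(log_text, count_forwards=True, limit=DAILY_RCPT_LIMIT):
    """Sorted accounts whose metered recipient total exceeds the limit."""
    totals = recipients_per_account(log_text, count_forwards)
    return sorted(a for a, n in totals.items() if n > limit)

def first_breach(log_text, acct, limit=DAILY_RCPT_LIMIT, window=WINDOW):
    """First time acct exceeds limit within a trailing window (all channels), else None."""
    events = sorted((ts, n) for ts, a, _, n in parse_log(log_text) if a == acct)
    running, start = 0, 0
    for ts, n in events:
        running += n
        while events[start][0] < ts - window:   # expire events outside window
            running -= events[start][1]
            start += 1
        if running > limit:
            return ts
    return None
```

With the direct-only policy bulk42 shows 300 recipients and stays under the limit; counting the forwarding path it shows 4,050, the order of magnitude the PoC reported, and is flagged at its second event.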
Talkback
I could have told them that for free.
"Atmosphere important to life on Earth"
And they would have ignored you
That's the same as saying
days.
Hint: just because bad people use something doesn't
make it useless.
Like I keep saying...
It is time they were held accountable. 100% accountable. Whoever is providing the pipes these companies are using needs to step in and enforce the policies that everyone else has to live by. NOW!!!
These companies are Microsoft and Google
Mandate change to MIME/SMTP
All of this spam will go away if and when everyone uses PGP encryption. Think of it as being a VPN for email.
Making email conform to PGP/GnuPG has a few good side effects.
1) Sender/Receiver are 'known' (signed certificates)
2) The MIME format message header 'sender' cannot be tampered with
3) Encryption provides needed privacy. All current emails are sent as 'clear text' and readable by anyone along the intermediaries that serve as Mail Transfer Agents.
4) Spam bots cannot tamper with your private signed certificate, so if ISPs check the message header for a valid certificate, non-conforming emails can be shunted in accordance with mandated policy guidelines.
All of the SPAM goes away because it CAN'T ride on a clear text channel anymore. Get it? OK!
In a similar vein, Zero Day Folks know DNS needs to be protected, thus DNSSec is being seriously considered for implementation. Once in place DNS spoofing cannot occur.
I wrote about this the other day [url=http://talkback.zdnet.com/5208-12691-0.html?forumID=1&threadID=55213&messageID=1044199]here[/url]
Some related articles for your consideration:
o [url=http://www.dtschmitz.com/dts/2008/08/pgp-empowerment-and-your-privacy.html]PGP: Empowerment and Your Privacy[/url]
o [url=http://www.dtschmitz.com/dts/2008/11/still-sending-naked-email-get-your-protection-here.html]Still sending naked email? Get your protection here[/url]
More than ever, we have to take ACTION to implement privacy protection measures. It is your right Folks!
Would you send a letter without an envelope? Think about it.
Thank you.
Dietrich T. Schmitz
Linux IT Consultant
PGP is all very well Dietrich
However when I looked at using PGP some time ago it did not appear to be easy to understand, set up and do.
Maybe Joe Public would find it too technical?
I'll reserve my current opinion until I give PGP email another go.
Edit: As a starter I'll have a look at the link you posted http://www.dtschmitz.com/dts/2008/11/still-sending-naked-email-get-your-protection-here.html
Thanks.
It can theoretically be implemented in a user friendly way
I have thought about doing something similar myself, but I discovered to my dismay that in order to create an Outlook extension, I need Visual Studio Professional, but I only have Visual Studio Standard.
If I can obtain Visual Studio Professional somehow, I would be open to the idea of creating something with similar functionality as my next project. At the moment, I do not have the cash on hand to upgrade to Professional.
Establish a Mandate 'with incentives'
A well-developed Mandate should consider impact on industry and individual compliance cost with offsets to that cost in the form of tax writeoffs or some other means of compensation.
When it becomes a 'fact of life' and everyone knows it must be done, then an industry ecosystem will develop around providing assistance and software development geared toward making compliance as transparent a process as possible.
This type of change doesn't require a change to infrastructure--it is more software driven than anything else.
The MIME format for email doesn't change--just how it is enclosed changes--encryption with signed certificates.
Thanks
Agreed.
Unfortunately, some people are stuck being convinced that shutting down port 25 is the solution, and ignore how useful encryption and digital signatures are. I'm not one of those people, but I've talked to some of them, and they are providing a real barrier to implementing such a solution on a large scale.
If you have any advice for talking some sense into such people, I'm open to ideas.
Impunity
Making use of PGP, GnuPG signed keys on the email's originating machine effectively puts a lock on the MIME message format which defeats a spambot's ability to manipulate the sending address field.
Any 'non-conforming' MIME message when tested just gets handled/shunted according to Mandated guidelines.
Very close to what I've been saying for years
1. NO HTML allowed in the To:, From: and Subject lines.
2. Eliminate the CC option. Only BCC.
3. Email can only be sent from where it came from.
4. Create a blacklist of known offenders that updates weekly. Of course, there are legitimate "spammers" that aren't really spammers, but who have been flagged as spam because people don't always know the difference between spam and email they've signed up for. So people can opt to add certain emails to a whitelist.
5. Eliminate Fwd possibilities. Let's face it, those fwds used to be cute. Now? They're old, tiresome, and annoying. And so many use the CC, which opens people's email addresses to anyone and everyone.
6. All email providers and email software companies need to get on the same page here.
These are merely a few ideas I have been suggesting for years.
#3 especially
[b]AGREED.[/b]
No more of this "the SMTP server sends the email on behalf of the user" idiocy.
The identity should be established at the endpoints, using digital signatures and encryption.
Definitely
Thinking to self, out loud for all to hear. I wonder what would happen if we sued the email companies who sue the spammers.
Of course, they'd have to collect first. But, if they sue the spammers and win, should we then win partial judgement too?
Known sender
Verifying the sender will alleviate the problem somewhat.
The current specifications are incomplete.
I carried out research in the not so distant past where I replied to spam with the text "Yes, this sounds great, tell me more."
Without exception, every single one 'bounced'
The email system/specification should do that test first then fake/falsified addresses would be eliminated.
Spam then could only come from legitimate accounts, which could then be advised.
The trick here is to keep it simple.
Instead, I've seen the internet browser/HTML standard go from a simple and noble venture into an extremely complex system with lots of clever little ways to hide malicious programs, algorithms, routine and whatnot all to screw with me and you!
Left to me in charge, there would be no spam.
To date no one has asked me how.
Conclusion
There's lots of spam about because we want it & we like it.
Government Does Not Want Mandate!
Govt can and does routinely intercept and crack encrypted emails...
But that isn't the point.
Enclosing the clear text message in GnuPG effectively places a lock on the sender address and THAT categorically puts the spammers [b]out of business.[/b]
Spammers ARE a National Security Risk and as such the Govt should welcome such a Mandate to protect its citizenry.
Thanks for replying here and at my [url=http://www.dtschmitz.com/dts/2008/08/pgp-empowerment-and-your-privacy.html#comment-119]website[/url].
Dietrich T. Schmitz
Linux IT Consultant
huge fines
But then again spam is there because idiots are still allowed to own a computer (and have money). In 2008 how can someone be stupid enough to believe in penis pills or trust a mortgage company that spams?
Speaking Of Huge
Hi there!
best prices for impotence drug$!
Best regards.
democracy demands debate, flash in the pan
Just find the individuals who are doing this crap and fire them out of a cannon.