We all know the word spamming and without any discrimination, we all hate it a lot. it happens when senders blast out unwanted emails for selling products and service we don’t want at a price we won’t pay from suppliers we’ll never trust them at all.
And the word spam has provided us some relevant terms such as SPIM for spam via quick messaging; SPIT for spam via internet telephony – robocalls and fake tech help scams, for instance; and SPEWS, which is our tongue-in-cheek call for spam through electronic web submissions.
SPEWS has usually known two main methods:
- Crooks use bulk HTTP posting features to fill out online comment forms on forums and blogs. The concept is to sneak past spam screens or harried referees to get free advertisement, promotional stuff and false endorsements posted and publicly visible, at least until they’re informed and removed
- Crooks use reporting or interaction forms to send phishing messages into your company. The concept is to fake the form handling system into producing an internal email from content that came from outside, thereby avoiding some or all of the spam filtering that usually other external emails would usually experience
The cybersecurity professionals from Russian at Russian outfit Dr.Web newly recalled us all of a third way that crooks can use SPEWS to do their dirty work.
They observed spamtrap emails that basically came from sincere company senders, but with poisoned web links in the welcoming party.
Instead of stating, Hi, Mr. Ducklin, as you might imagine from a sincere email from a responsible reputation, they stated something more along the lines of Hi, MONEY FOR YOU! [weblink here], but with a legitimate-looking correspondent.
Indeed, going into depth the emails presented not only that the sender was genuine but also that the email did originate from a server you’d imagine – there was no correspondent spoofing going on.
(Spoofing is where the crooks purposely put a virus name in the From field, so at first look, the email looks to come from somewhere you trust.)
How it creates problems for you
Whatever the crooks are performing is subscribing to official business mailing lists but putting in other people’s email addresses so that the sufferers get a signup message, even though they didn’t sign up themselves.
Unluckily, the crooks are hurting a built-in mailing list security functions – one that’s been de rigueur in most of the world for some time, if not essentially need by law – that sends a one-off authorization email before actually triggering a mailing list subscription.
This security function is often mentioned to as double opt-in – you usually will not receive any email until you put in your address (opt-in #1), and then you usually not receive anything but an authorization message until you answer to or click a link in that message (opt-in #2).
Double opt-in is referred to prevent other people signing you up, either over accident or malevolence, but it does say that someone with access to the sign-up form can take a legitimate organization to send you a one-shot email from one of its genuine servers.
To a crook, that looks like a challenge, not just a thought – a real email server that can be mechanically or semi-automatically triggered to send a message to anyone else’s email address.
In several scenarios, signup emails are not exciting and boring – they don’t want to be appealing or attractive, after all, because they’re meant to be simple authorizations of a select you have already done.
But some organizations can’t resist providing the glitzy marketing action even to their mailing list authorizations, filling them with logos, clickable links, appealing offers and all the other COOL THINGS YOU WILL ENJOY as long as you truly do complete your signup. Hence at every stage, you have to be careful all the time.