Spammer tricks: link shenanigans
In the next two weeks' Security Levity, I want to cover some more tricks that spammers employ to avoid spam filters. This time: messing around with the embedded web links in their messages.
Most spam filters include a link detection component. This could be based on a simple URIBL (Uniform Resource Identifier Block List), or use a more sophisticated web reputation service.
That's important because most spam needs to contain a link: spammers want users to click through to their sites to buy fake pills, get their PC infected with malware, or enter their online banking password. So finding known-spammy links is a great way to detect spam.
Spammers have many ways to try to avoid link detection. Here are just three of their tricks:
Breaking into trusted sites
Spammers hack into trusted sites and add hidden redirection code into a new or existing page on the site. So the spam message contains a trusted link, but the page itself redirects to the spam/porn/malware site, or causes a popup window containing the spammed site.
For example, www.example.com is a well-established, widely-trusted site. Web reputation databases agree that links to this site are perfectly acceptable in email. However, our spammer discovers that the site's version of Apache has a known vulnerability, allowing him to break in and add redirection code. He then sends spam, linking users to www.example.com/.ed/pills.html, which redirects to the spammer's site. Because the link is trusted, the spam filters don't suspect a problem.
Bulk misuse of link shorteners
Spammers create shortener redirections on sites such as tinyurl.com or bit.ly, redirecting to the spammy site. They then send the links in their spam email. They'll often cycle through hundreds or thousands of these short links, hoping to fool spam filters that keep track of individual links (naturally, the better filters follow the links, and discover that they're all pointing to the same or similar pages).
For example, our spammer creates a short link at tinyurl.com/amirlev1, making it redirect to his spammy site. He sends a few spam messages using this link, but not too many to look suspicious. He then creates a similar short link at tinyurl.com/amirlev2, sending some more spam messages using that, and so on.
DNS delaying tactics
Spammers send the link to their site but ensure the DNS for the domain will not resolve during the spam sending campaign. Only later -- once the spam messages have passed the filters -- do they publish the DNS records, so end users will see the site when they click on the link in the spam. Typically, spammers will target users in particular timezones, sending the spam during their night. They'll have a few hours to send the attack before users wake up and read their email.
For example, the spammer owns the domain example.biz. He creates a virtual site for pills1.example.biz but doesn't publish any DNS information for it yet. He sends spam email to users in the Americas between 2 and 4am Pacific. During the time that the spam is hitting the filters, there's no actual site that can trigger a block. He later switches on the DNS records, before the users wake up. As soon as he does this, the links in the spam email will work.
FAQ: Is the sky falling?
Of course not. Though spammers' tricks continue to get cleverer, spam filter technologists are smart cookies, too...
Next week, I'll talk about how spammers try to misuse the spam filters themselves, in order to get delivered to the inbox.
When he's not analyzing spammers' tricks, Amir Lev is the CTO, President, and co-founder of Commtouch (NASDAQ:CTCH), an e-mail and Web defense technology provider.

