Slashdot Mirror


Spam Opt-out Link Triggers Malicious Code Attack

Maestro4k writes "The Register is reporting on a new spam E-mail circulating out there. In it, clicking on the 'Click here to remove' link launches a site that, when the user scrolls the page, triggers a drag-drop javascript exploit. Scarily, the E-mail actually complies with the CAN-SPAM act as it only requires spammers to put an opt-out link in their mailings. As The Reg says "It comes as little surprise that this feature is being taken advantage of in a social engineering exploit; but it does illustrate the security problems of the opt-out approach that were always apparent to security experts - and ignored by legislators." The link in question points to www. xcelent.biz (As in The Reg story, space intentionally included) so even if you can't block the mail yet it should be easy to block access to the site with the exploit. I suspect this is just the beginning and most spam will include "features" such as this in the near future."

24 of 327 comments

  1. More Legislation Needed. by FearTheFrail · · Score: 3, Insightful

    So now that we have a legal, malicious attack, we'll only have to wait a few -more- years for bills to be passed to have the law catch up with some watermark of digital exploitation. Super.

    --
    ___ In the words of Gen. Douglas McArthur: "I'll be right back."
    1. Re:More Legislation Needed. by auzy · · Score: 3, Insightful

      Actually, I think that's the wrong approach. I just think vendors like Microsoft need to take responsibility for the poor security in their products. Many exploits against windows products for instance were long known to come out before they were released, amongst many others. There was a time when eeye had serious exploits listed that took Microsoft longer than 100 days to fix.

      Also, from past experience, legislation is often abused in computer cases (as demonstrated by people like the RIAA). Personally, it's been pretty rare to see decent laws against computer crimes (I haven't heard of any I agree with so far).

      I think the development of sender verification frameworks for Email will also eventually help, provided that MS is willing to accept the open standards for once.

    2. Re:More Legislation Needed. by stratjakt · · Score: 5, Insightful

      There's nothing legal about this.

      It's not specifically illegal under the CAN-SPAM act, but it's just as illegal as any other exploit, trojan or worm.

      --
      I don't need no instructions to know how to rock!!!!
    3. Re:More Legislation Needed. by gcaseye6677 · · Score: 4, Insightful

      The government could crack down on most spam sources anytime they feel like taking the problem seriously. With all the business, tax code, interstate commerce, and other regulations on the books already, any spammer is bound to be violating a bunch of existing laws. And since many spamvertized products and services are fraudulent or blatantly illegal, simply prosecuting with traditional laws would be adequate.

      If the IRS started auditing every known spammer with operations or residence in the United States, that would have a very chilling effect on spam. I'd bet my life savings that spammers don't report all of their income for tax purposes. If other countries then followed suit, spam would be relegated to the far corners of the world and easily firewalled.

    4. Re:More Legislation Needed. by Red+Alastor · · Score: 3, Insightful

      And many situations don't need a completely different law when it happens with computers. A fraud is a fraud no matter what the medium you use is and there are already good laws about it.

      --
      Slashdot anagrams to "Sad Sloth"
    5. Re:More Legislation Needed. by mdfst13 · · Score: 3, Insightful

      "You went to the web page of your own free will, using something known to be bad. Caveat Emptor."

      Obviously people here are aware that the site is bad. However, people who actually get the link in an email would be under the impression that the site is an opt out link. Providing them a virus instead is fraud and illegal.

      If "known to be bad" refers to IE, that doesn't excuse anything. That's like saying that if you forget to lock your door, then it's all right for people to steal your stuff. In reality, it's still just as illegal.

    6. Re:More Legislation Needed. by xouumalperxe · · Score: 2, Insightful

      Oh, they'll agree to the standards alright. And 2 days later they publish the new and improved version of your standard, with super-duper (and highly exploitable) proprietary extensions that mean MS is so much better than the competition. Accepting open standards isn't the problem with MS. It's the staying within them that's the trick.

  2. Another good reason... by Three+Headed+Man · · Score: 3, Insightful

    ...to get SpamAssassin.

    --
    I'm probably at the karma cap. Mod up a funny troll instead, it lightens the mood :)
    1. Re:Another good reason... by d_jedi · · Score: 2, Insightful

      Only link I found for this was:
      http://www.openhandhome.com/howtosa300.html

      Which is a pretty fricking long installation procedure, most likely beyond the capabilities of anyone who would actually be affected by this exploit (i.e. people who haven't applied recent patches, who don't have an up-to-date virus scanner, who click on links in spam messages..)

      In particular, even I (and I consider myself quite knowledgeable) had no clue with this step:

      # Critical: Next, find \perl\bin\spamasasssin.bat (it is probably read-only, which will cause you grief in a second), and add at the beginning (well, nearly: right after the @ECHO OFF line.)

      SET RES_NAMESERVERS=ipaddress
      SET LANG=en_US


      Now, for people running their own DNS server, this isn't a big deal.. but for the rest of us..

      --
      I am the maverick of Slashdot
  3. Why is the site still up? by jarich · · Score: 4, Insightful
    The article says they know the name of the website... why is it still there? Why is the EXE still available?

    I realize that another spammer will take advantage of the hole next week but if the hosters were blacklisted from DNS servers, the offending files might get removed a little faster.

  4. A SPAM opt-out trojan... by nologin · · Score: 2, Insightful
    ... that would turn your machine into a Spambot; now that would be funny. :)

    CAN-SPAM may require an opt-out option in the e-mail to remain legal. However, the legislation DOESN'T protect you from the consequences of using that opt-out option.

    It's legislated social engineering at its finest. Good luck out there.

  5. Not Surprising by Trolling4Dollars · · Score: 2, Insightful

    IT Geeks - 1
    Politicos without "tech savvy" - 0

    This is the way it will always be unfortunately. Unless the whole population eventually can understand all the technical aspects of computers and the internet, or computers and the internet become so rock solid/secure AND easy to use, it will always be this way.

  6. Why is this a surprise? by mykepredko · · Score: 4, Insightful

    Seriously.

    It's not like spammers are a class of people to be trusted. I always felt the opt-out requirement was a joke and prime for abuse. By opting out, you are telling the spammer that you read every email that comes your way and they add it to their list of email addresses that actually respond to spam.

    So what do they do with this list? If they follow the letter of the law, they will stop spamming - but, they have a list of high quality email IDs that they can sell to other spammers.

    Users should always follow these simple instructions with regards to email spam:

    1. Make sure you have an incoming mail spam filter, like SpamAssassin.
    2. Delete any spam that gets through.
    3. If you are interested in the product, do not contact the email (spam) source, reply to the email, or click on "helpful" buttons. Find reputable mainstream vendors - if it's great then Wal-Mart, Best Buy, Circuit City, etc. will stock it.

    myke

  7. MOD PARENT (with malicious address) DOWN! by kabloom · · Score: 2, Insightful

    This is dangerous stuff. Mod the parent article down (which includes a working link to the malicious address) so that people don't click on it.

    1. Re:MOD PARENT (with malicious address) DOWN! by darc · · Score: 2, Insightful

      Security via obscurity your thing? It makes no sense to hide stuff that can hurt you, rather than to be able to TELL what might. Your ostrich defense isn't very effective.

      --
      Tired of legitimate data sources? Try UNCYCLOPEDIA
  8. But then again . . . by harley_frog · · Score: 5, Insightful

    it is a site worthy of a good slashdotting, if just to keep the unwary from reaching it.

    --
    It's all fun and games until someone loses the key to the handcuffs.
  9. Re:Even better - choose a link with graphics on. by Coward+Anonymous · · Score: 2, Insightful

    Don't forget the good services of SSL.


    You should use https for everything so that you get a b c d


  10. Re:Microsoft says "No Problem" by NineteenSixtyNine · · Score: 0, Insightful

    what kind of ignorant user is going to use a scrollbar an a site they don't trust?

    The same kind that use a browser they can't trust.

    --
    What would Bill Clinton do?
  11. Test new SpamAssassin 3.0.0 against this! by Chuck+Bucket · · Score: 2, Insightful

    If SA 3.0 is running with SUBL support, how can we add www.xcelent.biz to the SUBL list? In that case, SA 3.0 would block this email altogether. I think this is a killer feature of SA now, and I'm waiting to learn more about it so I can update my current 2.x version running on my home mailserver.

    PCB$@#
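The idea raised in this comment, flagging mail by the domain its "opt-out" link points at rather than by the message text, as an added example that is not part of the thread and is not SpamAssassin's own code. It extracts link hosts from every text part of a message and checks them against a local blocklist that stands in for a SURBL-style lookup; the sample message and the blocklist are constructed here, with the domain taken from the story.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Local URI blocklist standing in for a SURBL-style DNS lookup (constructed for this example).
BLOCKED_HOSTS = {"xcelent.biz"}

# Crude but adequate: http(s) URLs up to whitespace or a quote/angle bracket.
URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.IGNORECASE)


def extract_hosts(raw_message: str) -> set:
    """Return the lower-cased host names linked from every text/* part of a message."""
    msg = message_from_string(raw_message)
    hosts = set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)  # undo base64/quoted-printable first
        if payload is None:
            continue
        body = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
        for url in URL_RE.findall(body):
            host = (urlsplit(url).hostname or "").lower()
            if host:
                hosts.add(host)
    return hosts


def matches_blocklist(host: str, blocklist=BLOCKED_HOSTS) -> bool:
    """True if the host or any parent domain is listed, so www.xcelent.biz hits xcelent.biz."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels) - 1))


def flag_message(raw_message: str) -> list:
    """Sorted list of linked hosts that hit the blocklist; non-empty means quarantine."""
    return sorted(h for h in extract_hosts(raw_message) if matches_blocklist(h))


# Constructed sample resembling the spam in the story: a CAN-SPAM style remove link.
SAMPLE = """From: sender@example.invalid
To: you@example.invalid
Subject: special offer
Content-Type: text/html; charset=utf-8

<p>Great deal!</p>
<p><a href="http://www.xcelent.biz/remove.php?id=123">Click here to remove</a></p>
"""

if __name__ == "__main__":
    print(flag_message(SAMPLE))
```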

  12. Re:send it to the MCSE boys by Maestro4k · · Score: 2, Insightful
    • I just sent a link to that to the MCSE slags at work. How long till they figure out they just got owned.
    I predict about 5 minutes before they call security and 10 minutes before you get to clean out your desk and go home early. :)
  13. Err...no by kolly+kibber · · Score: 2, Insightful
    The requirement is that they have a link to opt out. There is a link to opt out.

    Wow, you mindlessly repeated the mistaken conclusion of the article submitter.

    If the link doesn't allow you to opt out, it's not an opt out link, is it?

    If the law requires that I have a valid licence when driving, is it OK if I call my dog "a valid licence" and have him sit in the back seat? "Everything is in order, officer. I have 'a valid licence' back here..." Just because you call a thing something, doesn't make it that thing.

    --
    With that reward money, I could afford this life-sized chocolate God, filled with an infinite number of smarties.
  14. Re:Can't we just deal with this already by Maestro4k · · Score: 2, Insightful
    • I like a good practical joke as much as the next person. Can we just track down one of these people, drag him/her outside chop them up with bolo knives hunt down their families, rape mutiliate and murder them set fire to their houses, kill their dogs and piss all over the corpses already?

      I figure 10, 20 thousand of these losers tops and the problem will go away.

    While I appreciate the sentiment (personally I'm thinking boiling oil would be appropriate for spammers) I doubt it'd help. Even with the death penalty in the US we still have far far too many murders/rapes/etc. so it doesn't seem to work as a deterrent. All we'd end up with is lots of dead spammers (good) but plenty more rushing to take their places (bad). Just look at the meth problem, last night on the news we heard that the county sheriff in one of the nearby counties ended up busting his wife's cousin for cooking meth. People just get greedy and completely overlook the possible consequences. We're not going to be able to stop these problems with laws or conventional punishments.

    That said we need to find a way to make spam stop paying. If there's no money in it, or it gets to where it's a near certainty you'll lose all you made (and then some) from hefty fines people will move on to something else to try to make a quick buck.

  15. Just forward these e-mails to your legislators ... by smoyer · · Score: 2, Insightful

    asking that they revisit the CAN-SPAM act. When they click the scrollbar in the forwarded message, they'll finally understand why we didn't think the original bill was tough enough.

  16. Huh? by haraldm · · Score: 2, Insightful

    Why anyone would use an e-mail program that allows clicking on something is beyond me. All the comfortable features that come with clickability have their price -- which in this case is far too high IMHO.

    --
    open (SIG, "</dev/zero"); $sig = <SIG>; close SIG;