Spam Opt-out Link Triggers Malicious Code Attack
Maestro4k writes "The Register is reporting on a new spam E-mail circulating out there. In it, clicking on the 'Click here to remove' link launches a site that, when the user scrolls the page, triggers a drag-drop JavaScript exploit. Scarily, the E-mail actually complies with the CAN-SPAM act, as it only requires spammers to put an opt-out link in their mailings. As The Reg says, "It comes as little surprise that this feature is being taken advantage of in a social engineering exploit; but it does illustrate the security problems of the opt-out approach that were always apparent to security experts - and ignored by legislators." The link in question points to www. xcelent.biz (as in The Reg story, space intentionally included), so even if you can't block the mail yet, it should be easy to block access to the site with the exploit. I suspect this is just the beginning and most spam will include "features" such as this in the near future."
I realize that another spammer will take advantage of the hole next week, but if the hosters were blacklisted from DNS servers, the offending files might get removed a little faster.
Agile Artisans
There's nothing legal about this.
It's not specifically illegal under the CAN-SPAM act, but it's just as illegal as any other exploit, trojan or worm.
I don't need no instructions to know how to rock!!!!
Seriously.
It's not like spammers are a class of people to be trusted. I always felt the opt-out requirement was a joke and prime for abuse. By opting out, you are telling the spammer that you read every email that comes your way, and they add it to their list of email addresses that actually respond to spam.
So what do they do with this list? If they follow the letter of the law, they will stop spamming - but they have a list of high-quality email IDs that they can sell to other spammers.
Users should always follow these simple instructions with regards to email spam:
1. Make sure you have an incoming mail spam filter, like SpamAssassin.
2. Delete any spam that gets through.
3. If you are interested in the product, do not contact the email (spam) source, reply to the email, or click on "helpful" buttons. Find reputable mainstream vendors - if it's great, then Wal-Mart, Best Buy, Circuit City, etc. will stock it.
myke
Mimetics Inc. Twitter
It is a site worthy of a good slashdotting, if just to keep the unwary from reaching it.
It's all fun and games until someone loses the key to the handcuffs.
The government could crack down on most spam sources anytime they feel like taking the problem seriously. With all the business, tax code, interstate commerce, and other regulations on the books already, any spammer is bound to be violating a bunch of existing laws. And since many spamvertized products and services are fraudulent or blatantly illegal, simply prosecuting with traditional laws would be adequate.
If the IRS started auditing every known spammer with operations or residence in the United States, that would have a very chilling effect on spam. I'd bet my life savings that spammers don't report all of their income for tax purposes. If other countries then followed suit, spam would be relegated to the far corners of the world and easily firewalled.