It seems like spammers are now moving to automated spam via popular web mail services as a way to bypass IP-blacklisting services.
It’s a large advantage for them as they can still use botnet sources to generate the e-mail but the source IP address will be from a ‘trusted’ domain such as Gmail or Yahoo!.
The growing abuse of webmail services to send spam has led anti-spam services to throttle messages from Gmail and Yahoo!
Over recent months security firms have reported that the Windows Live CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) used by Hotmail, and the equivalent system at Gmail, have been broken by automated attacks.
CAPTCHAs typically help ensure that online accounts can’t be created until a user correctly identifies letters depicted in an image. The tactic is designed to frustrate the use of automated sign-up tools by spammers and other miscreants.
Obtaining a working Gmail account has a number of advantages for spammers. As well as gaining access to Google’s services in general, spammers receive an address whose domain is highly unlikely to be blacklisted, helping them defeat one aspect of anti-spam defences. Gmail also has the benefit of being free to use.
I think we are only going to see the percentages go up as spammers find it’s more effective to send their junk from web based email services. Now they can ship out the CAPTCHA breaking to sweatshops in India for peanuts, it’s a good solution to a lot of the problems they face when sending bulk mail.
An analysis of spam trends in February 2008 (the last available monthly figures) by MessageLabs revealed that 4.6 per cent of all spam originates from web mail-based services.
The proportion of spam from Gmail increased two-fold from 1.3 per cent in January to 2.6 per cent in February, most of which spamvertised skin-flick websites. Yahoo! Mail was the most abused web mail service, responsible for sending 88.7 per cent of all web mail-based spam.
It was first thought that automated tools were used by spammers to defeat security checks and establish webmail accounts that might later be abused to send junk. More organisations are coming around to the theory, first floated by Brad Taylor, a Google software engineer, that bots are signing-up for accounts before sending the puzzles to real people.
It costs them as little as $4 a day to hire someone to break CAPTCHAs from the webmail sites. It’s a known fact they are making huge amounts of money so this is a small payout for them to ensure more mail gets past traditional spam filters.
Source: The Register
- Rowhammer – DDR3 Exploit – What You Need To Know
- Santoku Linux – Mobile Forensics, Malware Analysis, and App Security Testing LiveCD
- Google Expands Pwnium Year Round With Infinite Bounty
- Google Fixes Serious Vulnerability in Gmail
- NDR or Backscatter Spam – How Non Delivery Reports Become a Nuisance
- China Outlaws Private E-mail Servers
Most Read in Exploits/Vulnerabilities:
- Learn to use Metasploit – Tutorials, Docs & Videos - 229,567 views
- AJAX: Is your application secure enough? - 119,408 views
- eEye Launches 0-Day Exploit Tracker - 85,198 views