Whitewashed Spam – How Antispam Laws Are Helping Spammers

Contributor: Binny Kuriakose

Anonymity disguised as freedom of expression and a lack of clear-cut laws make cyberspace murky from a security point of view. Countries are waking up and realizing that there is a need for laws which enable authorities to catch and punish cyberspace miscreants; however, these miscreants are very crafty.

Spammers are known to use ingenious methods to peddle spam and lately they have even begun using antispam laws themselves in an effort to spearhead spam attacks. This blog is not about analyzing the effectiveness of antispam laws; it is about how spammers are quoting the laws in emails in order to make the spam look legitimate.

There are some “grey area” emails, which fall somewhere between spam and legitimate mail, and sometimes there can be something very inconspicuous in the mail that can tip the balance in the mind of a recipient. Quoting antispam law in the body of the email and claiming that the email adheres to the law is proving to be a popular technique when it comes to painting “grey area” spam white.

CAN-SPAM Act - Public Law No. 108-187 (USA - English)

The sample in Figure 1 claims to be adhering to the conditions set by the CAN-SPAM Act, which is the antispam law in the USA. The mail has a disclaimer section at the end which explains the law.


Figure 1. Spam sample with antispam law quoted in the body

How is this spam?

What is transgressed here is that the opt-out option offered by the spammer is bogus. He merely slides you out of one mailing list and inserts you into another. In all such spam instances, the spammer presents the quote and the ‘unsubscribe’ or ‘opt-out’ option so convincingly that the victim falls for it.

Other laws which are most commonly seen ‘misused’ in spam

  1. MURK - Bill S.1618 Title III (U.S.A - English)

    By far the most misused legal reference is Bill S.1618 Title III of the United States, which goes by the alias MURK. Although it did concern spamming, the Bill DID NOT BECOME A LAW in the USA since it did not pass both houses. So any mail which says it is compliant with Bill S.1618 Title III should be put under scrutiny, as you are staring at a lie right there. Spam mails quoting this bill have been seen since 1998, when the Bill was presented.


    Figure 2. Disclaimer in spam quoting Bill S.1618 Title III

    Something which is more disturbing is that the spammers actually take it as far as threatening the readers, using this quote.


    Figure 3. Bill S.1618 quoted in a threatening manner

    However, this drama has spilled beyond the shores of the United States. This quote is also seen in spam in other languages, such as Portuguese and Spanish.


    Figure 4. Disclaimer in a Spanish spam quoting Bill S.1618 Title III

  2. Habeas data - Law No. 25, 326 Art. 27 Inc. 3 (Argentina - Spanish and Portuguese)

    Habeas Data is a law which lays down guidelines for commercial emails in Argentina. Like most other laws in this league, it empowers a user to demand that his details be removed from a database.

    It is seen quoted in Spanish and Portuguese spam email campaigns where the opt-out option is manipulated to make it look legit. The fact remains that the opt-out options are bogus and do not keep the victims from getting more spam.


    Figure 5. Disclaimer in a spam mail quoting Habeas data law

  3. Law No. 28493 / 29246 / D. S. 031-2005-MTC (Peru - Spanish)

    Law No. 28493 / 29246 / D. S. 031-2005-MTC is a law in Peru, where Spanish is the language. Spanish mails even from other countries are seen displaying this law and claiming legitimacy under it. This sample is seen giving an unsubscribe option by sending a reply to a webmail address.


    Figure 6. Disclaimer in a spam mail quoting Peruvian Law No. 28493 / 29246

  4. Déclaration CNIL n°1291376 and Déclaration CNIL n°1181416 (France - French)

    Two pieces of French legislation regulating commercial mailings are seen displayed in spam which does not give a proper opt-out option to the customer. The opt-out link usually redirects to another webpage showing a message that the user’s details have been removed, but in reality the opt-out does not happen.


    Figure 7. Disclaimer in a spam mail quoting French CNIL No 1291376


From these it is strikingly obvious that spammers are trying to whitewash their spam, conveniently using the laws to create an aura of fake legitimacy. Unfortunately, recipients are falling victim to this.

Many countries have recognized the right of individuals to unsubscribe from any communication and the right to demand the removal of their personal information from any database. But these instances show that a strong law regarding opt-in to a list is just as important as the law for opt-out, since the spammers can slide you into a new mailing list after you unsubscribe from one. End users should be aware of what rights the antispam laws grant to every individual.

Is Your Web Host Keeping PHP Up to Date?

When it comes to keeping your website secure, your web host should be the least of your worries. These are technology companies, sometimes rather large, whose focus is on websites. You would think that they would be better at handling website security than anyone other than security professionals. Unfortunately, we often find that they are not. As just one example, last year we discussed the fact that Media Temple was incorrectly blaming a hack of websites hosted by them on their customers running outdated software on their websites, while they themselves were running outdated software on their website. Over a year later they are still not bothering to take the basic step of keeping software running on their website up to date:

Media Temple's System Status Website is Running WordPress 3.3.2

Trying to assess the security of web hosts is difficult because much of the information needed to do that assessment is only available to them. There are some things that you can check on, and one of those is whether they are keeping the version of PHP on the server hosting your website up to date. If you are using WordPress, Joomla, Drupal, or a lot of other web software then you are using PHP and it is important to keep that up to date, as a hacked website we cleaned up this week shows.

One of the basic steps of cleaning up a hacked website is determining how it was hacked and then fixing the vulnerability so that the website doesn’t get hacked again (unfortunately, many companies that clean up hacked websites cut corners and don’t do this). In reviewing the log files for the website in question we traced the original exploitation to this line in the website’s access log:

    - - [16/Apr/2013:19:18:32 -0400] "POST /?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 68

What that shows is an attempt to exploit a vulnerability in PHP versions prior to 5.3.13 and 5.4.3. Unfortunately, the website in question was running an older, vulnerable version of PHP and was configured in a way that made it susceptible to the vulnerability. If PHP had been kept up to date the website would not have been hacked.
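A log review for requests of this shape can be automated. The following is an added example, not code from the original post: it flags access-log entries whose query string would be handed to a CGI-mode PHP binary as command-line switches, which is what the request above does by encoding `=` as `%3d`. The function names and the sample log (with documentation-range client addresses) are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Timestamp, request line and status from a common/combined log format entry.
LOG_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\]\s+"(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/[\d.]+"'
    r'\s+(?P<status>\d{3})\s'
)

def php_cgi_args(target):
    """Return the command-line arguments a CGI-mode PHP binary would be handed
    for this request target, or [] when the query cannot act as arguments."""
    _, sep, query = target.partition("?")
    if not sep or not query:
        return []
    # CGI only treats a query as arguments when it has no unencoded '='.
    # That is why the logged request encodes '=' as %3d.
    if "=" in query:
        return []
    args = [unquote(tok) for tok in query.split("+") if tok]
    return args if args and args[0].startswith("-") else []

def scan(lines):
    """Return one finding per log line whose query string carries PHP switches."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue  # not a parseable request entry
        args = php_cgi_args(m["target"])
        if args:
            findings.append({"line": lineno, "time": m["ts"],
                             "status": int(m["status"]), "args": args})
    return findings

# Constructed sample log. Client addresses are documentation-range placeholders;
# the first request line is the one quoted in the article.
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Apr/2013:19:18:32 -0400] "POST /?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 68',
    '192.0.2.11 - - [16/Apr/2013:19:20:01 -0400] "GET /index.php?id=5 HTTP/1.1" 200 5120',
    '192.0.2.12 - - [16/Apr/2013:19:21:44 -0400] "GET /search?q=-d+test HTTP/1.1" 200 812',
    '192.0.2.13 - - [16/Apr/2013:19:22:10 -0400] "GET /page?about+us HTTP/1.1" 200 2048',
    '192.0.2.10 - - [16/Apr/2013:19:25:03 -0400] "GET /index.php?-d+allow_url_include%3D1 HTTP/1.1" 404 310',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The status code in a finding only says how the server answered; whether the request had any effect depends on the PHP version and on whether PHP runs in CGI mode on that host.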

The PHP developers fairly regularly release new versions that fix security vulnerabilities in the software. The most recent releases with security fixes were versions 5.3.23 and 5.4.13, released in March. Unfortunately, we often find that our clients’ web hosts are not keeping PHP up to date. If your web host isn’t keeping PHP updated you probably should move to a web host that takes such basic security seriously.

If you are wondering what version of PHP your web host is using for your website, there are a number of ways to find that out. The least technical way to do that is to contact their customer support and ask them what version of PHP is in use. It would also be good to ask them what their upgrade policy is for PHP and other software powering the web server, to make sure that they are properly handling that. You can sometimes find the PHP version in use in the control panel for your website or the administrative area of the website. You can also use a tool we have created that allows you to check the version of various software running on the server your website is on.


Downloader.Liftoh Cousin to W32.Phopifas?

Downloader.Liftoh is a Trojan horse detected by Symantec that downloads malware onto the compromised computer without the user noticing.

A new variant of this threat, discovered in early May, was identified in some Spanish-speaking countries in Latin America. This variant of Downloader.Liftoh sends messages in Spanish instead of English. The threat is similar to W32.Phopifas which we wrote about in our blog from October 2012.

The creators of Downloader.Liftoh use Skype, which is popular in Latin America, as well as other instant messaging applications to distribute the malware:

  1. The victim receives a message from someone who seems to be on their contact list. The message says, “esta es una foto muy amable de tu parte,” or “jaja, esta foto extraña de tu perfil,” or some similar message to entice the victim to click on a provided link. The link is from one of several URL shortener services, including goo.gl, url9.de, fur.ly, bit.ly, and is.gd.
    Figure 1. Malicious Skype message
  2. If the victim clicks on the shortened URL, they are redirected to a URL on the 4shared.com website.
  3. Once on the 4shared.com website, the victim is prompted to download a .zip file that contains Downloader.Liftoh disguised as a legitimate instant messaging file.
  4. If the victim unzips the file, they will find an .exe file inside.
  5. If the victim executes that .exe file, Downloader.Liftoh will have successfully compromised the computer.

Symantec has observed that this attack recently received 171,553 clicks through Google’s URL shortener, which the cybercriminals use in their campaign.


Figure 2. Downloader.Liftoh has 171,553 global clicks since May 20


Figure 3. Downloader.Liftoh Latin American click rate distribution

There are no geographic boundaries for malware distribution. Attackers only need to change malware code to a different language to find new computers to compromise. To protect yourself, Symantec recommends having up to date and comprehensive security solutions that include antispam and antivirus protections to prevent the compromise of personal computers and networks. It is also recommended that users not click on suspicious links or open any unusual files—even if they are sent from a known contact.

Rise in URL Spam

Symantec is observing an increase in spam containing URLs. On May 16, URL spam volume increased by 12% from 84% to 96% and since then the URL spam volume has fluctuated between 95% and 99%. That means 95% of the spam messages delivered during this period have one or more URLs in them.


Figure 1. URL spam message volume

During this period, .ru was the most used top-level domain (TLD). As illustrated in Figure 2, it is interesting to note a drop in .ru spam and a simultaneous rise in .com and .pw spam. Over 73% of the URL spam contained the .ru, .com, or .pw TLDs.


Figure 2. Top 3 TLDs distribution (last seven days)


Table 1. Spam volume of top 5 TLDs that contributed to total URL spam
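The two figures quoted above (the share of spam carrying a URL and the share of URL spam per TLD) can be measured over a mail corpus as follows. This is an added example, not Symantec's code: it assumes each message counts once toward the URL total and once per distinct TLD it links to, and the message bodies and host names are constructed placeholders.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

URL_RE = re.compile(r'https?://[^\s<>"\']+', re.IGNORECASE)

def tlds_in(body):
    """Distinct TLDs linked from one message body (IP-literal hosts have none)."""
    tlds = set()
    for raw in URL_RE.findall(body):
        try:
            # Drop sentence punctuation that the regex swallowed after the URL.
            host = urlsplit(raw.rstrip(".,;:!?)")).hostname
        except ValueError:
            continue  # malformed authority, e.g. unbalanced IPv6 brackets
        host = (host or "").rstrip(".")
        label = host.rsplit(".", 1)[-1]
        if "." in host and not label.isdigit():
            tlds.add("." + label)  # hostname is already lower-cased
    return tlds

def url_spam_stats(bodies):
    """Return (% of messages with a URL, {tld: % of URL-bearing messages})."""
    with_url, per_tld = 0, Counter()
    for body in bodies:
        if URL_RE.search(body):
            with_url += 1
            per_tld.update(tlds_in(body))
    url_pct = 100.0 * with_url / len(bodies) if bodies else 0.0
    share = {t: 100.0 * n / with_url for t, n in per_tld.items()}
    return url_pct, share

# Constructed message bodies; every host name is a placeholder.
SAMPLE_BODIES = [
    "Ends Today! http://offers.placeholder-a.ru/buy.",
    "Free shipping: HTTP://Placeholder-B.COM:8080/x and http://placeholder-c.com/y",
    "Good health (http://placeholder-d.pw/?id=1)",
    "See http://192.0.2.7/promo",   # URL spam, but no TLD to attribute
    "Plain text, call us today",    # no URL at all
]

if __name__ == "__main__":
    pct, share = url_spam_stats(SAMPLE_BODIES)
    print(f"URL spam: {pct:.0f}% of messages")
    for tld, p in sorted(share.items(), key=lambda kv: -kv[1]):
        print(f"{tld}: {p:.0f}% of URL spam")
```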

We are observing an increasing use of shortened URLs and free Web domains with the .ru TLD. The spam examples seen are mainly hit-and-run (a.k.a. snowshoe) spam. The call to action URL in the spam message leads to fake offers or online pharmacy stores.

Below are the Subject lines that may be seen in spam emails.

  • Subject: Ends Today! Buy One, Get One Free
  • Subject: 48 Hours Only | Free Shipping!
  • Subject: Are you dreaming about good health?
  • Subject: Satisfy your girl fully
  • Subject: Win your lady's addiction
  • Subject: Present your women real care
  • Subject: You need Ukrainian woman with beautiful eyes that are ready to talk to private theme?


Figure 3. URL spam message

This sudden rise in URL spam volume was seen in December 2012 and January this year when holiday season spam and year-end spam was on the rise. Symantec will continue to monitor this uptick in spam containing URLs and will keep our customers protected with additional filters to block these attacks.