The Anti-virus Times

Thursday, February 9, 2017

In the issue "We can only warn you", we already discussed how site owners and those who compile lists of non-recommended sites could have different views as to what constitutes malicious content. To understand why this is, let's see how a site can end up on this kind of list.

Let's assume that a certain site is involved in spamming activities. Here, we’re not going to consider the possibility that the site’s owners are deliberately doing this (although spammers claim they’re not violating the law, most users disagree), and we are also going to assume that the spamming is happening through no fault of the owners. A site can get involved in spamming activities when:

1. It has been compromised, its routines have been altered, or special scripts have been deployed on the server. Perhaps, the most obvious option: the quite logical thing to do would be to block access to the compromised site until the issue is resolved. The only problem with this is that the site’s owners can quickly fix the problem and start claiming that it never existed.

2. Email accounts compromised due to a lack of verification routines for user-created passwords, or the existence of flaws in the default security settings. This is a more difficult case. Ideally, only addresses related to the compromised email accounts should be blacklisted, but adding several million addresses to the list per week (we all know about leaked mail databases) would bloat it to unimaginable proportions. That's why blocking access to a site and adding trusted addresses to a whitelist is a reasonable solution if multiple security breaches have occurred since analysts checking the site can't determine which email accounts have been compromised.
3. Email account passwords have been leaked. This incident is similar to the previous one. Blocking the site and adding trusted addresses to the whitelist is the most logical step.
4. A lack of experience or errors made during the site’s development can enable perpetrators to use a feedback form that doesn't feature CAPTCHA verification to send out emails. This incident is similar to the previous one, but here it’s easier to prove that a problem exists because it is obvious.
5. Another error in site development can allow perpetrators to register a large number of accounts which will result in bulk messages being sent out to a large number of users who have supposedly registered on the site.
6. Exploit site routines to send notifications. For example, attackers can use mail server delivery-failure notifications like Non-Delivery Report (NDR), Delivery Status Notification (DSN), Non-Delivery Notification (NDN), and bounce messages. They alter sender addresses to make sure that bounce messages are sent to specific addresses.

The Dr.Web anti-spam filters out technical spam, including bounce messages, automatically. Find out more at http://products.drweb.com/antispam.

7. Forward received messages. OpenRelay is the most tempting morsel for spammers. The feature used to be legally available to everyone, but thanks to spammers abusing it, it’s fallen out of use. Nowadays relaying messages without authorisation is considered to be a configuration flaw caused by site administrator negligence. In such cases, sites definitively end up on blacklists.

We can keep enumerating situations for you, and we haven’t examined the more unusual situations when attackers compromise servers that relay emails and spoof messages.

As you can see, many reasons exist as to why sites can get involved in sending out spam, ranging from vulnerabilities in the sites' code to flaws in their configuration. Unfortunately, most mistakes play into attackers' hands.