Webmail: the ugly truth
Posted on 6 May 2008 at 12:32
When it comes to free webmail services like Gmail, Davey Winder is more than a little concerned by how little attention people seem to be giving to security.
Webmail spam reaches new highs and lows
Everyone finds webmail convenient and efficient, and sadly that includes the spamming fraternity. MessageLabs suggests that between February and March 2008 there was a whopping 100% rise in the amount of spam coming from Gmail accounts, for example, with 4.6% of all spam traffic now originating from one web-based email service or another. Gmail might have doubled the volume of spam arriving from its users in recent months, but Yahoo Mail still has it beat: according to the MessageLabs research, a staggering 88.7% of all webmail spam comes from its users. Much of this would appear to be due to the increasing success with which organised spam gangs can now defeat the CAPTCHA screens presented when you open a new account, which are there to exclude robots. It no longer seems to matter whether these are defeated by "mechanical turk" labour or by algorithm; the spammers are getting past them with enough success to generate the new accounts they need to keep the junk mail flowing.
Once past these defences, more and more spammers now use an autoresponder approach to defeat spam-blocking systems and fool the human eye. It isn't quite a case yet of sending a message that says "John Smith is out of the office right now, but please read this spam while you're waiting for him to return", but it might just be in the near future. McAfee Avert Labs has told me that spammers are increasingly using the "out of office" autoresponder functionality provided by the likes of Gmail to distribute their messages. It's very logical really: if you happen to send an email to one of these accounts, it will auto-respond with spam instead of an out-of-office notice. The trick relies on getting users to send email to that address in the first place, but there are plenty of social engineering tricks that can fool you into doing just that. One McAfee antispam engineer reckons the recent increase in the volume of spam being sent via legitimate webmail systems is at least in part down to this autoresponder phenomenon. He told me that he suspects the spammers' software is automatically creating accounts and setting their responder text, with little or no manual intervention required.
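The autoresponder trick described above has a natural defensive counterpart: an inbound message that announces itself as an automatic reply but reads like an advertisement is worth treating with suspicion. The following Python script is an added illustration written for this page, not code from the column or from Gmail, MessageLabs or McAfee. It assumes that auto-replies identify themselves with an `Auto-Submitted: auto-replied` header (RFC 3834), a `Precedence: auto_reply` header, or an "Automatic reply"/"Out of Office" subject prefix; which of these a particular webmail service actually sets is not stated in the column. The three sample messages are constructed for the example.

```python
"""Triage inbound auto-replies that look like spam payloads riding an autoresponder.

Added example, not the column's or any vendor's code. Header conventions used
to recognise auto-replies are an assumption (see lead-in).
"""
import re
from email import message_from_string
from email.message import Message

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Subject prefixes commonly used by vacation responders (assumed, not from the column).
AUTO_SUBJECT_PREFIXES = ("automatic reply", "auto reply", "auto-reply", "out of office")

# Phrases a genuine out-of-office note would normally contain (constructed list).
OOO_PHRASES = ("out of the office", "away from", "return on", "limited access")

# Constructed sample messages: a genuine vacation reply, an autoresponder carrying
# a spam payload, and an ordinary human reply that happens to contain a link.
SAMPLE_MESSAGES = [
    "From: alice@example.test\n"
    "To: bob@example.test\n"
    "Subject: Out of Office: project update\n"
    "Auto-Submitted: auto-replied\n"
    "\n"
    "I am out of the office until Monday and will have limited access to email.\n",

    "From: deals@example.test\n"
    "To: bob@example.test\n"
    "Subject: Automatic reply: hello\n"
    "Precedence: auto_reply\n"
    "\n"
    "Best prices on watches! Visit http://deals.example.test/buy now.\n",

    "From: carol@example.test\n"
    "To: bob@example.test\n"
    "Subject: Re: hello\n"
    "\n"
    "Here is the document we discussed: https://docs.example.test/x\n",
]


def is_auto_reply(msg: Message) -> bool:
    """True if the message declares itself an automatic reply (assumed conventions)."""
    auto = (msg.get("Auto-Submitted") or "").lower()
    prec = (msg.get("Precedence") or "").lower()
    subj = (msg.get("Subject") or "").lower()
    return auto.startswith("auto-") or prec in ("auto_reply", "auto-reply") \
        or subj.startswith(AUTO_SUBJECT_PREFIXES)


def body_text(msg: Message) -> str:
    """Extract the plain-text body, joining text/plain parts of a multipart message."""
    if msg.is_multipart():
        chunks = []
        for part in msg.walk():
            if part.get_content_type() == "text/plain":
                payload = part.get_payload(decode=True)
                if payload:
                    chunks.append(payload.decode("utf-8", "replace"))
        return "\n".join(chunks)
    payload = msg.get_payload(decode=True)
    return payload.decode("utf-8", "replace") if payload else ""


def suspicious_reasons(msg: Message) -> list:
    """Reasons an auto-reply looks like a spam payload rather than a vacation notice."""
    text = body_text(msg)
    reasons = []
    urls = URL_RE.findall(text)
    if urls:
        reasons.append(f"{len(urls)} url(s) in auto-reply body")
    if not any(phrase in text.lower() for phrase in OOO_PHRASES):
        reasons.append("no out-of-office language")
    return reasons


def triage(raw_messages) -> list:
    """Return the auto-replies that trip at least two heuristics, with their reasons.

    Ordinary (non-automatic) mail is left alone: a link in a human reply is normal.
    """
    flagged = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        if not is_auto_reply(msg):
            continue
        reasons = suspicious_reasons(msg)
        if len(reasons) >= 2:
            flagged.append({"subject": msg.get("Subject"), "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_MESSAGES):
        print(hit["subject"], "->", "; ".join(hit["reasons"]))
```

Run on the constructed samples, only the second message is flagged: it declares itself an automatic reply, carries a URL and contains none of the wording a real vacation notice would. The genuine out-of-office note passes, and the human reply with a link is never considered because it is not an auto-reply at all. In a real deployment the phrase lists would be tuned per organisation, and a flagged message would be quarantined or scored rather than dropped outright.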
Moo
As if all that weren't bad enough, I can't end the column this month without mentioning the Cult of the Dead Cow. This notorious hacker collective has for many years been using a tool of its own invention called Goolag Scan, which gives quick access to numerous Google searches for server login and credit card data; the trouble is that it has now released the tool for anyone to use.
Anyone can already craft the kind of advanced Google search required to dig up unsecured data of this nature without using Dead Cow's tool, although I don't intend to reveal the secrets of how to do so here. The point is that until now it has taken a certain amount of determination to research such custom search techniques, but with the release of Goolag Scan some 1,500 customised search routines are automatically available to anyone who downloads and installs a piece of software. The argument put forward by the Cow boys is that it will make people think more seriously about the web-based security of their online data, but that's a nefarious evasion in my opinion, a bit like releasing the hounds to make people aware that dogs can bite. That said, if you don't start protecting your actual data pages as well as the gateway that fronts them, those pages will remain at risk of becoming visible to tools like Goolag Scan and the creepy people who use them.