The Gmail spam trap

29 Jul 2010
Spam folder

Spammers are making their messages look like Gmail to try and fool filters

A security trends report I read recently suggests that spammers are now employing techniques that make it look as though their messages have originated from Gmail accounts, either by using actual compromised accounts or just by knocking up a template that copies the message style used by this service.

Commtouch Labs reckons that somewhere between 5% and 10% of all spam by volume is now designed to give the impression of coming from Gmail – but why bother doing this, you may be wondering?

Spammers have been spurred on to this new trend in deceptive legitimisation of their output

Well, it all comes down to what I call “deceptive legitimacy”. Global spam volumes are running as high as 200 billion messages per day, depending upon whose statistics you believe, and according to the eSoft Threat Center stats, some 70% of those messages can be accounted for by just one category: pharmacy spam.

Most of these are messages from fake pharmacy sites that try to sell you fake drugs (or else to just rip off your credit card number with no intention of selling you anything at all). The trouble is that we’ve all become rather immune to spam, almost to the point where it appears to have vanished from our view.

In truth this is just a magic trick performed by our email clients, which nowadays employ server-side filtering tools or standalone antispam filters to make sure we never see the stuff. The real volume of spam being pushed around the internet, and which costs our ISPs a small fortune in wasted bandwidth, certainly isn’t shrinking: an average of 305,000 new spam zombies are being activated every day just to support the malicious activity that leads to spam.

It’s as a consequence of this magic trick that makes us end users so much less likely to see spam, that the spammers have been spurred on to this new trend in deceptive legitimisation of their output. They absolutely have to find increasingly ingenious methods to circumvent the filters and get their obnoxious messages in front of our eyes, because if they don’t they’ll go out of business. We can but dream.

So now spam output is legitimised by sending it from compromised real email and social networking accounts. Many of us tell our email clients not to treat messages from certain trusted senders as spam under any circumstances, since we don’t want to miss out on important communications from business colleagues or friends. It’s quite common practice to simply exclude all messages coming from anyone who’s in your contacts list from the spam-filtering process, which is why compromised accounts are so sought after.

Get your hands on one of these lists and recipients on that list are almost certain to read your message, because they’ve become conditioned to trust that such contacts aren’t spammers. All the more reason to value your login data, dear reader, and that goes for social networks and forums as well as mail.

Direct messaging spam is on the increase and is another trend the spammers are exploiting. Even when your account hasn’t been compromised, the most savvy spammers are now applying a deceptive legitimacy approach by using Gmail, Facebook and PayPal templates among others to make messages appear, at first glance, to be something they’re not. Those elements within the text that look most “spammy” and “phishy” when subjected to a closer examination are now played down in an effort to circumvent filters.

Read more