No, I Will Not Forward Your Spam

An interesting social engineering attack that gets helpful users to forward spam into mailboxes that would otherwise reject it.

It should come as little surprise, when you think about it, that the To address of an email has absolutely nothing to do with who it gets delivered to.

We see cases like this all the time: a blind-carbon-copied email in which our username doesn’t appear in the headers at all, or a newsletter we subscribe to, which also doesn’t reveal our name. In fact, sometimes we see people having fun with this and sending email to you addressed as funnynickname@yourdomain.com. Lots of your existing spam isn’t addressed to your username either, if you’ve noticed.

To and Cc are just headers squirted onto the email for our readability, and have nothing to do with the delivery mechanism of email. Point proven.

Spammers harvest our email addresses from a number of places, mostly the web and newsgroups, but sometimes from those chain letters and surveys your friends forward all over the place.

Many of us have a number of spam filters in place to ditch stuff that comes from unreliable sources.

And sometimes we also have special white-list rules to let our friends send us things that normally would never be able to make it into our mailboxes.

Well, here’s another social engineering trick you need to be aware of, especially if you’re sharing a resource such as a company server.

A spammer may pick up two email addresses, bob@somewhere.com and alice@somewhere.com. Let’s say Bob has a spam filter, but Alice isn’t as tech savvy.

In order to reach Bob, the spammer makes it look like he’s made an addressing mistake. He writes a message with a To address of bob@somewhere.com but deliberately sends it to alice@somewhere.com.

What happens?

Alice, who’s got no spam filter to catch the message, receives it. She sees a message in her inbox addressed to Bob, thinks that somehow the computer got it “wrong” and that she got Bob’s email by mistake, and forwards it to him out of kindness.

Meanwhile, Bob, who trusts all intra-company email, receives Alice’s forwarded message, and now has spam (or a virus) sitting in his mailbox.
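A mail filter can look for this pattern by comparing the address a message was actually delivered to with the addresses shown in To and Cc. The following is an added example, not code from the original post; it assumes the filter is handed the SMTP envelope sender and recipient, and the function names and sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def header_recipients(msg):
    """Addresses displayed in To and Cc; these play no part in delivery."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(fields) if addr}

def colleagues_named_instead(raw, envelope_from, envelope_rcpt):
    """Flag the 'misaddressed' pattern described in the post.

    envelope_from / envelope_rcpt are the SMTP MAIL FROM and RCPT TO values
    (assumed to be supplied by the mail server). Returns the same-domain
    addresses shown in To/Cc when an outside sender delivered the message to
    someone who is not shown there; an empty list means no match.
    """
    local = domain_of(envelope_rcpt)
    if domain_of(envelope_from) == local:
        return []  # internal mail: out of scope for this heuristic
    shown = header_recipients(message_from_string(raw))
    if envelope_rcpt.lower() in shown:
        return []  # the real recipient is named normally
    return sorted(a for a in shown if domain_of(a) == local)

# Constructed sample messages (not real mail).
SAMPLE_SPAM = (
    "From: Deals <deals@example.net>\n"
    "To: bob@somewhere.com\n"
    "Subject: For Bob\n\n"
    "Body\n"
)
SAMPLE_NEWSLETTER = (
    "From: News <news@example.org>\n"
    "To: subscribers@example.org\n"
    "Subject: Weekly\n\n"
    "Body\n"
)

if __name__ == "__main__":
    print(colleagues_named_instead(SAMPLE_SPAM, "deals@example.net", "alice@somewhere.com"))
    print(colleagues_named_instead(SAMPLE_NEWSLETTER, "news@example.org", "alice@somewhere.com"))
```

A hit is a reason to tag the message or hold it for review rather than reject it, because an outside sender who legitimately Bcc's Alice on mail to Bob produces the same headers.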

The bottom line is this: think before you forward.