Social engineering and the redefinition of spam

Let’s start off with the definition of spam according to Wikipedia:

E-mail spam, also known as junk e-mail, is a subset of spam that involves nearly identical messages sent to numerous recipients by e-mail. A common synonym for spam is unsolicited bulk e-mail (UBE). Definitions of spam usually include the aspects that email is unsolicited and sent in bulk.

The keywords here are “identical messages” and “unsolicited bulk email”. What if you make it look as though the users requested the messages themselves, by subscribing their email addresses to a mailing list and automatically approving their membership?

Usually, when someone subscribes to a list, an email is sent to the subscriber asking him/her to confirm that the address was really submitted to the list. Find a way to skip this step and you have the perfect form of spamming.
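The confirmation step described above is the control that this abuse relies on skipping. As an added example (not ning.com's code and not part of the original post), here is a minimal confirmed opt-in flow in Python: a submitted address only ever receives a confirmation request, and list mail reaches it only after a server-signed, time-limited token has been presented. The list name, signing key and addresses are constructed for the example.

```python
"""Confirmed (double) opt-in: a submitted address becomes pending and gets only
a confirmation request; list mail goes to addresses that presented a valid token.
Added example, not ning.com's code; list name, key and addresses are constructed."""
import hashlib
import hmac
from dataclasses import dataclass, field

SECRET = b"constructed-demo-signing-key"   # server-side key (constructed, demo only)
TOKEN_TTL = 24 * 3600                      # confirmation link valid for 24 hours


@dataclass
class MailingList:
    name: str
    pending: dict = field(default_factory=dict)   # email -> token expiry
    confirmed: set = field(default_factory=set)
    outbox: list = field(default_factory=list)    # (recipient, subject) pairs

    def _mac(self, email: str, expiry: int) -> str:
        msg = f"{self.name}|{email}|{expiry}".encode()
        return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

    def subscribe(self, email: str, now: int) -> str:
        """Anyone may submit an address; the only mail it triggers is a confirmation request."""
        email = email.lower()
        expiry = now + TOKEN_TTL
        self.pending[email] = expiry
        self.outbox.append((email, f"Confirm your subscription to {self.name}"))
        return f"{email}|{expiry}|{self._mac(email, expiry)}"

    def confirm(self, token: str, now: int) -> bool:
        """Activate only for a well-formed, unexpired, single-use token whose MAC matches."""
        try:
            email, expiry_s, mac = token.split("|")
            expiry = int(expiry_s)
        except ValueError:
            return False
        if now > expiry or self.pending.get(email) != expiry:
            return False
        if not hmac.compare_digest(mac, self._mac(email, expiry)):
            return False
        del self.pending[email]
        self.confirmed.add(email)
        return True

    def send(self, subject: str) -> int:
        """List traffic reaches confirmed members only; returns how many were mailed."""
        for email in sorted(self.confirmed):
            self.outbox.append((email, subject))
        return len(self.confirmed)
```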

[Screenshot: 01-membership]

Send them an email like this one and you might be surprised how many are curious enough to check what the membership means. If the user clicks the link, he is prompted to log in or register in order to see what this is all about.

But – why register? The address is already registered. The user only has to click on “Forgot password” to receive the password.

[Screenshot: 02-signup]

If the number of users who recover the password is not big enough, make them even more curious by sending them a message:

[Screenshot: 03-comment2]

If still not enough curious people have recovered their password, send them a password reset notification. They are registered after all!

[Screenshot: 04-passreset]

If this still doesn’t work, then just keep spamming them every day until they get their password and try to cancel the membership.

This method of creating a list on a reputable social networking server like ning.com is not new. All renowned sites are being abused to send spam: LinkedIn, Orkut, Twitter, live.com, and so on. This technique is very effective. The email is 100% valid and cannot simply be marked as spam because the server has a good reputation.

The From field is not a real person but an automated bot running on the server (mail@<list>.ning.com). In order to subscribe to a list hosted on ning.com one needs an account registered at ning.com. This means that our spam trap was automatically subscribed to ning.com without having to confirm the account. There is, of course, the possibility that the account was hacked and somebody was actually able to confirm the subscription in our account. But this is very unlikely.

To check this, I actually retrieved the password from ning.com and set a new one.

[Screenshot: 05-leave]

Immediately after this, I tried to leave the group for which the account was automatically subscribed. It wasn’t possible though. Of course, I will try again in the next few days. If it still won’t work, I will contact ning.com to see what’s going on. So this article ends with “to be continued…”.

Sorin Mustaca
Manager International Software Development