Tech Bitch

Adding another trick to their toolkit, spammers are now abusing the ‘out of office’ feature of Web-based e-mail services to relay their junk messages into the inboxes of unsuspecting Internet users. I can’t believe it has taken so long. Anti-virus boffins have recently seen several instances where spammers set up Web-based e-mail accounts and configure auto responders with spammy messages. The miscreants then sent e-mail with fake ‘from’ addresses - the spam targets - to their newly created Web-mail accounts. The ‘from’ addresses subsequently receive the spammy ‘out of office’ notices.

This may sound like a convoluted way to send spam, but spammers do it to trick spam filters. An automatic reply from a well-known Web-based e-mail service will look legitimate to many spam filtering tools. Unlike spam sent by botnets, the auto reply spam will have a legitimate sender and will be signed with the correct signatures used to sign e-mail messages, such as DKIM, DomainKey or Sender ID.

One spammer seen using this technique is advertising an adult Web site - no surprises here! The auto-responder spam does not look like a typical out of office reply. The message subject does always contain ‘Re:’ because that’s added by the Web mail service, but the spammer controls the rest of the subject line and the message body text. In the examples a popular anti-virus manufacturer could only determine that the mail is an auto responder by carefully looking at the e-mail headers.

I suspect the spammer has a program that automatically creates accounts and sets the responder text, all with no manual work required. This gives the spammer the capability to have lots of Web-mail accounts, all used to spam lots of people. All is not lost: the spam should be blocked by a decent anti-spam product through a combination of header and message content checks.