Friday, March 31, 2006

Beware of a new form of SPAM greetings

Just yesterday I was going through an article that shows ways spammers try to evade Bayesian filters to get into your inbox. Today I got first-hand experience of another new way of getting into the inbox by fooling the spam filters. I got a mail from greetings@reply.yahoo.com, and if you look carefully, this is just one of the email addresses that Yahoo! will not filter, so the mail lands in your inbox. This mail is sent by Yahoo! Greetings, so there is nothing to suspect. The DomainKey-Signature also points to Yahoo! Greetings, so there is little to suspect there.

Received: (qmail 14714 invoked from network); 30 Mar 2006 21:08:14 -0000
Received: from pre-smtp05-02.secureserver.net (HELO pre-smtp05-02.prod.mesa1.secureserver.net) ([64.202.166.15])
(envelope-sender )
by smtp03-01.prod.mesa1.secureserver.net (qmail-ldap-1.03) with SMTP
for <*****@yahoo.com>; 30 Mar 2006 21:08:14 -0000
Received: (qmail 957 invoked from network); 30 Mar 2006 21:08:14 -0000
Received: from unknown (HELO n30a.bullet.scd.yahoo.com) ([209.73.160.88])
(envelope-sender )
by pre-smtp05-02.prod.mesa1.secureserver.net (qmail-ldap-1.03) with SMTP
for <*****@yahoo.com>; 30 Mar 2006 21:08:13 -0000
Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=gcom1024; d=yahoo.com;
b=T3S7EetKgarz3oqISx7o81d04bWE3pSCjlhR/rymRp3TLcqTHOsvHZtLFMNcsTbV6TooBNE8zRwzPP6z0CqHriAgOPG5Izd+0j/rBu3Bh7hHje0er7KIgaVRJ2TUf0NoLPRqZFq5zmkQoRYuKQ1Eomch1W8m42T4eb0H3Yxo+L4=;
Received: from [66.218.69.3] by n30.bullet.scd.yahoo.com with NNFMP; 30 Mar 2006 21:08:12 -0000
X-yahoo-newman-property: greetings
X-yahoo-newman-id: null
Received: from [66.163.186.252] by t3.bullet.scd.yahoo.com with NNFMP; 30 Mar 2006 21:08:12 -0000
Received: from [127.0.0.1] by web8.greet.sc5.yahoo.com with NNFMP; 30 Mar 2006 21:08:12 -0000
Received: from [59.114.214.185] by web8.greet.sc5.yahoo.com; Fri, 31 Mar 2006 05:08:12 +0800
Date: Fri, 31 Mar 2006 05:08:12 +0800
From: greetings@reply.yahoo.com
Errors-To: greetings@reply.yahoo.com
Reply-To: alice99785412@hotmail.com
To: donate@viamatic.com
Subject: ªüªÚ ¦b "Yahoo!©_¼¯¶P¥d" ¬D¤F¤@±i¥d¤ù±Hµ¹§A¡A§Ö¬Ý³á¡I
X-Nonspam: None

"ªüªÚ" (alice99785412@hotmail.com)¦b "Yahoo!©_¼¯¶P¥d" ¿ï¤F¤@±i¥d¤ù±Hµ¹§A³á¡I

¥d¤ù»â¨ú¿ìªk¡G

½ÐÂI¿ï¥H¤Uºô§}«e©¹¦¬¨ú(30¤Ñ¤º¦³®Ä)¡C

http://tw.view.greetings.yahoo.com/greet/view?7FNQ948STKCXR

¦pªGµLªk³sµ²¡A½Ð¨ì http://tw.view.greetings.yahoo.com/pickup ¡A¨Ã±N¤U­±ªº¥N½X½Æ»s«á¶K¦bªÅ®æ¸Ì¡G

7FNQ948STKCXR

¯¬§A¦¬¥d´r§Ö¡I

Yahoo!©_¼¯¶P¥d»s§@¤p²Õ

-------------------------
"Yahoo!©_¼¯¶P¥d" ¥d¤ùºØÃþ»ô¥þ¡A±i¼Æ¶W¦h¡I §Ö¨ì http://tw.greetings.yahoo.com/ ¬D±i¥d¤ù±Hµ¹¿ËªB¦n¤Í§a¡I


So far so good. There is nothing to suspect in there. Since I could not understand much, I opened the link, and since it points to http://greetings.yahoo.com/ there was little to suspect. I opened the greeting card and there I saw nice little advertisements in the greeting card. They were in the extra message space that the greeting card companies provide.

The question on your mind would be how it's different from normal spam. Firstly, this mail will not be filtered by normal spam filters and it will land in your inbox. Secondly, if you open the card like I did, you have verified your email address with the spammer. It's like using web beacons without actually using them, and the greeting card companies are helping the spammer here. If you remember, most greeting card companies have a feature that informs the sender when a greeting card is opened. And since I opened it, they have an email address that has been verified.

So the next time you get a greeting card from an unknown person, do not open it, even if the email is in your inbox.
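The headers quoted above show why the sender checks passed: the signature and the From address both belong to the card service, while the Reply-To address and the earliest Received hop belong to whoever filled in the card. The following check is an added example, not part of the original post. It is a heuristic sketch that pulls those four values out of a message; the sample is a constructed subset of the quoted headers, and the names `org_domain`, `analyse` and the finding label are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed sample: a subset of the headers quoted in the post, signature value omitted.
SAMPLE = """\
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=gcom1024; d=yahoo.com;
 b=(omitted);
Received: from [66.218.69.3] by n30.bullet.scd.yahoo.com with NNFMP; 30 Mar 2006 21:08:12 -0000
Received: from [127.0.0.1] by web8.greet.sc5.yahoo.com with NNFMP; 30 Mar 2006 21:08:12 -0000
Received: from [59.114.214.185] by web8.greet.sc5.yahoo.com; Fri, 31 Mar 2006 05:08:12 +0800
From: greetings@reply.yahoo.com
Reply-To: alice99785412@hotmail.com
To: donate@viamatic.com

(body)
"""

def org_domain(addr):
    """Last two labels of the address's host (assumption: no public-suffix handling)."""
    host = parseaddr(addr)[1].rpartition("@")[2].lower()
    return ".".join(host.split(".")[-2:])

def analyse(raw):
    msg = message_from_string(raw)
    # DomainKey-Signature is a ';'-separated tag list; d= names the signing domain.
    sig = msg.get("DomainKey-Signature", "")
    tags = dict(t.strip().split("=", 1) for t in sig.split(";") if "=" in t)
    signer = tags.get("d", "").lower()
    from_dom = org_domain(msg.get("From", ""))
    reply_dom = org_domain(msg.get("Reply-To", ""))
    # Each hop prepends its Received line, so the last one is the earliest hop:
    # here, the client that filled in the card form on the greeting site.
    hops = msg.get_all("Received") or []
    m = re.search(r"from \[([0-9a-fA-F.:]+)\]", hops[-1]) if hops else None
    findings = []
    if signer and signer == from_dom and reply_dom and reply_dom != from_dom:
        # The signature vouches for the relay service, not for whoever wrote the card.
        findings.append("reply-to-outside-signed-domain")
    return {"signer": signer, "from_domain": from_dom, "reply_to_domain": reply_dom,
            "origin_ip": m.group(1) if m else None, "findings": findings}

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

A Reply-To outside the signed domain also occurs in legitimate mail, so the finding is better used as one input to a score than as a verdict on its own.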
