
Could Fake Phishing Emails Help Fight Spam? 296

Posted by Soulskill
from the hello-sir-madam dept.
Glyn Moody writes "Apparently, the US Department of Justice has been sending out hoax emails to test the security awareness of its staff. How about applying a similar strategy to tackling spam among ordinary users? If fake spam messages offering all the usual benefits, and employing all the usual tricks, were sent out by national security agencies around the world, it would select precisely the people who tend to respond to spam. The agencies could then contact them from a suitably important-looking government address, warning about what could have happened. Some might become more cautious as a result, others will not. But again, it is precisely the latter who are more likely to respond to further fake spam messages in the future, allowing the process to be repeated as often as necessary. The system would be cheap to run — spam is very efficient — and could use the latest spam as templates."

  • by Lumpy (12016) on Monday February 02, 2009 @11:03AM (#26694213) Homepage

    I did that back in 2001 to the sales force at Comcast. We in the IT department formed and sent an email with an exe file payload. When run, it reported back to us who opened it and popped up a message on their screen that said, "IF I WAS A REAL VIRUS ALL YOUR FILES WOULD BE DELETED"

    We sent it from outside the company with a yahoo.com address.

    85% opened and ran the attachment. We used this as a part of our IT education to our users. After the classes that month we repeated it 45 days later.

    We had a 90% opening rate this time. You really cannot teach the users. Most people who are not IT professionals don't care. If they hose their own computer they don't have to fix it, you do.

    The only effective thing would be to actually delete all the users files and never give them back. Humans only really learn from cause and effect. Simulations rarely teach them.

  • Re:Seriously? (Score:5, Interesting)

    by characterZer0 (138196) on Monday February 02, 2009 @11:04AM (#26694227)

    Can you come up with a protocol that will not allow a zombie box to, as you say, authenticate properly?

  • by u38cg (607297) <calum@callingthetune.co.uk> on Monday February 02, 2009 @11:08AM (#26694277) Homepage
    There was also that university that sent all their students an email to warn them about phishing. Included in the email was a typical phishing text, along with comments on style and grammar. I think the guy that sent it out got something like forty or fifty usernames and passwords back.
  • Re:Seriously? (Score:5, Interesting)

    by oldspewey (1303305) on Monday February 02, 2009 @11:09AM (#26694301)

    There are advantages to thinking of (and addressing) spam as a social problem rather than a technological problem. For starters, treating it as a technological problem leads to an arms race mentality in which spammers are continually driven to "outsmart" technological safeguards as they are developed.

    Personally, I have no problem with an approach in which "purchasers" (in other words, anybody who responds to spam in any way) are exposed and educated by any means necessary ... with education consisting of an escalating series of measures until the recipients finally comprehend just how fucking stupid their actions were.

  • by socsoc (1116769) on Monday February 02, 2009 @11:19AM (#26694419)
    Really? Sounds ridiculous to me. It's difficult enough to convince people that your work e-mail is for work related matters... I don't need management asking me to send out a phish attempt to the staff as a test.
  • Re:Seriously? (Score:3, Interesting)

    by Chyeld (713439) <chyeldNO@SPAMgmail.com> on Monday February 02, 2009 @11:28AM (#26694545)

    So your argument is basically "The current system sucks, therefore no system will work!"?

  • by goombah99 (560566) on Monday February 02, 2009 @11:33AM (#26694629)

    The "good" spam is sort of like a public education campaign about STDs. It's part of a well rounded solution in raising public awareness. Yours may not need raising, but you will benefit if the awareness of others is raised, so put up with it.

    Now then there's the post infection detection problem. We could take a similar approach of turning a bad thing to our advantage. Presumably these Zombie bots try to hit a series of predefined URLs to announce their availability. Once some of those are known, why not seize them and use them to get infected computers to self-identify, then notify the owners or, if unresponsive, their ISPs?

    That would not cure all infection. But there is a well-known principle in medical virus infection called the R-factor, and that is the minimum number of infections needed in a population before the disease becomes self sustaining or growing in infections. We don't have to eliminate all zombies before we reach a point where the infection rate is highly damped.

  • Re:Seriously? (Score:4, Interesting)

    by moteyalpha (1228680) * on Monday February 02, 2009 @11:41AM (#26694751) Homepage Journal
    That is definitely a solution and it is just __scary__ what my customers will do. I have considered training them to use encrypted email and there is a learning issue there. They will not learn how to use it as it is irritating to them and consumes their time. They will simply ignore me and hire somebody that will not bother them about security, even though they are exposing information about others.
    Private customers are even worse, their computer skill level is so low that it is impossible to communicate the fact that they __personally__ must do something and there is no widget solution.
    As far as the government doing this, it just makes matters worse. Soon the spammers will mimic the official documents and as a final step will tell the consumer to install pwn_my_Machine.exe to solve all their problems.
  • Infotainment (Score:5, Interesting)

    by freedumb2000 (966222) on Monday February 02, 2009 @11:42AM (#26694771)
    If anyone really, the media (TV, print etc.) should step in and educate. I bet if Regis did a bit on some common sense ways to spot and avoid spam and phishing, that I am sure would go a long way to educate the average joe/mom about the dangers. Or a 60 Minutes on spam. A bit on MSNBC. A column in a monthly rag. In my experience people are very curious and/or afraid of getting infected or spammed and enjoy any helpful information that they can put to use right away to protect themselves.
  • by thecoolbean (454867) on Monday February 02, 2009 @11:52AM (#26694903) Homepage

    The LAST thing any of us want is for the bureaucracies to be responsible for what e-mail we receive and what e-mail we do not. If people cannot be troubled to acquire or hire the expertise necessary to reduce spam, then let them eat spam. People have the right to pursue happiness, bear arms, to assemble and to worship. They also have the right to be cold, hungry, homeless, sick and dead.

    And to have their inboxes stuffed with spam.

  • Re:Seriously? (Score:2, Interesting)

    by bruunb (709544) <bbj@swooplinux. o r g> on Monday February 02, 2009 @11:53AM (#26694919) Homepage Journal

    Well, either sign/encrypt the message with the receiver's key or just make the SMTP protocol fetch the mail from the MX server that it says it comes from; this will make sure that approx. 90% of all spam will never reach your inbox since they need to have a valid MX record for the mail to originate from.

    Today the SMTP protocol goes like this:

    userA@sub1.example.com sends a mail from a spoofing SMTP server at some arbitrary IP address to someuser@sub2.example.com; the sub2 SMTP server receives everything from the SMTP server at that IP address, "thinking" it is from the SMTP server at sub1, and puts it in the inbox of someuser@sub2.example.com.

    If it was "reverse"-SMTP then it would be like this:

    The spoofing SMTP server at some IP sends a mail for userA@sub1.example.com to someuser@sub2.example.com.
    The SMTP server at sub2 gets the initial handshake from the spoofing SMTP server's IP and then, according to the sender's email address, e.g. the "From:" tag, contacts the MX SMTP server for that email address to fetch the actual mail.
    Since the SMTP server for sub1 does not have the mail that is being sent by the spoofing SMTP server, the SMTP transaction is dropped and the mail never reaches the inbox of someuser@sub2.example.com.

    Simple solution to a major problem. No valid MX record for the spoofed email prevents the spammer from sending a spoofed email.

    It will make it easier to track down spammers since they need an actual domain with an MX record, but it does not, however, solve the problem with fake domain registrations for MX records or hacked DNS records (I'm thinking of demographic information: name, address, contact information etc.). But as I understand it, work is in progress to make this better... or perhaps not, might just be a dream I had :-)
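
To make the proposed "reverse" flow concrete, the following is an added in-memory simulation of it, written for this page; it is not code from the thread and not a real protocol. Nothing here speaks SMTP or DNS: the `MX_RECORDS` table stands in for DNS MX lookups, the server objects stand in for hosts on the network, and the host names, message ids and the spoofing host's IP (198.51.100.23) are all constructed for the example.

```python
"""Added in-memory simulation of the 'reverse SMTP' idea described above.
Nothing here speaks real SMTP or DNS: MX_RECORDS stands in for DNS, and the
server objects stand in for hosts on the network (all names and the spoofing
host's IP are constructed for the example)."""

import hashlib

# Stand-in for DNS MX lookups: sender domain -> host name of its mail server.
MX_RECORDS = {
    "sub1.example.com": "mx.sub1.example.com",
    "sub2.example.com": "mx.sub2.example.com",
}


def message_id(sender, recipient, body):
    """Identifier the receiver uses to ask the claimed origin for the message."""
    return hashlib.sha256(f"{sender}\n{recipient}\n{body}".encode()).hexdigest()[:16]


class OutboundServer:
    """Legitimate MX for a domain; keeps an outbox of what it really sent."""

    def __init__(self, name):
        self.name = name
        self.outbox = {}  # message id -> body

    def send(self, sender, recipient, body, receiver):
        msg_id = message_id(sender, recipient, body)
        self.outbox[msg_id] = body
        return receiver.offer(sender, recipient, msg_id, origin_host=self.name)

    def fetch(self, msg_id):
        """Answer the receiver's callback: the body if we sent it, else None."""
        return self.outbox.get(msg_id)


class SpoofingServer:
    """Zombie host at an arbitrary IP pushing mail with a forged sender."""

    def __init__(self, ip):
        self.name = ip

    def send(self, sender, recipient, body, receiver):
        # Same handshake as a real server, but nothing is stored anywhere
        # the claimed domain's MX can hand back.
        msg_id = message_id(sender, recipient, body)
        return receiver.offer(sender, recipient, msg_id, origin_host=self.name)


class ReceivingServer:
    """MX for the recipient domain doing the 'reverse' check."""

    def __init__(self, name, network):
        self.name = name
        self.network = network  # host name -> server object (stand-in for the net)
        self.inbox = []
        self.log = []

    def offer(self, sender, recipient, msg_id, origin_host):
        # Ignore who pushed the handshake; look up the MX of the domain in the
        # sender address and pull the message from there instead.
        domain = sender.rpartition("@")[2]
        mx = MX_RECORDS.get(domain)
        if mx is None:
            self.log.append(f"reject {msg_id}: no MX record for {domain}")
            return False
        mx_host = self.network.get(mx)
        body = mx_host.fetch(msg_id) if mx_host else None
        if body is None:
            self.log.append(f"reject {msg_id}: {mx} does not hold it "
                            f"(pushed by {origin_host})")
            return False
        self.inbox.append((sender, recipient, body))
        self.log.append(f"accept {msg_id}: fetched from {mx}")
        return True


def run_scenario():
    """Legitimate mail, a spoof of the same sender, and a sender with no MX."""
    sub1 = OutboundServer("mx.sub1.example.com")
    sub2 = ReceivingServer("mx.sub2.example.com", network={sub1.name: sub1})
    spoof = SpoofingServer("198.51.100.23")  # constructed documentation-range IP

    legit = sub1.send("userA@sub1.example.com", "someuser@sub2.example.com",
                      "meeting at 10", sub2)
    spoofed = spoof.send("userA@sub1.example.com", "someuser@sub2.example.com",
                         "cheap pills", sub2)
    no_mx = spoof.send("userA@no-mx.example.net", "someuser@sub2.example.com",
                       "cheap pills", sub2)
    return legit, spoofed, no_mx, sub2


if __name__ == "__main__":
    *_, receiver = run_scenario()
    print("\n".join(receiver.log))
```

Run as a script it prints the receiver's log: one accept for the real message pulled from mx.sub1.example.com, one reject because the claimed MX has no record of the spoofed message, and one reject because the claimed domain has no MX at all. The simulation also shows the gap the comment itself concedes: a sender who controls a domain and its MX (registered or hijacked) passes the check, so it raises the cost of spoofing rather than stopping spam outright.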

  • Forbidden in Austria (Score:4, Interesting)

    by I)_MaLaClYpSe_(I (447961) on Monday February 02, 2009 @11:57AM (#26694989)

    I once wanted to do such a thing for my employer: sending out fake "Enter your login credentials here to win xxx" emails to our staff and inviting those who responded by submitting their true credentials to security awareness training. However, it turned out that this would have been a violation of privacy rights here in Austria, Europe.

    The employer could have been able to discriminate against people for falling for the scam and thus it is illegal for my company to do such a thing.

  • by I)_MaLaClYpSe_(I (447961) on Monday February 02, 2009 @12:35PM (#26695485)

    Yup, idiots are kind of protected here. We have comparably strong laws protecting the privacy of the workplace, especially when it could be used against a worker. Like, video surveillance is not allowed to be used for evaluating things like when a worker takes a break or similar. Therefore, if the employer wants to access their own video surveillance tapes, he has to specify the exact reason, exact camera and a narrow timeframe, and the "Betriebsrat" (workers' council) has to be involved in order to protect the privacy of individual workers shown and in order to oversee the employer's actions.

  • by Lumpy (12016) on Monday February 02, 2009 @01:19PM (#26696139) Homepage

    Actually that DOES work. We had a problem with users surfing to inappropriate sites.

    I wrote a few Linux scripts that displayed on the big 42" plasma in the office the images that were being surfed and the user-name attached to it, which I sniffed out of the IP traffic. Correlating the user-name to the IP of the machine requesting the image was actually easy.

    It was only up for 1 week. Office websurfing went down 95%.

  • by Gnavpot (708731) on Monday February 02, 2009 @01:50PM (#26696669)

    85% opened and ran the attachment. We used this as a part of our IT education to our users.

    after the classes that month we repeated it 45 days later. we had a 90% opening rate this time.

    you really can not teach the users.

    Yes you can. You taught one third of the remaining 15% that these messages are harmless service bulletins from the IT department - not the dangerous mails they originally thought.

  • by goombah99 (560566) on Monday February 02, 2009 @04:58PM (#26699447)

    Presumably these Zombie bots try to hit a series of predefined URLS to announce their availability.

    Relatively simple bots access a few URLs or an IRC channel, but many are more sophisticated than that these days, unfortunately. One strategy is to have a complex URL generator that deterministically spews out a couple of hundred http://fri4eie943kejkz.com/ garbage addresses per day; the botnet herder need only register one of them to deliver updates etc. Of course the algorithm can be reversed by sufficiently good analysts, so the next level up is for the botnet to form its own p2p network. Some of these are advanced, fully distributed systems employing encryption, automatic command and control failover (no central point of failure), "fast flux" DNS to present a constantly moving target etc. They are basically impossible to shut down, even if the legal will to do so across borders existed.

    Exactly. So if you have a bot in captivity you see what addresses of the day it is going to.

    Any computer that visits one of these gets flagged as infected.

    No uninfected computer would visit any of them let alone all of them.

    You could even push this up a level and simply look for large numbers of DNS requests by different computers for the same invalid addresses. One could imagine that a mispublished URL could get a lot of legitimate computers making a bogus DNS request, but if unrelated computers make the same 100 requests it seems pretty clear you could flag this.
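
The two detection ideas goombah99 raises in this thread (earlier: seize known rendezvous addresses so infected machines self-identify; here: flag hosts that query the "addresses of the day" from a captured bot, or unrelated hosts that all make the same bogus DNS requests) can be run over a resolver log. The following is an added example written for this page, not code from the thread: the log lines, the resolver-log format (`time client qname rcode`) and the "domains of the day" list are constructed; `fri4eie943kejkz.com` is the made-up name from the comment above, the rest are invented to look like it.

```python
"""Two detectors for the comment's ideas (added example, not from the thread).
Input: constructed DNS resolver log lines of the form
'<time> <client_ip> <qname> <rcode>'. Both the log and the list of
'domains of the day' are made up for the example."""

from collections import defaultdict

# Names a sandboxed bot was observed generating for today (constructed).
DOMAINS_OF_THE_DAY = {
    "fri4eie943kejkz.com",
    "q8rz1kl0smpx.net",
    "zv3p9aao1tkq.org",
    "c0t7dwe6lr2x.info",
}

# Constructed resolver log: three infected hosts (.5, .17, .42) and three
# hosts (.9, .23, .31) that merely mistyped www as wwww.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 www.example.com NOERROR
10:00:02 10.0.0.5 fri4eie943kejkz.com NXDOMAIN
10:00:02 10.0.0.5 q8rz1kl0smpx.net NXDOMAIN
10:00:03 10.0.0.5 zv3p9aao1tkq.org NXDOMAIN
10:00:04 10.0.0.9 mail.example.com NOERROR
10:00:05 10.0.0.9 wwww.example.com NXDOMAIN
10:00:06 10.0.0.17 fri4eie943kejkz.com NXDOMAIN
10:00:06 10.0.0.17 q8rz1kl0smpx.net NXDOMAIN
10:00:07 10.0.0.17 c0t7dwe6lr2x.info NXDOMAIN
10:00:08 10.0.0.23 wwww.example.com NXDOMAIN
10:00:09 10.0.0.23 news.example.com NOERROR
10:00:10 10.0.0.31 wwww.example.com NXDOMAIN
10:00:11 10.0.0.42 fri4eie943kejkz.com NXDOMAIN
10:00:12 10.0.0.42 q8rz1kl0smpx.net NXDOMAIN
"""


def parse_log(text):
    """Return (time, client, qname, rcode) tuples; qnames normalised."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, client, qname, rcode = parts
        records.append((ts, client, qname.lower().rstrip("."), rcode))
    return records


def flag_by_known_domains(records, min_hits=2):
    """Detector 1: hosts resolving at least min_hits of today's generated
    names. One hit could be a typo or a curious analyst; several of the same
    day's names is not something an uninfected machine does."""
    hits = defaultdict(set)
    for _, client, qname, _ in records:
        if qname in DOMAINS_OF_THE_DAY:
            hits[client].add(qname)
    return {c: sorted(names) for c, names in hits.items() if len(names) >= min_hits}


def flag_shared_nxdomains(records, min_clients=3, min_shared=2):
    """Detector 2, no bot sample needed: find NXDOMAIN names queried by at
    least min_clients distinct hosts, then flag hosts that share min_shared or
    more of them. A single widely mistyped name (wwww.example.com) is popular
    but is only ONE name, so the typo hosts never reach min_shared."""
    clients_per_name = defaultdict(set)
    for _, client, qname, rcode in records:
        if rcode == "NXDOMAIN":
            clients_per_name[qname].add(client)
    popular = {n for n, cs in clients_per_name.items() if len(cs) >= min_clients}

    names_per_client = defaultdict(set)
    for _, client, qname, rcode in records:
        if rcode == "NXDOMAIN" and qname in popular:
            names_per_client[client].add(qname)
    return {c: sorted(n) for c, n in names_per_client.items() if len(n) >= min_shared}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("known domains of the day:", flag_by_known_domains(recs))
    print("shared bogus lookups:   ", flag_shared_nxdomains(recs))
```

On the sample log the first detector flags 10.0.0.5, 10.0.0.17 and 10.0.0.42, and the second reaches the same three hosts with no prior knowledge of the generator, while the three hosts that only mistyped www are left alone. The thresholds are the tuning knobs: raising `min_hits` to 3 drops the host with only two hits, and raising `min_clients` above the number of infected hosts makes the second detector go silent, which is the trade-off the comment describes between catching small infections and tolerating mispublished URLs.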
