[Ecommerce] Spam throws on a disguise

[James Love]

http://news.com.com/2100-1023-881979.html
Spam throws on a disguise


By Stefanie Olsen
Staff Writer, CNET News.com
April 12, 2002, 12:50 PM PT


Spam's newest pitches are coming to you courtesy of friends and
co-workers--or so it might seem.
In one of the latest marketing gimmicks circulating the Net, the sender
comes disguised as a corporate network administrator with the subject
line: "Your mailbox is over its size limit." Once opened, however, the
e-mail's message lewdly invites the recipient to view adult material.

Such spam tricks are designed to make spam harder to ignore--an
increasingly difficult task with skeptical consumers battling e-mail
overload. As a result, commercial messages with familiar-looking origins
and subject lines are becoming the norm.

"This is extremely common now," said Steve Linford, who maintains a
London-based blacklist of mass e-mailers called the Spamhaus Block List.
Spammers are attempting to seem familiar "because so many people are
getting suspicious about the e-mail they get because they're getting
flooded with spam."

Junk-mail senders are turning to new come-ons as consumers increasingly
skip over messages with anonymous subject lines such as "Hi, remember
me" or "Here's the information you requested." But even people on high
spam alert find it difficult to slough off messages that appear to come
from the sales or support staff at the recipient's own company.

So how do spammers create such a realistic facade? They typically use
software designed to carry out forgeries, filling false information such
as name and e-mail address into the sender's mail client with each new
attack. The software can be rigged to use the same e-mail address to
send and receive a piece of junk--making it more common to view junk
that appears to originate from you. It can also be used to hijack
corporate domains such as cnet.com, a tactic aimed at convincing
recipients that an e-mail comes from a trusted source.

The method addresses two problems for the spammer. First, the spoofed
address allows the e-mail to get by corporate filters that seek to
identify and block spam. Second, the message will more likely get opened
by an employee who thinks it's from a co-worker.

Still, people can fight back. Linford said that in some states, such as
California or Washington, deceptive spam is illegal, giving residents
the right to take junk mailers to court. Most anti-spam laws prohibit
mail with misleading subject lines and headers. In California, the
penalty for deceptive spam is $500 per mailing.

 The most difficult part of making such a case may be simply identifying
the sender. Linford said that about 100 spammers produce nearly 90
percent of the junk mail sent today, but disguised addresses and other
tactics make it difficult to link one of those spammers to a particular
piece of mail.

Dan Birchall, executive director of advocacy group the SpamCon
Foundation, suggests that recipients contact their Internet service
provider to see if it is using proper filters to help stop the
forgeries.

"You have to be a little bit skeptical," Birchall said.