thewatertower.org.uk

Use 'bcc' when you mail a bunch of people

A colleague at work who specialises in risk and security mailed me a number of months ago about a gaping opportunity he could see that was yet to be exploited by spammers, phishers, and other online confidence tricksters.

Let's look at an example. In recent weeks (July 2007) I've noticed an increase (from zero) in spam emails claiming to be online postcards / e-cards.

From: "FunnyPostcard.Com" <madeupemail@example.com>
To: myemailaddress
Subject: You've received an ecard from a School friend!

Hi. School friend has sent you an ecard.
See your card as often as you wish during the next 15 days.

SEEING YOUR CARD

If your email software creates links to Web pages, click on your
card's direct www address below while you are connected to the Internet:

http:// ... (an IP address, usually a broadband subscriber, plus a random letter string)

Or copy and paste it into your browser's "Location" box (where Internet
addresses go).

We hope you enjoy your awesome card.

Wishing you the best,
Mail Delivery System,
FunnyPostcard.Com

I've seen a number of variations ('from a Family member!', 'dgreetings.com', and so on).

The first one I received said 'Your family member has sent you an ecard ..', which immediately rang alarm bells for me.

Amongst other issues (obviously over-analysed with hindsight), I can see that no greetings card company would ever anonymise the sender like that: what would be the point, and why would they have asked the sender for their relationship with me?

It's these sorts of inconsistencies that should stop a reasonable number of recipients from taking an email like that seriously.

But what if it said 'Dave Smith has sent you an ecard .. click on this link'? What if I knew Dave Smith, and the email appeared to have been sent by him, or included his email address?

That'd be pretty convincing, and I might click on the link.
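As an added illustration (not code from the original post), here is a Python checker that looks for the three tells described above in a raw message: a generic relationship word ('School friend', 'Family member') standing in for a real sender name, a card link whose host is a bare IP address, and a display name that poses as a company or domain but does not match the domain of the sender's address. Both sample messages are constructed for this example and modelled on the spam quoted above; the addresses and the IP address are placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Two constructed messages (placeholder addresses and IP): the first is modelled on
# the e-card spam quoted above, the second on an ordinary message from someone you know.
SAMPLE_ECARD_SPAM = """\
From: "FunnyPostcard.Com" <madeupemail@example.com>
To: <recipient@example.org>
Subject: You've received an ecard from a School friend!

Hi. School friend has sent you an ecard.
See your card as often as you wish during the next 15 days.

http://198.51.100.23/kqzvtrhm

We hope you enjoy your awesome card.
"""

SAMPLE_NORMAL = """\
From: "Dave Smith" <dave.smith@example.com>
To: <recipient@example.org>
Subject: Photos from Saturday

Hi, the photos are at https://photos.example.com/albums/saturday
Dave
"""

# Generic relationship words used in place of a real sender name.
ANONYMISED_SENDER = re.compile(
    r"\b(school friend|family member|friend|colleague|neighbou?r|classmate|relative)\b",
    re.IGNORECASE)
# An http(s) URL whose host is a bare dotted-quad IP rather than a domain name.
IP_URL = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(?:/\S*)?")
ECARD_WORDS = re.compile(r"\b(e-?card|postcard|greeting card)\b", re.IGNORECASE)


def plain_body(msg):
    """Return the first text/plain part decoded to str (empty string if none)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() == "text/plain":
            return part.get_payload(decode=True).decode("utf-8", errors="replace")
    return ""


def ecard_phish_indicators(raw):
    """Return the list of tells found in a raw RFC 822 message; empty means none fired."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    body = plain_body(msg)
    text = subject + "\n" + body
    found = []

    # 1. The "card" comes from a relationship rather than a named person.
    if ECARD_WORDS.search(text) and ANONYMISED_SENDER.search(text):
        found.append("sender anonymised to a relationship instead of a name")

    # 2. The card link points at a bare IP address (typical of a compromised home machine).
    m = IP_URL.search(body)
    if m:
        found.append("link host is a bare IP address: " + m.group(1))

    # 3. The display name poses as a company/domain that is not the address's domain.
    display_name, addr = parseaddr(msg.get("From", ""))
    addr_domain = addr.rpartition("@")[2].lower()
    if "." in display_name and display_name.lower() != addr_domain:
        found.append("display name %r does not match sender domain %r"
                     % (display_name, addr_domain))
    return found


if __name__ == "__main__":
    for label, sample in (("spam", SAMPLE_ECARD_SPAM), ("normal", SAMPLE_NORMAL)):
        print(label, "->", ecard_phish_indicators(sample) or "no indicators")
```

None of these tells is proof on its own (plenty of legitimate mail mentions a "colleague"), which is why the function returns the list rather than a verdict: a mail filter would weight them, and a person reading the output sees exactly which inconsistencies fired.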


How spammers might learn about your friends and associates

How would they know that I knew Dave Smith, and his email address? Well, if they got hold of an email that was sent to both of us, along with a bunch of other people, they could guess that we know each other. If Dave Smith sent the email and I was one of the recipients, that works even better.

Or if we both signed one of those 'send to everyone you know' good-cause email petitions.

There have already been email viruses that were capable of making use of what they found in your email client. For a while, viruses such as 'Klez' were quite prolific, albeit using Microsoft Outlook only.

SUMMARY
The w32.klez.e@mm virus, also known as the "Klez" virus, is a mass mailing e-mail worm that copies itself to network shares and distributes itself to all of the Address Book entries on the affected computer's Outlook Address Book.

I don't think it's impossible, therefore, to exploit current or future bugs in the likes of Outlook to harvest emails.


Conclusions / recommendations

  • If you're going to forward a mail to a load of people you know, blind copy them.

  • When forwarding mail, limit the exposure of any lists of addresses further down the thread by deleting them.

  • Don't sign email petitions.
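The following Python example is added here and is not part of the original post. It puts a number on the point made earlier (a message with everyone in To or Cc hands out every pair of "these two know each other" links to whoever reads it) and implements the first two recommendations together: the forward goes out with only the sender's own address visible, the real recipients in Bcc, and any addresses quoted from earlier hops of the thread removed from the body. The sender, recipients and quoted thread are constructed for the example. It also carries the caveat a practitioner needs: Bcc must feed the SMTP envelope but never the transmitted headers. Python's smtplib.SMTP.send_message does that stripping itself, but EmailMessage.as_bytes() does not, so anyone serialising a message and handing it to some other transport has to strip Bcc by hand or the whole list goes out in the delivered headers.

```python
import copy
import re
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data for the example (placeholder people and addresses).
SENDER = "me@example.com"
RECIPIENTS = ["alice@example.org", "bob@example.org",
              "carol@example.net", "dave.smith@example.com"]
QUOTED_THREAD = """\
Please pass this on to everyone you know!

-----Original Message-----
From: carol@example.net
To: bob@example.org; dave.smith@example.com
Subject: Sign the petition
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def addresses_in(msg, *headers):
    """Plain lowercase addresses taken from the named headers (To, Cc, Bcc, ...)."""
    values = []
    for h in headers:
        values.extend(str(v) for v in msg.get_all(h, []))
    return [addr.lower() for _, addr in getaddresses(values) if addr]


def visible_pairs(msg):
    """How many 'these two people know each other' links a reader of the delivered
    headers gets for free: every pair of distinct To/Cc recipients, n*(n-1)/2."""
    n = len(set(addresses_in(msg, "To", "Cc")))
    return n * (n - 1) // 2


def redact_addresses(text):
    """Blank out addresses copied into the body from earlier hops of the thread."""
    return EMAIL_RE.sub("[address removed]", text)


def naive_forward(sender, recipients, subject, body):
    """The 'before' case: everyone in To, old addresses left in the quoted body."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def bcc_forward(sender, recipients, subject, body):
    """The recommended form: only the sender's own address is visible, the real
    recipients go in Bcc, and quoted addresses are removed from the body."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(redact_addresses(body))
    return msg


def envelope_and_wire(msg):
    """Split a message into (SMTP envelope recipients, bytes to transmit).
    Bcc feeds the envelope but is removed from what is sent; this mirrors what
    smtplib.SMTP.send_message does internally and as_bytes() alone does not."""
    rcpts = addresses_in(msg, "To", "Cc", "Bcc")
    wire = copy.copy(msg)   # shallow copy suffices: deleting a header rebuilds the list
    del wire["Bcc"]
    return rcpts, wire.as_bytes()


if __name__ == "__main__":
    before = naive_forward(SENDER, RECIPIENTS, "FW: petition", QUOTED_THREAD)
    after = bcc_forward(SENDER, RECIPIENTS, "FW: petition", QUOTED_THREAD)
    print("recipient links exposed, everyone in To:", visible_pairs(before))
    print("recipient links exposed, Bcc version:   ", visible_pairs(after))
    rcpts, wire = envelope_and_wire(after)
    print("envelope recipients:", rcpts)
    print(wire.decode())
```

With four recipients the naive forward exposes six links, and the quoted "Original Message" block adds three more addresses for free; the Bcc version exposes none, and the only address left anywhere in the transmitted bytes is the sender's own.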

Printed and hosted by Prater Raines Ltd, 98 Sandgate High Street, Folkestone CT20 3BY.
Published and promoted by Ben Prescott, 14, St James's Square, Bournemouth, BH5 2BX. All rights reserved.
The views expressed are solely those of the author, not of the service provider.