Unsolicited electronic messages, known as SPAM, are nowadays one of the main threats on the Internet. However and despite the impact typically associated
with unwanted electronic messages improper and unauthorized use of resources, there are several other situations that escalate SPAM impact. This happens,
mainly due to the fact that SPAM is a recurring mean for other types of attack such as Phishing and Malware dissemination.
There are mechanisms that filter these messages, decreasing the user awareness of the frequency and type of this kind of communication. This is a reality that the end user doesn't approach too often because there are control and protection mechanisms designed to detect this kind of messages. However these mechanisms are liable to fail and therefore Dognædis believes that end-user awareness and good judgment are the main tools "to fight this war". Experience shows that being critic and aware is tremendously helpful to protect the user from typical SPAM attacks since he is the last and probably more effective barrier. Baring this in mind Dognædis decided to conduct a SPAM attack experiment as a tool for raising awareness. This test consisted of sending 60.000 electronic messages similar to SPAM messages. The target audience was both he public and private sector and domestic users. As for the domestic users 2 profiles were set: regular and users with knowledge on data security.
The following report specifies the type of strategies used and its results. It should be underlined that the whole study (concept proof) was conducted under the art.22º do Decreto-lei n.º 7/2004 (Portuguese SPAM Law).
In order to perform the test it was used an email server to send the messages, a web server to host the HTML pages and images, a domain for the whole
setup and finally 3 types of messages with different levels of credibility were assembled.
The goal for the three scenarios was to measure the different level of liability from the recipients in each context.
A curious characteristic of this setup it's definitely its cost. The entire setup cost around 50€, this value should be kept in mind during the appreciation of the final results. Furthermore, this cost only existed to place study in total compliance with the current law in force.
The techniques for gathering the email addresses, the messages that were sent as well as the means to identify those communications are detailed below for statistic purposes.
To collect the email addresses there were created "crawlers" to search a wide range of Portuguese internet pages to be afterwards used as targets. The analyses of the gathered email addresses shows that:
3 different types of messages were created as it follows:
Subject: Innovative poll system shows smashing defeat for the central parties
Taking advantage of the near Mayor Office elections, Dognaedi's researchers created an email claiming to have a new survey techniques that shows a massive defeat of the more conservative parties in the upcoming election.
This message was based on a HTML body where the only component was an external image located on the test server. If the image wasn't loaded a link to the website was displayed. Whether the user clicked on the image or link he was redirected to website.
Figure 2 represents the picture on the email.
Subject: Snowden case traced back to Portugal
This email, recreated a breaking new from a fake Online news agency, claiming that Edward Snowded had documents that contained information about Portugal.
Subject: Portuguese and Angolan Universities create an active ingredient as a direct competitor of the blue pill
Unlike the previous messages, this email didn't contain any external content. This message was based on plain text that described the news of 2 universities having created a new medicine competing with the famous "blue pill" (Viagra reference). It was also displayed a link were the reader could find more information.
On figure 4 its visible the sent email message.
Each message contained an unique identifier that allowed to identify not only the message but also the recipients' group in order to determine if the liability is higher on certain population groups.
The main risk behaviours focused on this study are:
The following charts were prepared based in the analysis of the results. Those results were divided by each of the scenarios created with different email messages.
The chart in figure 5 represents the relevant data of this scenario.
In the first bar it is possible to observe that the sent rent is about 66% (although there is no known methodology to confirm if an email has been received by its recipient). This means that it was just possible to deliver email to two thirds of the sample targets. This result is due to two main factors: some of the emails were deleted hence it was not possible to deliver email to them and some of the target domains limit rated the number of messages from our sender domain.
From this initial number we know that around 6% of the targets loaded the image into their email client, 7% from the total sample went to the website (we guess that they tried to obtain more information). From the entire sample just 1% removed their address from the alleged distribution list. Despite this result it is important to stress that 5% of sample visited the email removal page, which means that just 12% of those visitors has effectively unsubscribed from the list.
The access distribution by sector is shown in the image. Although it may seem as a fair distribution it is important to remember that the sample distribution was not equal, which means that there is no proportionality between the results. So it is possible to conclude that the 25% observed in the public sector is a bigger reason for concern than the same percentage in the domestic sector (with no security awareness), since this last profile had a bigger representation on the study sample.
In the following image it is possible to examine all the relevant data from this scenario.
It is possible to observe that the "success" of remote image loading was high, but the same did not happened with site visits. This may be explained by the fact that the news agency that issued this email did not exist, which may affected the reliability of the message and discouraged people to follow the link.
This was the message investigators were more confident that would be ignored by the targets, for two main reasons:
The figure 9 shows the total count of the really sent emails and the number of access generated in each one of the scenarios., either
it was a external image load or a website access (both for obtaining more information or removing the email).
The graphic clearly shows the different results obtained in each one of the scenarios created by the different email messages.
Relying on the results from this study, it is safe to say that the Portuguese population is still prone to SPAM attacks, since the global access rate
in this study is in range of satisfactory results for email marketing campaigns (advertising electronic messages), whose success rates are within 5
to 10 %.
It is also important not to neglect the results obtained in the 3rd Message scenario, which shows that there is awareness to these problem, specially on more common techniques.
Taking into account the methodology (complying with the law) it is important to refer that the in vigour legislation does not address the problem in a suitable way, in fact it may help attackers to specifically target their attack. The main example is the op-out methodology enforced by the law. This mechanism may allow an hypothetical attacker to fine tune the attack just for valid, or even more important, in use email addresses. A list with these kind of validation is much more valuable in the black market than a simple email list.
One of the other conclusions it was possible to get from this simulation is the cost associated to this attack. The following, illegal, techniques would allow an attacker to increase his target base as well as keeping a low cost attack setup:
As a way of contributing to these problem Dognædis would like to stress out the following three ideas: