Spammers are now able to send spam whose sender address is that of someone the recipient knows.
The main objective of a large percentage of viruses found on the Internet is to harvest the contents of address books, which pairs up the addresses of people who are acquainted with each other.
We are therefore seeing more and more “intelligent” spam that appears to come from an acquaintance, as in the example below. This strategy will become a de facto standard for spammers in the years to come.
A growing number of companies are protected by anti-spam solutions that include user-level white lists which the users manage themselves. This will become an Achilles heel: a forged sender address that matches a white list entry lets spam pass directly to the user, circumventing all analysis.
It is essential to use a spam filter that makes few errors, one that combines all available methods other than white lists to avoid false positives. The white list should be used only as a last resort, managed by a product specialist, and combined with other decision criteria where possible.
The following example shows a spam message with a forged sender address, firstname.lastname@example.org, which is in my address book. Mailcleaner blocked it on the basis of a combination of rules (the ones listed in the X-MailCleaner-SpamCheck header below).
It would have passed straight through the filter if email@example.com had been on the white list for the mailbox firstname.lastname@example.org.
Received: from smtp.mailcleaner.net ([188.8.131.52] helo=gate1.mailcleaner.net) by mail.belfry.mailcleaner.net with esmtps (TLS-1.0:DHE_RSA_AES_256_CBC_SHA:32) (Exim 4.50) id 1K4TPD-00052i-Gu for email@example.com; Fri, 06 Jun 2008 06:18:23 +0200
Received: by gate1.mailcleaner.net stage2 with id 1K4TP7-0003Pa-1U for <firstname.lastname@example.org> Fri, 06 Jun 2008 06:18:17 +0200
Received: from [184.108.40.206] (helo=220.127.116.11) by gate1.mailcleaner.net stage1 with smtp with id 1K4TP5-0003PB-Na for <email@example.com> from <firstname.lastname@example.org>; Fri, 06 Jun 2008 06:18:10 +0200
Received: from [18.104.22.168] (helo=22.214.171.124) by 126.96.36.199 with smtp with id 1K4hP2-00d55B-Vb for <email@example.com> from <firstname.lastname@example.org>; Fri, 06 Jun 2008 06:15:10 +0400
From: "Aubrey" <email@example.com>
User-Agent: Mozilla 4.72 [en] (Win95; I)
X-Accept-Language: en-us
MIME-Version: 1.0
To: <firstname.lastname@example.org>
Subject: looking for someone?
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 8bit
X-MailCleaner-Information: Please contact email@example.com for more information
X-MailCleaner: Found to be clean
X-MailCleaner-SpamCheck: not spam, SpamAssassin (score=6.142, required 5, BAYES_99 6.00, SARE_TOWRITE 0.14)
X-MailCleaner-SpamScore: oooooo
X-RCPT-TO: <firstname.lastname@example.org>
Status: U
X-UIDL: 449949495

Hire, i am here sitting! in the internet caffe. Found your email and decided to write. I might be coming to your place in 14 days, so I !decided to email you. May be we can! meet? I am 25 y.o. girl. I have a picture if you want. No need to reply herae as this is not my email. Write me at email@example.com
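To make the white list problem concrete, here is an added example (not Mailcleaner code, and not the original message) that contrasts a filter which consults the user's white list before any analysis with one that treats the white list as just one criterion next to the SpamAssassin score. The message, the addresses, the relay names and the USER_WHITELIST table are all constructed placeholders modelled on the headers quoted above.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed sample in the style of the quoted message; addresses, relay and
# ids are placeholders, only the score header mirrors the article's example.
SAMPLE = """\
Received: from [192.0.2.10] (helo=192.0.2.10) by gate1.example.net stage1 with smtp id 1K4TP5-0003PB-Na for <user@example.com> from <colleague@example.org>; Fri, 06 Jun 2008 06:18:10 +0200
From: "Aubrey" <colleague@example.org>
To: <user@example.com>
Subject: looking for someone?
X-MailCleaner-SpamCheck: not spam, SpamAssassin (score=6.142, required 5, BAYES_99 6.00, SARE_TOWRITE 0.14)

Found your email and decided to write.
"""

# Assumed user-level white list: recipient mailbox -> trusted sender addresses.
USER_WHITELIST = {"user@example.com": {"colleague@example.org"}}

SCORE_RE = re.compile(r"score=([0-9.]+),\s*required\s*([0-9.]+)")


def spam_score(msg: Message) -> tuple[float, float]:
    """Return (score, required) parsed from the X-MailCleaner-SpamCheck header."""
    m = SCORE_RE.search(msg.get("X-MailCleaner-SpamCheck", ""))
    if not m:
        raise ValueError("no SpamAssassin score in message")
    return float(m.group(1)), float(m.group(2))


def _parties(msg: Message) -> tuple[str, str]:
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    return sender, recipient


def naive_verdict(raw: str) -> str:
    """White list checked first: a forged From: that matches an entry skips analysis."""
    msg = message_from_string(raw)
    sender, recipient = _parties(msg)
    if sender in USER_WHITELIST.get(recipient, set()):
        return "deliver"  # accepted without ever looking at the score
    score, required = spam_score(msg)
    return "quarantine" if score >= required else "deliver"


def combined_verdict(raw: str, margin: float = 1.0) -> str:
    """White list as one criterion among others: it only widens the threshold
    by `margin`, so a message scored well above it is still quarantined."""
    msg = message_from_string(raw)
    sender, recipient = _parties(msg)
    score, required = spam_score(msg)
    if sender in USER_WHITELIST.get(recipient, set()):
        required += margin
    return "quarantine" if score >= required else "deliver"
```

With the sample above the naive filter delivers the forged message, while the combined policy still quarantines it because 6.142 exceeds even the widened threshold of 6.0.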