Re: Is predictable spam filtering a vulnerability?

Very interesting proposition, but I can't think of any real advantage here. In
the hypothetical scenario, could the attacker not simply send an email
purportedly from the boss to begin with saying, ``please forward the secret
plans to attacker@xxxxxxxxxxxxxxxxxx''? For that matter, isn't it likely that a
recipient in such a poorly run system with such little regard for reading
headers (and I don't delude myself that this is uncommon) would not notice if
an attacker were to send an e-mail with a from address boss@xxxxxxxxxxx but a
reply-to of hax0r@xxxxxxxxxxxxxxxxxxxxxxxxxxx? In other words, the specific
``exploit'' here is not the spam filter so much as the ignorance of the victim.

Anywho, it seems most decent spam filters have whitelisting;
bigcheese@xxxxxxxxxxx is unlikely to filter out servileMBA@xxxxxxxxxxx, even if
the e-mail does contain the key words. The spam filter is usually not applied
to legitimate known-good e-mail addresses.

Interesting discussion nonetheless.

Dan

On Wed, Jun 16, 2004 at 01:26:28PM +0200, R Armiento wrote:
>
> During a recent email conversation with several participants, we discovered
> that the email service of one participant silently dropped legitimate emails
> that happened to contain certain combinations of words common in spam. I
> believe this sort of filter is common practice, and in fact even in place for
> some of my own email addresses.
>
> However, this experience made me think: isn't predictable spam filtering in
> general a vulnerability that could be used as a hoax device? Since most users
> reply to an email citing the complete source email, including
> filter-offending words, it should be possible to keep a reply, forward, or
> even a whole thread, under the radar of specific recipients. If used in
> combination with forged replies from addresses predictably dropping emails, I
> think this may be a dangerous tool for social engineering.
>
> For example: attacker 'A' sends 'B' a social engineering request for "the
> secret plans" and says "if you are unsure, forward my request to your boss
> and ask if this is okay". 'B' forwards the email to his boss 'C' and asks "Is
> this okay?". However, 'C's spam filter silently drops the email. 'A' forges
> a reply from 'C' saying: "Sure, no problem, go ahead."
>
> Regards,
> R. Armiento