Re: Is predictable spam filtering a vulnerability?



Very interesting proposition, but I can't think of any real advantage here. In 
the hypothetical scenario, could the attacker not simply send an email 
purportedly from the boss to begin with saying, ``please forward the secret 
plans to attacker@xxxxxxxxxxxxxxxxxx''? For that matter, isn't it likely that a 
recipient in such a poorly run system with such little regard for reading 
headers (and I don't delude myself that this is uncommon) would not notice if 
an attacker were to send an e-mail with a from address boss@xxxxxxxxxxx but a 
reply-to of hax0r@xxxxxxxxxxxxxxxxxxxxxxxxxxx? In other words, the specific 
``exploit'' here is not the spam filter so much as the ignorance of the victim. 

Anywho, it seems most decent spam filters have whitelisting; 
bigcheese@xxxxxxxxxxx is unlikely to filter out servileMBA@xxxxxxxxxxx, even if 
the e-mail does contain the key words. The spam filter is usually not applied 
to legitimate known-good e-mail addresses. 

Interesting discussion nonetheless. 

Dan

On Wed, Jun 16, 2004 at 01:26:28PM +0200, R Armiento wrote:
> 
> During a recent email conversation with several participants, we discovered 
> that the email service of one participant silently dropped legitimate emails 
> that happened to contain certain combinations of words common in spam. I 
> believe this sort of filter is common practice, and in fact even in place for 
> some of my own email addresses.
> 
> However, this experience made me think: isn't predictable spam filtering in 
> general a vulnerability that could be used as a hoax device? Since most users 
> reply to an email citing the complete source email, including 
> filter-offending words, it should be possible to keep a reply, forward, or 
> even a whole thread, under the radar of specific recipients. If used in 
> combination with forged replies from addresses predictably dropping emails, I 
> think this may be a dangerous tool for social engineering. 
> 
> For example: attacker 'A' sends 'B' a social engineering request for "the 
> secret plans" and says "if you are unsure, forward my request to your boss 
> and ask if this is okay". 'B' forwards the email to his boss 'C' and asks "Is 
> this okay?". However, 'C's spam filter silently drops the email. 'A' forges 
> a reply from 'C' saying: "Sure, no problem, go ahead."
> 
> Regards,
> R. Armiento
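
A defensive check for the two signals discussed in this thread, as an added example that is not part of either message: a reply whose claimed sender never received the mail it answers because that sender's filter silently dropped it, and a Reply-To domain that differs from the From domain. The drop log keyed by Message-ID, the addresses, and the finding names are assumptions made for illustration, and both checks are heuristics rather than proof of forgery.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed filter log (assumption): Message-ID of each silently dropped
# mail, mapped to the recipient whose filter dropped it.
DROPPED = {"<fwd-001@corp.example>": "c@corp.example"}

# Constructed sample: a "go ahead" reply claiming to come from C, answering
# the forward that C's filter dropped, with replies steered elsewhere.
FORGED = (
    "From: C <c@corp.example>\n"
    "To: b@corp.example\n"
    "Reply-To: a@elsewhere.example\n"
    "In-Reply-To: <fwd-001@corp.example>\n"
    "Subject: Re: Is this okay?\n"
    "\n"
    "Sure, no problem, go ahead.\n"
)
# Constructed sample: an ordinary reply to a mail that was delivered.
GENUINE = (
    "From: C <c@corp.example>\n"
    "To: b@corp.example\n"
    "In-Reply-To: <fwd-002@corp.example>\n"
    "Subject: Re: Lunch?\n"
    "\n"
    "Fine by me.\n"
)

def _addr(value):
    """Bare lower-cased address from a header value ('' if absent)."""
    return parseaddr(value or "")[1].lower()

def _domain(addr):
    return addr.rpartition("@")[2]

def check_reply(raw, dropped=DROPPED):
    """Return the list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    sender = _addr(msg["From"])          # claimed sender; From is forgeable
    reply_to = _addr(msg["Reply-To"])
    if reply_to and _domain(reply_to) != _domain(sender):
        findings.append("reply-to-domain-mismatch")
    refs = (msg.get("In-Reply-To", "") + " " + msg.get("References", "")).split()
    # The claimed sender cannot be answering a mail their own filter dropped.
    if any(dropped.get(mid) == sender for mid in refs):
        findings.append("answers-dropped-message")
    return findings
```

The second check only works where the filter records what it drops, which is the opposite of the silent dropping described in the original message.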