The Brandmail Solutions Blog

 
Open-relay, Brought to You by Google
May 19, 2008

The pressure is on at Google after the brilliantly-acronymed Information Security Research Team (InSeRT) discovered a flaw in Google’s previously highly-regarded spam and phishing filter. (Link)

The team’s report details how Gmail is susceptible to a man-in-the-middle attack that allows a spammer to send thousands of bulk e-mails through Gmail’s SMTP service without being detected. The flaw bypasses Google’s anti-fraud mechanisms and its 500-address limit on bulk email. The weakness is compounded by the fact that Yahoo and Hotmail trust Gmail as a source of email.

Details on the flaw are limited as InSeRT has withheld information as a courtesy to Google.

So far there has been no public acknowledgement from the internet giant, who are probably beavering away in their labs coming up with a patch. It’s not the first occasion in recent times that they have been exploited. Last month it was revealed that spammers were sending Google Calendar invites that, depending on your personal preferences, could end up integrating a spam message into your personal calendar.

“Honey? Do you remember me organising a meeting with the widow of a Nigerian warlord to discuss transferring $40m to our joint bank-account?”


CAN-SPAM, will spam

It’s the sort of story that the mainstream media latch on to, giving sub-editors an opportunity to wheel out tired Monty Python cross-references and pictures of spam tins from the 1970s.

The 2003 CAN-SPAM Act, the Controlling the Assault of Non-Solicited Pornography And Marketing Act (another pretty cool acronym), gave new powers to authorities in the US to arrest spammers. Last week MySpace won $234m in damages against Sanford Wallace and Walter Rines, who were found guilty of sending more than 700,000 spam messages to the website’s users. (Link)

However, the chance of MySpace’s parent company News Corp picking up a cheque is pretty slim. Chief security officer, Hemanshu Nigam, doesn’t think it’s an issue.

“Anybody who's been thinking about engaging in spam are going to say, 'Wow, I better not go there.' Spammers don't want to be prosecuted. They are there to make money. It's our job to send a message to stop them.”

The problem with the legislation is that unless you’re going to jail these people then the flood of spam is likely to continue unabated. They are criminals with brass necks and the start-up costs of spamming are so low that no fine is going to stop them doing it.

The CAN-SPAM Act might have prosecutions to its name but, irrespective of that, the stream of spam flows unabated.


Do this or else!

In amongst the spam messages urging you to buy medical supplies, become more attractive to women and update your details at a bank where you never had an account, are more threatening communications. The FBI is now warning Americans about fraudulent emails from the “IRS” and the “American Court System”. (Link)

These emails are, of course, attempts to steal recipients’ personal information and wreak all sorts of havoc. The twist in the tail is that those who actually take the time to read the mail will find a threatening undercurrent indicating that failure to respond will result in financial hardship and contempt of court charges respectively.

Paul Hinman of the Sheriff’s crime protection unit said:

“The IRS does not solicit citizens on this type of thing. They should not respond to any e-mail, telephone call or correspondence whatsoever on how to get their stimulus checks.”

In a perfect world I bet the IRS and the court system would love to be able to communicate over email. No one can deny the speed and efficiency of email communication but it’s not enough. However, add in security, branding and accountability and you’ve got the perfect mix. Or “Brandmail Solutions” as it’s known around these parts.

 

 

 
 
   
