Cipher Labs

PT-SPAM

A study of Portuguese SPAM

November 5, 2013

Unsolicited electronic messages, known as SPAM, are nowadays one of the main threats on the Internet. Beyond the impact usually associated with unwanted electronic messages, the improper and unauthorized use of resources, there are several other situations that escalate the impact of SPAM. This happens mainly because SPAM is a recurring means for other types of attack, such as phishing and malware dissemination.

There are mechanisms that filter these messages, which reduces the user's awareness of how frequent this kind of communication is and what forms it takes. This is a reality the end user does not face very often, because control and protection mechanisms are in place to detect this kind of message. However, these mechanisms are liable to fail, and therefore Dognædis believes that end-user awareness and good judgment are the main tools "to fight this war". Experience shows that being critical and aware is tremendously helpful in protecting the user from typical SPAM attacks, since the user is the last and probably most effective barrier. Bearing this in mind, Dognædis decided to conduct a SPAM attack experiment as a tool for raising awareness. The test consisted of sending 60,000 electronic messages similar to SPAM messages. The target audience comprised the public sector, the private sector and domestic users. For the domestic users, 2 profiles were set: regular users and users with knowledge of data security.

The following report describes the strategies used and their results. It should be underlined that the whole study (a proof of concept) was conducted under art. 22.º of Decreto-lei n.º 7/2004 (the Portuguese SPAM law).

Test Setup

To perform the test, an email server was used to send the messages, a web server to host the HTML pages and images, and a domain for the whole setup; finally, 3 types of messages with different levels of credibility were assembled. The goal of the three scenarios was to measure the recipients' level of susceptibility in each context.

A curious characteristic of this setup is definitely its cost. The entire setup cost around 50€; this value should be kept in mind when assessing the final results. Furthermore, this cost was incurred only to place the study in full compliance with the law in force.

Methodology

The techniques used to gather the email addresses, the messages that were sent and the means used to identify those communications are detailed below for statistical purposes.

Gathering the email addresses

To collect the email addresses, "crawlers" were created to search a wide range of Portuguese web pages; the addresses found were afterwards used as targets. The analysis of the gathered email addresses shows that:

  • 18% belong to the public sector (Portuguese government organizations)

  • 41% belong to private sector domains

  • 32% belong to public email service providers (e.g. gmail, hotmail or sapo) typically used for domestic purposes

  • 9% belong to individuals identified as having knowledge of data security

Sent Messages

3 different types of messages were created, as follows:

Message 1

Subject: Innovative poll system shows smashing defeat for the central parties

Taking advantage of the upcoming mayoral elections, Dognædis's researchers created an email claiming that a new survey technique showed a massive defeat of the more conservative parties in the upcoming election.

This message was based on an HTML body whose only component was an external image hosted on the test server. If the image was not loaded, a link to the website was displayed instead. Whether the user clicked on the image or on the link, he was redirected to the website.

Figure 2 shows the picture included in the email.

Message 2

Subject: Snowden case traced back to Portugal

This email recreated a breaking news item from a fake online news agency, claiming that Edward Snowden had documents containing information about Portugal.

  • The body in plain text;

  • HTML with pieces of plain text surrounding the image.

Figure 3 shows the attached picture.

Message 3

Subject: Portuguese and Angolan Universities create an active ingredient as a direct competitor of the blue pill

Unlike the previous messages, this email did not contain any external content. It was based on plain text describing the news that 2 universities had created a new medicine competing with the famous "blue pill" (a reference to Viagra). A link was also displayed where the reader could find more information.

Figure 4 shows the email message that was sent.

Sending Methods

Each message contained a unique identifier that made it possible to identify not only the message but also the recipient's group, in order to determine whether susceptibility is higher in certain population groups.

Risk behaviours tested

The main risk behaviours this study focused on are:

  • Loading external content referenced by email messages;

  • Following links from unsolicited and untrusted email messages;

  • Opting out from an unknown mailing list.

NOTE:

All the messages included an opt-out footer (option to remove the address from the mailing list) in order to comply with the law in force.
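As an added illustration of the three risk behaviours above and of the per-message identifier described under Sending Methods (this is example code, not part of the original study), the following Python script inspects a received message and reports which of those behaviours it invites; the sample message and its domain are constructed placeholders.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the study's "Message 1": an HTML body that is one
# remote image carrying a per-recipient token, a fallback link and an opt-out footer.
SAMPLE_EML = b"""From: Poll Desk <news@poll-example.invalid>
Subject: Innovative poll system shows smashing defeat for the central parties
Content-Type: text/html; charset=utf-8

<a href="http://poll-example.invalid/news?id=ab12">
<img src="http://poll-example.invalid/img/poll.png?id=ab12" alt="Poll"></a>
<p><a href="http://poll-example.invalid/remove?id=ab12">Remove my address</a></p>
"""

class _RefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.images, self.links = [], []   # absolute image sources / link targets

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("src") if tag == "img" else a.get("href") if tag == "a" else None
        if url and url.lower().startswith(("http://", "https://")):
            (self.images if tag == "img" else self.links).append(url)

OPT_OUT_MARKERS = ("remove", "unsubscribe", "opt-out", "optout")

def assess(raw: bytes) -> dict:
    """Report which of the study's three risk behaviours this message invites."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    refs = _RefCollector()
    if body is not None:
        refs.feed(body.get_content())
    # A query string on a remote image usually carries a per-recipient identifier:
    # merely rendering the mail tells the sender that the address is being read.
    tracked = [u for u in refs.images if urlparse(u).query]
    opt_out = [u for u in refs.links
               if any(m in urlparse(u).path.lower() for m in OPT_OUT_MARKERS)]
    return {
        "remote_images": len(refs.images),
        "tracked_images": len(tracked),
        "link_domains": sorted({urlparse(u).hostname for u in refs.links}),
        "opt_out_links": opt_out,
        "risks": [name for name, hit in (("loads_external_content", refs.images),
                  ("follows_untrusted_links", refs.links), ("opt_out_confirms_address", opt_out)) if hit],
    }
```

Run `assess(SAMPLE_EML)` on the constructed message: all three behaviours are flagged, and the tracked-image count shows why the address is confirmed as live even before any link is followed.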

The Results

The following charts were prepared based on the analysis of the results. The results are divided by scenario, i.e. by the different email messages created.

Message 1

The chart in figure 5 shows the relevant data for this scenario.

The first bar shows that the rate of successfully sent messages is about 66% (although there is no known methodology to confirm that an email has been received by its recipient). This means that it was only possible to deliver email to two thirds of the sample targets. This result is due to two main factors: some of the email addresses had been deleted, so it was not possible to deliver email to them, and some of the target domains rate-limited the number of messages from our sender domain.

From this initial number we know that around 6% of the targets loaded the image in their email client, and 7% of the total sample visited the website (we guess that they tried to obtain more information). Of the entire sample, just 1% removed their address from the alleged distribution list. Despite this result, it is important to stress that 5% of the sample visited the email removal page, which means that just 12% of those visitors effectively unsubscribed from the list.

Clicks distribution by sector (Message 1)

The distribution of accesses by sector is shown in the image. Although it may look like an even distribution, it is important to remember that the sample distribution was not equal, so there is no proportionality between the results. It is therefore possible to conclude that the 25% observed in the public sector is a bigger reason for concern than the same percentage in the domestic sector (with no security awareness), since the latter profile had a bigger representation in the study sample.

Message 2

The following image shows all the relevant data for this scenario.

It is possible to observe that the "success" rate of remote image loading was high, but the same did not happen with site visits. This may be explained by the fact that the news agency that supposedly issued this email did not exist, which may have affected the credibility of the message and discouraged people from following the link.

Message 3

This was the message the investigators were most confident would be ignored by the targets, for two main reasons:

  • The theme was less important than in the other two scenarios;

  • The subject (medicine for sexual dysfunction) is one of the most common in SPAM campaigns.

The results obtained are within those expectations, with a low hit rate, as can be confirmed in figure 8.

It is important to stress, though, that the composition of this email, as explained in the methodology section, did not point to any external content. This means that the result for this "attack" vector would always be 0.

Global Analysis

Figure 9 shows the total count of emails actually sent and the number of accesses generated in each scenario, whether an external image load or a website access (either to obtain more information or to remove the email address).

The chart clearly shows the different results obtained in each of the scenarios created by the different email messages.

Conclusion

Relying on the results of this study, it is safe to say that the Portuguese population is still prone to SPAM attacks, since the global access rate in this study is within the range considered satisfactory for email marketing campaigns (advertising electronic messages), whose success rates are between 5 and 10%.

It is also important not to neglect the results obtained in the 3rd message scenario, which show that there is awareness of this problem, especially regarding the more common techniques.

Taking into account the methodology (complying with the law), it is important to note that the legislation in force does not address the problem in a suitable way; in fact, it may help attackers to target their attacks more specifically. The main example is the opt-out mechanism enforced by the law. This mechanism may allow a hypothetical attacker to fine-tune the attack to valid, or even more importantly, in-use email addresses. A list with this kind of validation is much more valuable on the black market than a simple email list.

Another conclusion that could be drawn from this simulation concerns the cost associated with this attack. The following, illegal, techniques would allow an attacker to increase his target base while keeping a low-cost attack setup:

  • Using emails from hacked database dumps;

  • Buying email lists on the black market;

  • Using a botnet to disseminate the attack;

  • Using open relays to send the messages (Dognædis has recently identified around 2800 hosts in Portugal with this kind of configuration);

  • Phishing mechanisms to forward the message from the victim's email address.

Suggestions

As a way of contributing to this problem, Dognædis would like to stress the following three ideas:

  • Revision of the law, enforcing opt-in email lists so that no unwanted communications are allowed;

  • Raising awareness, which is one of the main ways to prevent the threat SPAM still poses;

  • Regulating and standardizing the activity of mass emailing, especially enforcing solutions for source identification and validation.