by Barracuda Labs
This week a new sort of spam started showing up in the Barracuda Labs Spam Honeypots – fake sender verification emails.
Sender Verification emails ask users to verify that they sent a particular email to someone, usually by responding with another email, or as in this case, by clicking on an embedded link.
Under normal circumstances, these emails come from a mail server that has been fitted with sender verification (challenge-response) software as a spam-fighting measure. While this software is not as common as it once was, such systems are still used by some businesses and ISPs.
However, the example above merely pretends to be one of these verification emails and is not from a mail server at all. Instead, it is cleverly constructed spam whose embedded link can take the recipient to suspicious websites, or even serve up executable malware.
This spam appears plausible and can easily trick the unwary email user.
Close examination does reveal several telltale signs that this email is suspicious. For starters, the name of the person supposedly emailed is missing. Second, the domain that the email purports to come from is the same domain as the recipient's own, which makes no sense: a user never needs to verify himself to his own mail server.
Indeed, one aspect of this campaign is that each spam is carefully tailored to reference the email domain of the recipient, most likely because that domain is one the recipient knows and trusts.
The message is sent only in HTML format, and the link has varied over time. In some cases, it redirects to Canadian Pharmacy Viagra sites. In others, the link presents the user with a Windows .EXE to run, which is a variant of the rapidly spreading TDSS rootkit.
While it is easy enough to hover over the link and see that it does not lead back to the organization shown as the sender, many users will not check the domain in the verification link before clicking it.
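The signs listed above (missing addressee, sender domain identical to the recipient's, HTML-only body, and a link whose host does not belong to the claimed sender) can be turned into a mechanical check. The following script is an added example and is not Barracuda's code or filter logic; the sample message is constructed to resemble the campaign described, and the phrasing matched by the addressee check ("message to ...") and the two-label "organization domain" comparison are simplifying assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message in the style of the campaign described above
# (not a captured spam). Note the empty addressee ("a message to .") and the
# sender domain matching the recipient's domain.
SAMPLE = """From: "Mail Delivery System" <verify@example.com>
To: alice@example.com
Subject: Please verify your message
Content-Type: text/html; charset="utf-8"

<html><body>
<p>You recently sent a message to . To confirm that you sent it,
<a href="http://verify-mail.example.net/confirm?id=12345">click here</a>.</p>
</body></html>
"""

HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)


def registered_domain(host):
    """Crude organization domain: the last two DNS labels. Assumption for the
    heuristic; a real filter would use the public suffix list."""
    parts = host.lower().rstrip('.').split('.')
    return '.'.join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_sender_verification(raw):
    """Return a list of suspicious-sign descriptions found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []

    _, sender = parseaddr(msg.get('From', ''))
    _, rcpt = parseaddr(msg.get('To', ''))
    sender_dom = sender.rpartition('@')[2].lower()
    rcpt_dom = rcpt.rpartition('@')[2].lower()

    # Sign: the "verification" claims to come from the recipient's own domain.
    if sender_dom and sender_dom == rcpt_dom:
        findings.append('sender domain equals recipient domain')

    # Collect the leaf MIME parts and their decoded text.
    parts = [p for p in msg.walk() if not p.is_multipart()]
    body_text = ''
    html_text = ''
    for p in parts:
        ctype = p.get_content_type()
        if ctype in ('text/plain', 'text/html'):
            payload = p.get_payload(decode=True) or b''
            text = payload.decode(p.get_content_charset() or 'utf-8', 'replace')
            body_text += text
            if ctype == 'text/html':
                html_text += text

    # Sign: the message is HTML-only (no text/plain alternative at all).
    if parts and all(p.get_content_type() == 'text/html' for p in parts):
        findings.append('html-only body')

    # Sign: the addressee is missing. Assumed phrasing "message to <address>";
    # the token after "message to" should look like an email address.
    m = re.search(r'\bmessage to\b\s*(\S*)', body_text)
    if m and '@' not in m.group(1):
        findings.append('addressee missing')

    # Sign: the verification link's host does not belong to the claimed sender.
    for url in HREF_RE.findall(html_text):
        host = urlparse(url).hostname or ''
        if host and registered_domain(host) != registered_domain(sender_dom):
            findings.append(
                'link host %s does not match sender domain %s' % (host, sender_dom))

    return findings


if __name__ == '__main__':
    for finding in check_sender_verification(SAMPLE):
        print('suspicious:', finding)
```

Run against the constructed sample, all four signs fire. The checks are deliberately independent so that a message tripping only one of them (a legitimate challenge-response system that happens to send HTML, for example) can be scored rather than rejected outright.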
Barracuda Spam & Virus Firewalls block these emails. We suggest users take note and warn other email users of this new social engineering tactic. These emails do not fight spam; they ARE spam.