
Whitewashed Spam – How Antispam Laws Are Helping Spammers

Created: 23 May 2013 23:11:55 GMT • Updated: 23 Jan 2014 18:07:02 GMT • Translations available: 日本語
Posted by: Samir_Patil

Contributor: Binny Kuriakose

Anonymity disguised as freedom of expression, together with a lack of clear-cut laws, makes cyberspace murky from a security point of view. Countries are waking up to the need for laws that enable authorities to catch and punish cyberspace miscreants; the miscreants, however, are very crafty.

Spammers are known to use ingenious methods to peddle spam, and lately they have even begun turning antispam laws themselves into cover for their campaigns. This blog is not about analyzing the effectiveness of antispam laws; it is about how spammers quote the laws in emails in order to make the spam look legitimate.

There are some “grey area” emails, which fall somewhere between spam and legitimate mail, and sometimes something quite inconspicuous in the mail can tip the balance in the mind of a recipient. Quoting an antispam law in the body of the email and claiming that the email adheres to it is proving to be a popular technique for painting “grey area” spam white.
 

CAN-SPAM Act - Public Law No. 108-187 (USA - English)

The sample in Figure 1 claims to adhere to the conditions set by the CAN-SPAM Act, the antispam law of the USA. The mail has a disclaimer section at the end which explains the law.
 


Figure 1. Spam sample with antispam law quoted in the body
 

How is this spam?

The transgression here is that the ‘opt-out’ option offered by the spammer is bogus. Using it merely slides you out of one mailing list and inserts you into another. In all such cases the legal quotation and the ‘unsubscribe’ or ‘opt-out’ link are presented so convincingly that the victim falls for them.
 

Other laws most commonly seen misused in spam

  1. MURK - Bill S.1618 Title III (U.S.A - English)

    By far the most misused legal reference, on any scale, is Bill S.1618 Title III of the United States, which goes by the alias MURK. Although it did concern spamming, the Bill DID NOT BECOME A LAW in the USA, since it did not pass both houses of Congress. So any mail which says it is compliant with Bill S.1618 Title III should be put under scrutiny: you are staring at a lie right there. Spam quoting this bill has been seen since 1998, when the Bill was introduced.


    Figure 2. Disclaimer in spam quoting Bill S.1618 Title III

    More disturbing still, spammers go as far as threatening readers with this quote.


    Figure 3. Bill S.1618 quoted in a threatening manner

    This drama has also spilled beyond the shores of the United States: the same quote is seen in spam written in other languages, such as Portuguese and Spanish.


    Figure 4. Disclaimer in a Spanish spam quoting Bill S.1618 Title III
     

  2. Habeas data - Law No. 25,326 Art. 27 Inc. 3 (Argentina - Spanish and Portuguese)

    Law No. 25,326, commonly known as the Habeas Data law, lays down guidelines for commercial email in Argentina. Like most other laws of this kind, its purpose is to empower users to demand that their details be removed from a database.

    It is seen quoted in Spanish and Portuguese spam campaigns in which the opt-out option is dressed up to look legitimate. The fact remains that the opt-out options are bogus and do not stop the victims from receiving more spam.


    Figure 5. Disclaimer in a spam mail quoting Habeas data law
     

  3. Law No. 28493 / 29246 / D. S. 031-2005-MTC (Peru - Spanish)

    Law No. 28493 / 29246 / D. S. 031-2005-MTC is Peruvian antispam legislation, written in Spanish. Spanish-language mail, even from other countries, is seen citing this law and claiming legitimacy under it. The sample offers an unsubscribe option by replying to a webmail address rather than to the sender's own domain.


    Figure 6. Disclaimer in a spam mail quoting Peruvian Law No. 28493 / 29246
     

  4. Déclaration CNIL n°1291376 and Déclaration CNIL n°1181416 (France - French)

    Two CNIL declaration numbers (registrations of data processing filed with CNIL, the French data protection authority that oversees commercial mailings) are seen displayed in spam that gives the recipient no proper opt-out option. The opt-out link usually redirects to another web page showing a message that the user’s details have been removed, but in reality no opt-out takes place.


    Figure 7. Disclaimer in a spam mail quoting French CNIL No 1291376
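The legal references above are easy to turn into a mail-filter heuristic: a claim of compliance with a bill that never became law is a lie by construction, and a disclaimer paired with an opt-out that points at a free webmail mailbox is the Peruvian pattern described above. The following Python scanner is an added example, not Symantec code or any product's detection logic; its patterns, weights, threshold and webmail provider list are arbitrary choices for illustration, and the three sample messages are constructed.

```python
"""Heuristic scan of email bodies for antispam-law boilerplate.

Added example, not Symantec code. Patterns, weights, threshold, the webmail
provider list and the sample messages are all constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Legal references reported in spam disclaimers: (pattern, label, weight).
# S.1618 carries the highest weight because the bill never became law, so a
# "compliance" claim is false by construction. The other laws exist, so a
# quotation alone is only a weak signal.
LAW_PATTERNS = [
    (re.compile(r"\bS\.?\s*1618\b.*?\bTitle\s+III\b", re.I | re.S),
     "Bill S.1618 Title III (never enacted)", 5),
    (re.compile(r"\bCAN-?SPAM\b", re.I), "CAN-SPAM Act", 1),
    (re.compile(r"\bhabeas\s+data\b|\b25[.,]?\s?326\b", re.I),
     "Argentina Law 25,326 (Habeas Data)", 1),
    (re.compile(r"\b28493\b|\b29246\b|031-2005-MTC", re.I),
     "Peru Law 28493 / 29246 / D.S. 031-2005-MTC", 1),
    (re.compile(r"d[ée]claration\s+CNIL\s+n[°o]\s*\d+", re.I),
     "French CNIL declaration number", 1),
]

# Opt-out wording in English, Spanish and French (assumed list).
UNSUB_WORDS = re.compile(
    r"\b(unsubscribe|opt[- ]?out|remov\w*|baja|desinscri\w+|d[ée]sinscri\w+|d[ée]sabonn\w+)\b",
    re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+\.[\w.-]+)")
# Free webmail domains: an opt-out that replies to one of these is not
# going to a sender who owns a mailing infrastructure (assumed list).
WEBMAIL_DOMAINS = ("gmail.com", "hotmail.com", "yahoo.com", "outlook.com")
SUSPICIOUS_THRESHOLD = 3  # arbitrary


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_THRESHOLD


def scan(body: str) -> Verdict:
    """Score one message body; reasons explain every point awarded."""
    v = Verdict()
    for pattern, label, weight in LAW_PATTERNS:
        if pattern.search(body):
            v.score += weight
            v.reasons.append(f"quotes {label}")
    has_unsub = UNSUB_WORDS.search(body) is not None
    if has_unsub:
        # Bogus opt-out: "reply to remove" addressed to a webmail mailbox.
        for m in EMAIL_RE.finditer(body):
            domain = m.group(1).lower()
            if domain in WEBMAIL_DOMAINS:
                v.score += 2
                v.reasons.append(f"opt-out via webmail address @{domain}")
                break
    if v.reasons and has_unsub:
        # The whitewash pattern itself: legal quote used to sell the opt-out.
        v.score += 1
        v.reasons.append("legal disclaimer paired with an opt-out pitch")
    return v


# Constructed samples (not real spam captures).
SAMPLE_S1618 = """Hello friend,
Buy our product now.
This message is sent in compliance with Bill S.1618 Title III passed by the
105th US Congress. Under Bill S.1618 Title III this mail cannot be
considered spam as long as we include contact information and a way to be
removed. To be removed, reply with REMOVE in the subject.
"""

SAMPLE_WEBMAIL_OPTOUT = """Estimado cliente,
Oferta especial esta semana.
Este correo se envía de acuerdo a la Ley N° 28493, Ley 29246 y su reglamento
D.S. 031-2005-MTC. Si no desea recibir más mensajes, solicite su baja
respondiendo a promociones2013@hotmail.com
"""

SAMPLE_LEGIT = """Hi Jane,
Here is the May newsletter from Example Corp.
This email was sent in compliance with the CAN-SPAM Act. You are receiving it
because you signed up at example.com. To unsubscribe, email
unsubscribe@example.com or use the link in the footer.
Example Corp, 1 Main St, Springfield
"""

if __name__ == "__main__":
    for name, body in (("S.1618", SAMPLE_S1618),
                       ("webmail opt-out", SAMPLE_WEBMAIL_OPTOUT),
                       ("legit newsletter", SAMPLE_LEGIT)):
        verdict = scan(body)
        print(f"{name}: score={verdict.score} suspicious={verdict.suspicious}")
        for reason in verdict.reasons:
            print("   -", reason)
```

The third sample is the caveat: a genuine newsletter that cites CAN-SPAM and unsubscribes through its own domain scores below the threshold, because quoting a real law is not by itself evidence of spam. Only the never-enacted S.1618 is treated as conclusive on its own.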
     

Conclusion

From these examples it is strikingly obvious that spammers are trying to whitewash their spam, using the laws to create an aura of fake legitimacy. Recipients, unfortunately, are falling victim to this.

Many countries have recognized the right of individuals to unsubscribe from any communication and to demand the removal of their personal information from any database. But these instances show that a strong opt-in law is just as important as an opt-out law, since spammers can slide you onto a new mailing list after you unsubscribe from one. End users should be aware of the rights that antispam laws grant to every individual.