But I Still Get Spam! How Did They Get My Address?

Sometimes, you take all the spam precautions in the world, but somehow you STILL end up getting spam. Here’s how this can happen:

Say, you regularly exchange emails with your college friend John. John uses Outlook, Thunderbird, Apple Mail or a similar desktop software and has dozens of emails from you in his inbox. He even added you to his address book. He also has lots of emails from and to former classmate Jane. You haven’t stayed in touch with Jane that closely over the years but you definitely know who she is.

Last year, just before the holiday season, John downloaded and installed this really pretty Christmas screensaver that showed tranquil tree and candle scenes when he wasn’t using the computer. What he didn’t know was that the screen saver had a sinister hidden payload. While the candles flickered peacefully on his screen, the software went to work combing through his emails and address book, his browser’s cache of past webmail sessions and other files, storing every email address it would find in a separate list.

Then it sent the entire list to a server in Russia, where some shady character combined it with other such submissions to build the ultimate monster spam list that can be sold and resold over and over again.

But as if that wasn’t enough, when the “screensaver” sent the address list to Russia, it received some content in return – messages to be blasted to all of John’s contacts. Then, unbeknownst to John, his computer started creating hundreds of emails randomly using the harvested email addresses in the To: and From: field along with the content from the Russian server and sent them out using John’s Internet connection. One of them used Jane’s email address as sender and yours as recipient.

Now you received some spam from Jane asking you to buy fake watches and you’re ready to fire an angry response to her telling her to stop. Well, don’t. Jane has obviously nothing to do with the whole thing and you’ll never find out that it was actually John’s computer.

Trojan Horses, Bots and Zombies

You just had a look into the really nasty underbelly of the Internet where botmasters (the guy in Russia) control bot nets (infected computers that all report to the same server) of remote-controlled zombies (John’s computer) that were compromised using trojan horses (the screensaver) or similar malware.

And it doesn’t even end there. The botmaster typically doesn’t spam for his own account but whores out his bot net to whoever pays the most. The equally shady factory in China wanting to sell more fake Rolexes can now hire the botmaster to blast their offers all over the internet. The guy in Russia doesn’t even care if you open or click on that email from “Jane”, he gets paid either way. And when he’s done with the watches, he’ll inform his entire mailing list that they all won the lottery and can pick up the prize if only they pay a small “transfer fee” up front. And after that, he’ll mail a Paypal phish for yet another “client”. And for good measure, he’ll sell his entire email address database, incl. yours, to a friend who is in the same line of “business”.

In other words, once your email address got picked up by a bot net, pandora’s box is wide open. The whole scheme is particularly wicked because now you have to depend on others to keep your address safe. Unfortunately, there is little you can do:

A trojan horse on the Mac posing as Quicktime codec

A trojan that targets Macs pretends to be a QuickTime codec, but instead installs malware. Credit Wired.com

  • First of all, do your own share: NEVER open email attachments that you didn’t ask for, even if they appear to come from good friends like John. If you’re still curious, ask John first if he really sent it. NEVER download anything where you can’t in­de­pend­ent­ly verify it’s safe. With “independently verify” I mean you can read about it in forums, blogs, news sites etc. Facebook fan pages, even with 1000s of “fans”, do NOT count, they are way too easy to manipulate. NEVER get fooled by fake “security scans” (they’re quite the opposite!) or “video codec updates” to see that funny kitten clip. If you think you need a new Flash player, type in flash.com by hand and update from there. If afterwards the site still says you need an “update” get outta there as fast as you can.
  • Then educate your friends and family about the same. Explain how trojans work. Send them a link to this page!
  • You can try having multiple private email addresses. I have one super-private one, only for family and very few of my closest friends. I know they are familiar with the dangers lurking on the net, not least because I indoctrinated many of them myself. (Hi, dad!) Then I use my alumni address for everyone I met at school, even after I graduated. And a semi-private one for my wider social circle. The latter two do get some spam, although it’s still manageable. The first one has indeed been spam-free for years – knock on wood!

Other than that: Keep a good spam filter!

Leave a Reply

Your email address will not be published. Required fields are marked *