Spammers are now abusing the "out of office" feature of Web-based e-mail services to relay their junk messages into the inboxes of unsuspecting Internet users.
McAfee Avert Labs has recently seen several instances where spammers set up Web-based e-mail accounts and configure auto responders with spammy messages. The miscreants then send e-mail with fake "from" addresses – the spam targets – to their newly created Web-mail accounts. The "from" addresses subsequently receive the spammy "out of office" notices.
This may sound like a convoluted way to send spam, but spammers do it to trick spam filters. An automatic reply from a well-known Web-based e-mail service looks legitimate to many spam filtering tools. Unlike spam sent by botnets, the auto-reply spam has a legitimate sender and carries the correct e-mail authentication signatures that the service applies to its outgoing messages, such as DKIM, DomainKeys or Sender ID.
One spammer seen using this technique is advertising an adult Web site. The auto-responder spam does not look like a typical out-of-office reply. The message subject does always contain "Re:", because that is added by the Web-mail service, but the spammer controls the rest of the subject line and the message body text. In the examples McAfee Avert Labs has seen, the mail could only be identified as an auto-responder reply by carefully examining the e-mail headers.
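The following is an added example (not McAfee's code) of the header inspection described above: it flags a message as a likely auto-responder reply from standard auto-reply headers (RFC 3834 `Auto-Submitted`, `Precedence`) and common vendor headers, plus a "Re:" subject with no threading header; which of these a particular Web-mail service emits is an assumption, and the sample messages are constructed.

```python
# Added example: classify a message as a likely auto-reply from its headers.
# The header set is an assumption (standard and commonly seen names), not
# taken from the article.
from email import message_from_string
from email.message import Message

# Header name -> predicate on its value that marks an automatic response.
AUTO_HEADERS = {
    "auto-submitted": lambda v: v.strip().lower() != "no",             # RFC 3834
    # "bulk" is also used by mailing lists, so it is a weaker signal than auto_reply.
    "precedence": lambda v: v.strip().lower() in {"auto_reply", "bulk"},
    "x-autoreply": lambda v: True,
    "x-autorespond": lambda v: True,
}

def auto_reply_signals(raw: str) -> list:
    """Return the header-based reasons a message looks like an auto-responder."""
    msg: Message = message_from_string(raw)
    reasons = []
    for name, test in AUTO_HEADERS.items():
        for value in msg.get_all(name, []):       # header lookup is case-insensitive
            if test(value):
                reasons.append(f"{name}: {value.strip()}")
    subject = msg.get("subject", "")
    # A "Re:" subject with no In-Reply-To is consistent with a reply to a
    # message the recipient never actually sent (a forged-From trigger).
    if subject.lower().startswith("re:") and not msg.get("in-reply-to"):
        reasons.append("subject is a reply but no In-Reply-To header")
    return reasons

def is_auto_reply(raw: str) -> bool:
    return bool(auto_reply_signals(raw))

# Constructed sample: an auto-reply whose subject tail the account owner chose.
SAMPLE_AUTOREPLY = """\
From: someone@example-webmail.test
To: victim@example.org
Subject: Re: check out this site
Auto-Submitted: auto-replied
Precedence: auto_reply
Message-ID: <reply-1@example-webmail.test>

Visit our site today!
"""

# Constructed sample: an ordinary human reply in an existing thread.
SAMPLE_NORMAL = """\
From: friend@example.net
To: victim@example.org
Subject: Re: lunch?
In-Reply-To: <abc@example.org>

Sure, noon works.
"""
```

Run over a mailbox, the returned reasons can feed a filter rule that gives auto-replies extra scrutiny rather than treating a signed sender as a clean pass.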
"In recent weeks we have seen an increasing number of spam apparently sent by legitimate Web-based e-mail systems," says Jeremy Gilliat, an Aylesbury, UK-based anti-spam engineer at McAfee. "Interestingly we see spam from a number of accounts being abused in this way. I suspect the spammer has a program that automatically creates accounts and sets the responder text, all with no manual work required. This gives the spammer the capability to have lots of Web-mail accounts, all used to spam lots of people."