
I have been receiving spam from one source for a few months. I believe it has a lot of channels - I see From addresses like CREDIT CARDS<abc@somespam.com>, HOLIDAYS<abc@somespam.com>, etc. I decided to unsubscribe, and on clicking the unsubscribe button in the mail, a new Compose Mail window was opened with the following details populated:

  1. Recipient e-mail id
  2. Subject
  3. Text

The recipient email id was a different one. It was xyz@someotherspam.com rather than abc@somespam.com (from which I received the email). And the subject had some auto-generated token comprising chars, numbers and symbols.

And on looking at this question, all I could see is that the spammer can mark our account as active. However, I have a few questions regarding information security here.

  1. Is it possible to retrieve any information from my inbox / sent items using some scripts if I send the unsubscribe mail? If yes, how do we find if any information has been stolen?
  2. Since my connection with the server is open, is it possible to contact the mail server by impersonating me?
  3. If all it does is mark my email as active, what are the consequences of that?
shar

2 Answers


Is it possible to retrieve any information from my inbox / sent items using some scripts if I send the unsubscribe mail? If yes, how do we find if any information has been stolen?

People on this forum are generally going to acknowledge that "everything is possible." Instead, we concentrate on what's likely, probable, and worth defending against.

Applications like Outlook and Thunderbird read the link as a URL, and those URLs are linked to applications. mailto: will be opened by the default mail client, http / https will be opened by the browser. These URLs are then parsed, and action is taken on them.

It's the parsing that gets us in trouble. When input is parsed by the application (or the OS), it could be parsed in a manner that exploits some flaw and precipitates a bad result. One example: earlier this year, a flaw was discovered where a link click can crash your system.

So, links can be dangerous. Fortunately, there is a relatively safe way to deal with them: mouse over. When you mouse over a link, it should display the destination. If it's an http or https or mailto link, then you should be relatively safe (until you're not). If you see a UNC link `\\something` in an email, then that's definitely not something you'd want to click on. Even an http(s) or mailto link might be suspect depending on the destination.

So the ultimate conclusion is: if you are running an unpatched, not up-to-date operating system and software, then the odds you'll be hit with something nasty from a link (or other sources) are much higher. (Using AV for protection is out of scope for this question, and generally triggers a Holy War. If you have additional questions on that, I'd post them on SuperUser.com.)

Since my connection with the server is open, is it possible to contact the mail server by impersonating as me?

Assuming that you have a vulnerability as discussed above, anything is possible. So, yes.

If all it does is mark my email as active, what are the consequences of that?

I've dealt with spam extensively, from MS Exchange filtering to Postfix, SpamAssassin, and writing milters to filter spam. There are three things that a spammer cares about that will make your address a "value add":

  1. That the email can be delivered. Deliverability is what these low-lifes are selling when they sell your email.
  2. Open rates - that you opened the email marks it active. They do this with email tracking pixels.
  3. Some sort of activity (a click, a purchase, a phish, etc...).

So, your email gets marked as one or more of these - if you're dealing with a sophisticated spammer. However, most spammers are not even sophisticated enough to send RFC-compliant email; their database handling skills are basically non-existent.

Chances are: you're already marked as one of the three classifications above. If your email has been breached, bad guys cross reference different breach lists. If the email appears on more than one, (and chances are, that's true too... thanks Yahoo, DropBox, Google, etc...) then you're on a separate, more valuable list.

So what to do?

You have to assume that if you receive an email, you're "active." If you open it to see what it is, you have already been marked as "active+open." So, there's no point in worrying what metadata some bad actor is collecting on you. Your primary concern is (should be) protecting yourself.

Simple steps to do this:

  1. Just delete obvious spam emails. The unsub links won't work 90% of the time, and when they do work, you've raised your hand as active. (That seems to be worthless to them these days since data breach data is so much more reliable... but why not avoid it?). In the last year, at one of my sites, I monitored and did frequency analysis on just over 500,000,000 inbound emails over a period of six months. The only factor that increased the frequency of email to a given address was its age. The owner of the company had a 20+ year old email address, and he got the most. The next most senior employee had the next greatest spam level. And so on...

  2. If the mouse-over reveals an https link, manually navigate to the site (in a sandbox) using copy paste, and go to the root of the site to see if it's legit. If so, then unsubs are probably honored.

  3. If it's from a big company, unsubs must be honored (at least in the US). It's probably fine to unsubscribe.

Important

Read the URL carefully and always check the SSL certificate issuer for https links in the emails. Ransomware emails are crafted amazingly well in comparison to the rest of them. I have seen a few come through that were beautiful reproductions of UPS, FedEx, USPS, the IRS, and a few other major organization emails. I've seen some that came through that had working websites behind them claiming to be a city municipality, complete with contact address, correct phone numbers, Google Maps add-ins, and what must have been a $3,000 website complete with SSL (signed by a Chinese CA. Pretty sure US municipalities won't be using a Chinese CA). These are sent as RFC-compliant, DKIM-signed, SPF-compliant emails from non-day-old-bread domains in low volumes to keep from getting blacklisted. SpamAssassin routinely classifies them as < 2. They either use a compliment domain ("irscompliance.us" instead of the legit irs.gov) or a duplicate letter (like Gooogle vs Google). These are pretty rare, but they are exquisitely crafted. It's almost as if all the spammers who were good at their job have switched to the ransomware industry.

DrDamnit

If the link was a mailto: one (which was probably the case), then the pre-population was done on the basis of what was in that link. That way you can set the address to reply to, the subject, etc.

The random characters you see are to track who replied. They are generated by them on their systems and added to the email you received. This is to say that they do not contain any information from your system.

All in all I would not care. Responding to an email via 'Unsubscribe' sometimes works, sometimes does not. It depends on the seriousness of the sender.

This can also mark you as "someone who is alive" but then, with the mountains of spam we receive, I would not care about that either.

WoJ
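As an added example (not part of either answer), the Python below performs the triage both answers describe before an unsubscribe link is clicked: it parses the fields a mailto: link will pre-populate in the compose window (recipient, subject, body, per RFC 6068), flags a recipient domain that differs from the From address, flags a subject or body that looks like a tracking token, and refuses UNC/file links outright. The From header, the links and the token heuristic are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed samples modelled on the question: the From header and two
# link targets a mouse-over might reveal (a mailto: unsubscribe and a UNC path).
FROM_HEADER = "CREDIT CARDS <abc@somespam.com>"
UNSUB_LINK = "mailto:xyz@someotherspam.com?subject=unsub%20Qk7%24x9%40Lm2%21pZ4%5Ev8"
UNC_LINK = r"\\fileserver\share\unsubscribe.lnk"

# Heuristic (constructed): a run of 8+ non-space chars mixing letters, digits and symbols.
TOKEN_RE = re.compile(r"(?=\S*\d)(?=\S*[A-Za-z])(?=\S*[^\w\s])\S{8,}")


def addr_domain(addr):
    """Domain of 'Name <user@host>' or 'user@host', lower-cased (None if no address)."""
    m = re.search(r"@([^<>\s]+)", addr)
    return m.group(1).lower() if m else None


def parse_mailto(link):
    """Fields a mailto: link pre-populates in the compose window (RFC 6068)."""
    parts = urlsplit(link)
    if parts.scheme.lower() != "mailto":
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    recipients = [unquote(parts.path)] if parts.path else []
    recipients += params.get("to", [])                     # RFC 6068 also allows ?to=
    return {
        "to": [r.lower() for r in recipients],
        "subject": params.get("subject", [""])[0],
        "body": params.get("body", [""])[0],
    }


def assess_unsub_link(from_header, link):
    """Defender-side triage of a link before clicking; returns a list of findings."""
    findings = []
    if link.startswith("\\\\") or urlsplit(link).scheme.lower() == "file":
        return ["unc_or_file_link"]          # never a legitimate unsubscribe target
    fields = parse_mailto(link)
    if fields is None:
        return findings                      # http(s): inspect host and certificate instead
    sender_domain = addr_domain(from_header)
    if any(addr_domain(r) != sender_domain for r in fields["to"]):
        findings.append("recipient_domain_mismatch")   # reply goes to a third party
    if TOKEN_RE.search(fields["subject"]) or TOKEN_RE.search(fields["body"]):
        findings.append("tracking_token")    # random token ties your reply to their record
    return findings


if __name__ == "__main__":
    print(parse_mailto(UNSUB_LINK))
    print(assess_unsub_link(FROM_HEADER, UNSUB_LINK))  # ['recipient_domain_mismatch', 'tracking_token']
    print(assess_unsub_link(FROM_HEADER, UNC_LINK))    # ['unc_or_file_link']
```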