Spam delivered through your company website

August 8, 2019

Spammers are constantly looking for new ways to deliver spam messages to recipients, bypassing filters. Ideally, they want to make it seem like the message came from someone who has a good reputation with spam filters. For example, they seek to send spam from an address at your company, through your own website. This method, which we’ll explain below, is becoming quite popular.

These days, almost every company is interested in obtaining feedback from its customers to improve services, retain clientele, and so on. To get that feedback, companies usually place a feedback form, or even several such forms, on their website. Users can use these forms to ask questions, leave suggestions, sign up for company events or subscribe to newsletters, and to receive other updates. Attackers, meanwhile, are trying to exploit the mechanism to send spam to totally unrelated people or companies.

How attackers can use your website to send messages

The mechanism is, in fact, fairly simple. As a rule, before a user can use an online service, get on a mailing list, or ask a question on a company website, they must first sign up. And that means they must enter their name and e-mail address at the very least. After the user submits a request to register, the company sends a confirmation message by e-mail. Spammers simply figured out how to add their own information to these registration confirmation messages.

They specify the victim’s e-mail address as the registration address, and they enter their advertising message in the name field — for example, “we sell sheet iron at a discount. Go to http://sheetiron.su.” The registration mechanism sends a confirmation message to the victim. The message opens politely: “Hello, we sell sheet iron at a discount. Go to http://sheetiron.su! Please confirm your registration request….” If someone tries to play this trick using the registration form on the website of a construction company, then the result may come across as fairly convincing.

The evolution of how attackers use feedback forms

It is remarkable that this new tool that spammers exploit actually arose from efforts to fight spam. Once upon a time, at the dawn of the Internet, the website feedback tool of choice looked like a guest book in which anyone could leave a message. Pranksters and spammers started to take advantage of this, which turned guest books into chaotic messes. Then website security experts decided to make it mandatory for guests to register first. The attackers responded with programs that automatically registered users under fictional e-mail addresses, which allowed them to continue to spam the company that owned the website.

It was then that website developers began to require users to confirm their e-mail addresses. It is this mechanism that spammers are now able to exploit to send messages. When that happens, nothing is sent to the company’s e-mail account. The user data that is collected during the registration process is simply recorded to a database, and the victims receive something like this:

The advantages of delivering spam through reputable companies’ websites

Virtually every company that is interested in stimulating an influx of new customers through the Internet and retaining the loyalty of their existing users pays a lot of attention to their website. The site’s design, content, and usability mean a lot. Usually, companies carefully monitor the reputation of their websites. However, having an impeccable reputation is what attracts attackers.

Messages that are sent from a reliable resource usually pass antispam filters with ease; they essentially have the status of official messages from a reputable company. And all of the technical headers in the message are completely legitimate. At the same time, the amount of actual spam content in the message (which is what the filters could react to) is relatively small. The spam rating is based on a variety of factors, so the overall authenticity of the message prevails, and the message passes through the filter.

This method of delivering spam has recently become increasingly popular among scammers. They have even started to offer it as a service: delivery of your advertising through feedback forms.

Spam sent through your site threatens your business

Your business reputation and the well-being of your customers are at risk. First of all, if registration notices containing some kind of intrusive advertising are sent in your name, then the recipients of these messages (who know they didn’t fill out a registration form on your website) might think that your company is the one sending spam.

Second, spammers sometimes insert a phishing link in the name field, additionally compromising your company by leading the recipient to fraudulent content — or even malicious code, which may have even worse consequences for the victim.

Sometimes fraudsters can purposefully exploit the name of the company, therefore damaging its reputation. For example, this method can be used to send the company’s users messages about fake promotions and prizes your company is supposedly offering. With those spoofed messages coming from a legitimate source, many people will believe them.

How can you prevent your site from becoming a tool for spamming?

For a start, get to know how feedback forms work on your website by running a small test. Just go to the relevant form on your website and register there with your personal e-mail address — but enter the following message in the name field: “I am selling my garage….” Include a website address and a phone number. Then check to see what exactly is sent to your e-mail inbox to learn whether there are any verification mechanisms for that type of information.

If you receive a message that starts “Hello, I am selling my garage…” then you should contact the people who are responsible for maintaining your websites and remind them that the names of real, living people cannot contain numbers, semicolons, “http://”, and other similar symbols or strings. Therefore, they need to create simple input checks that will generate an error if a user tries to register under a name with such invalid characters or parts. Developers can easily introduce those checks on your site or in the mailing mechanism.

And just in case the developers missed something else, consider having your website audited for vulnerabilities.