SpecificMAIL Technical Brief

From: Nick D. (ndebaggis_at_verizon.net)
Date: 08/14/04

  • Next message: SGI Security Coordinator: "SGI Advanced Linux Environment 3 Security Update #9"
    Date: Sat, 14 Aug 2004 12:12:51 -0400
    To: bugtraq@securityfocus.com
    
    

    SpecificMAIL Outlook Spam Filter Technical Brief

    July 22, 2004; August 10, 2004

    SpecificMAIL (www.specificmail.com) is a free Outlook / Outlook
    Express spam filter that utilizes a proprietary online spam database
    to help keep your inbox clean of spam. SpecificMAIL is much more
    than a spam filter; initial tests show that SpecificMAIL should be
    classified as spyware/adware. SpecificMAIL’s EULA and privacy policy
    are accurate. SpecificMAIL collects web surfing habits, sites
    visited, time of visit, duration of visit, full URL, etc. When first
    installed, SpecificMAIL also collects a large amount of personal
    information such as name, email address, age, income, etc. One of
    the major issues with SpecificMAIL is that it also collects the
    headers and body text of received email.

    In the following email, a message was sent to the user of
    SpecificMAIL (customer@) from the mock address onlinebank@. The
    message is a typical example of an auto-response from an online bill
    payment system. Upon training SpecificMAIL to whitelist the sender,
    all email from that sender is rightfully placed in the usual Inbox
    folder. On the surface this appears to be a useful application. What
    happens behind the scenes is a different story.

    ------------------------------------------------
    From: onlinebank@
    Subject: Bank Details: #27779000
    Date: Thu, July 22, 2004 10:33 pm
    To: customer@

    Your account has been credited $679.08 from NEC.
    ------------------------------------------------

    At the time the email from onlinebank@ is received, the SpecificMAIL
    spam blocker grabs the message body and uploads it to the
    rawcheck.php script at www.specificmail.com This activity happens
    before and after onlinebank@ is white listed via SpecificMAIL’s
    challenge/response system.

    The following raw packet dump illustrates:

    No. Time Source Destination Protocol

    544 22:33:31.992557 172.16.0.73 64.79.161.91(www.specificmail.com)

    HTTP GET
    /admin/rawcheck.php?mailmessage=Your%20account%20has%20been%20credit
    ed %20$679.08%20from%20NEC.%20 HTTP/1.0

    Frame 544 (351 bytes on wire, 351 bytes captured)
    Internet Protocol, Src Addr: 172.16.0.73, Dst Addr: 64.79.161.91
    Transmission Control Protocol, Src Port: 1435, Dst Port: 80, Seq:
    1110979812, Ack: 2770647021, Len: 297

    Hypertext Transfer Protocol
    01 51 29 4d 40 00 80 06 42 56 ac 10 00 49 40 4f .Q)M@...BV...I@O
    a1 5b 05 9b 00 50 42 38 34 e4 a5 24 b7 ed 50 18 .[...PB84..$..P.
    fd 5c ff 13 00 00 47 45 54 20 2f 61 64 6d 69 6e .\....GET /admin
    2f 72 61 77 63 68 65 63 6b 2e 70 68 70 3f 6d 61 /rawcheck.php?ma
    69 6c 6d 65 73 73 61 67 65 3d 59 6f 75 72 25 32 ilmessage=Your%2
    30 61 63 63 6f 75 6e 74 25 32 30 68 61 73 25 32 0account%20has%2
    30 62 65 65 6e 25 32 30 63 72 65 64 69 74 65 64 0been%20credited
    25 32 30 24 36 37 39 2e 30 38 25 32 30 66 72 6f %20$679.08%20fro
    6d 25 32 30 4e 45 43 2e 25 32 30 20 48 54 54 50 m%20NEC.%20 HTTP
    2f 31 2e 30 0d 0a 41 63 63 65 70 74 3a 20 69 6d /1.0..Accept: im
    61 67 65 2f 67 69 66 2c 20 69 6d 61 67 65 2f 78 age/gif, image/x
    2d 78 62 69 74 6d 61 70 2c 20 69 6d 61 67 65 2f -xbitmap, image/
    6a 70 65 67 2c 20 69 6d 61 67 65 2f 70 6a 70 65 jpeg, image/pjpe
    67 2c 20 2a 2f 2a 0d 0a 55 73 65 72 2d 41 67 65 g, */*..User-Age
    6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 33 2e 30 20 nt: Mozilla/3.0
    28 63 6f 6d 70 61 74 69 62 6c 65 29 0d 0a 48 6f (compatible)..Ho
    73 74 3a 20 77 77 77 2e 73 70 65 63 69 66 69 63 st: www.specific
    6d 61 69 6c 2e 63 6f 6d 0d 0a 41 75 74 68 6f 72 mail.com..Author
    69 7a 61 74 69 6f 6e 3a 20 42 61 73 69 63 20 63 ization: Basic c
    33 42 6c 59 32 6c 6d 61 57 4e 74 59 57 6c 73 4f 3BlY2lmaWNtYWlsO
    6a 45 79 4d 7a 51 32 4e 51 3d 3d 0d 0a 0d 0a jEyMzQ2NQ==....

    Initial testing indicates about 160 characters of message text can
    be uploaded to the PHP script.

    Other SpecificMAIL functionality:

    - Tracks web site usage including the full URL of each site the user
       visits.

    - Sends hourly updates indicating the user's online status.

    - Directs popup and popunder advertisements onto the user's desktop.

    - Has the ability to install additional software on the user's
       computer automatically.

    The SpecificMAIL EULA and privacy policy should be enough to stop
    someone from installing the software, but who really reads those
    documents before clicking “yes” anyhow? Here are a few excerpts from
    their EULA and privacy policy:

    "SOME INFORMATION COLLECTED BY THE SPECIFICMEDIA SOFTWARE IS
    PERSONALLY IDENTIFIABLE, SUCH AS YOUR EMAIL ADDRESS, BUT ALL
    INFORMATION WE COLLECT, EVEN NON-PERSONALLY IDENTIFIABLE
    INFORMATION, CAN BE LINKED TO YOUR PERSONALLY IDENTIFIABLE
    INFORMATION."

    "SpecificMAIL may communicate with the central SpecificMAIL
    database. This allows SpecificMAIL to improve its spam detection
    performance, and confirm the identity of those who send email to
    you. As part of this process, we may become aware of header
    information and the contents of emails you receive or scan."

    In summary, SpecificMAIL is passively collecting most of, if not all
    of, the user's web browsing habits and email communications. It
    should be noted this is only the tip of the SpecificMAIL iceberg.
    SpecificMAIL appears to be affiliated with SpecificPop,
    SpecificClick, and Advertisingbanners.com.

    N. DeBaggis


  • Next message: SGI Security Coordinator: "SGI Advanced Linux Environment 3 Security Update #9"