lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <411E3A03.2000400@verizon.net>
Date: Sat, 14 Aug 2004 12:12:51 -0400
From: "Nick D." <ndebaggis@...izon.net>
To: bugtraq@...urityfocus.com
Subject: SpecificMAIL Technical Brief


SpecificMAIL Outlook Spam Filter Technical Brief

July 22, 2004; August 10, 2004

SpecificMAIL (www.specificmail.com) is a free Outlook / Outlook
Express spam filter that utilizes a proprietary online spam database
to help keep your inbox clean of spam. SpecificMAIL is much more
than a spam filter; initial tests show that SpecificMAIL should be
classified as spyware/adware. SpecificMAIL’s EULA and privacy policy
are accurate.  SpecificMAIL collects web surfing habits, sites
visited, time of visit, duration of visit, full URL, etc. When first
installed, SpecificMAIL also collects a large amount of personal
information such as name, email address, age, income, etc. One of
the major issues with SpecificMAIL is that it also collects the
headers and body text of received email.

In the following email, a message was sent to the user of
SpecificMAIL (customer@) from the mock address onlinebank@. The
message is a typical example of an auto-response from an online bill
payment system. Upon training SpecificMAIL to whitelist the sender,
all email from that sender is rightfully placed in the usual Inbox
folder. On the surface this appears to be a useful application. What
happens behind the scenes is a different story.

------------------------------------------------
From: onlinebank@
Subject: Bank Details: #27779000
Date: Thu, July 22, 2004 10:33 pm
To: customer@

Your account has been credited $679.08 from NEC.
------------------------------------------------

At the time the email from onlinebank@ is received, the SpecificMAIL
spam blocker grabs the message body and uploads it to the
rawcheck.php script at www.specificmail.com  This activity happens
before and after onlinebank@ is white listed via SpecificMAIL’s
challenge/response system.

The following raw packet dump illustrates:

No. Time Source Destination Protocol

544 22:33:31.992557 172.16.0.73 64.79.161.91(www.specificmail.com)

HTTP GET
/admin/rawcheck.php?mailmessage=Your%20account%20has%20been%20credit
ed %20$679.08%20from%20NEC.%20 HTTP/1.0

Frame 544 (351 bytes on wire, 351 bytes captured)
Internet Protocol, Src Addr: 172.16.0.73, Dst Addr: 64.79.161.91
Transmission Control Protocol, Src Port: 1435, Dst Port: 80, Seq:
1110979812, Ack: 2770647021, Len: 297

Hypertext Transfer Protocol
01 51 29 4d 40 00 80 06 42 56 ac 10 00 49 40 4f .Q)M@...BV...I@O
a1 5b 05 9b 00 50 42 38 34 e4 a5 24 b7 ed 50 18 .[...PB84..$..P.
fd 5c ff 13 00 00 47 45 54 20 2f 61 64 6d 69 6e .\....GET /admin
2f 72 61 77 63 68 65 63 6b 2e 70 68 70 3f 6d 61 /rawcheck.php?ma
69 6c 6d 65 73 73 61 67 65 3d 59 6f 75 72 25 32 ilmessage=Your%2
30 61 63 63 6f 75 6e 74 25 32 30 68 61 73 25 32 0account%20has%2
30 62 65 65 6e 25 32 30 63 72 65 64 69 74 65 64 0been%20credited
25 32 30 24 36 37 39 2e 30 38 25 32 30 66 72 6f %20$679.08%20fro
6d 25 32 30 4e 45 43 2e 25 32 30 20 48 54 54 50 m%20NEC.%20 HTTP
2f 31 2e 30 0d 0a 41 63 63 65 70 74 3a 20 69 6d /1.0..Accept: im
61 67 65 2f 67 69 66 2c 20 69 6d 61 67 65 2f 78 age/gif, image/x
2d 78 62 69 74 6d 61 70 2c 20 69 6d 61 67 65 2f -xbitmap, image/
6a 70 65 67 2c 20 69 6d 61 67 65 2f 70 6a 70 65 jpeg, image/pjpe
67 2c 20 2a 2f 2a 0d 0a 55 73 65 72 2d 41 67 65 g, */*..User-Age
6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 33 2e 30 20 nt: Mozilla/3.0
28 63 6f 6d 70 61 74 69 62 6c 65 29 0d 0a 48 6f (compatible)..Ho
73 74 3a 20 77 77 77 2e 73 70 65 63 69 66 69 63 st: www.specific
6d 61 69 6c 2e 63 6f 6d 0d 0a 41 75 74 68 6f 72 mail.com..Author
69 7a 61 74 69 6f 6e 3a 20 42 61 73 69 63 20 63 ization: Basic c
33 42 6c 59 32 6c 6d 61 57 4e 74 59 57 6c 73 4f 3BlY2lmaWNtYWlsO
6a 45 79 4d 7a 51 32 4e 51 3d 3d 0d 0a 0d 0a    jEyMzQ2NQ==....

Initial testing indicates about 160 characters of message text can
be uploaded to the PHP script.

Other SpecificMAIL functionality:

- Tracks web site usage including the full URL of each site the user
   visits.

- Sends hourly updates indicating the user's online status.

- Directs popup and popunder advertisements onto the user's desktop.

- Has the ability to install additional software on the user's
   computer automatically.

The SpecificMAIL EULA and privacy policy should be enough to stop
someone from installing the software, but who really reads those
documents before clicking “yes” anyhow? Here are a few excerpts from
their EULA and privacy policy:

"SOME INFORMATION COLLECTED BY THE SPECIFICMEDIA SOFTWARE IS
PERSONALLY IDENTIFIABLE, SUCH AS YOUR EMAIL ADDRESS, BUT ALL
INFORMATION WE COLLECT, EVEN NON-PERSONALLY IDENTIFIABLE
INFORMATION, CAN BE LINKED TO YOUR PERSONALLY IDENTIFIABLE
INFORMATION."

"SpecificMAIL may communicate with the central SpecificMAIL
database. This allows SpecificMAIL to improve its spam detection
performance, and confirm the identity of those who send email to
you. As part of this process, we may become aware of header
information and the contents of emails you receive or scan."


In summary, SpecificMAIL is passively collecting most of, if not all
of, the user's web browsing habits and email communications. It
should be noted this is only the tip of the SpecificMAIL iceberg.
SpecificMAIL appears to be affiliated with SpecificPop,
SpecificClick, and Advertisingbanners.com.

N. DeBaggis


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ