<div dir="ltr"><div>I noticed a new sysadmin queue ticket opened by Robert Fadel.</div>
<div><a href="http://rt.laptop.org/Ticket/Display.html?id=20714">http://rt.laptop.org/Ticket/Display.html?id=20714</a></div>
<div> </div>
<div>I didn't want to reply on the ticket directly, but it may be important that he be cautioned about handling these messages.</div>
<div> </div>
<div>What he is seeing seems to be an example of "backscatter spam".</div>
<div><a href="http://spamlinks.net/prevent-secure-backscatter.htm">http://spamlinks.net/prevent-secure-backscatter.htm</a></div>
<div> </div>
<div>Essentially, the spammer forges the mail headers and sends a spam message (sometimes even to an invalid address) so that a bounce message is generated by a system other than the spammer's. This ricochets the spam messasge off of one server and then sends it back (in the form of a bounce message) to the real target (the forged address). This is an attempt to defeat trust-based filtering mechanisms.</div>
<div> </div>
<div>Robert should be very careful with these messages. Increasingly these days the point of spam messages is as a malware infection attempt. An attempt is made to trick the user into taking an action (clicking on embedded link or opening attached file) that will lead to a malware infection by exploiting one af many common vulnerabilities. Backscatter spam is a somewhat more advanced form of "social engineering" because even users that are savvy enough not to take such actions when a message comes from an unknown address can be confused by the familar or trusted names of the servers generating the bounce messages.</div>
<div> </div>
<div>Robert in particular needs to exercise caution because as someone publically associated with the finance function, he is a prime target for a "spear-phishing" attack, There is even a special term for a spear-phishing attack targetting exeecutives, they are called "whaling attacks", these attacks tend to be even more sophisticated than the usual malware efforts and oftern deliver keylogging trojans in hopes of getting identity-theft-enabling information from a high-net-worth individual. Furthermore, the malware writers seem to be saving their best effrots for this sort of attack, sometimes using new malware programs for the first time ever in such attacks.</div>
<div> </div>
<div><a href="http://www.theregister.co.uk/2008/04/16/whaling_expedition_continues/">http://www.theregister.co.uk/2008/04/16/whaling_expedition_continues/</a></div>
<div> </div>
<div>I have personal experience with exactly this sort of whaling attack, the CFO of my NASDAQ-listed company was targetted (what appeared to be an IRS or tax-related message with an attachment) and tricked into infecting his laptop with malware that was so new that TrendMicro did not yet have a profile to scan for it. Fortunately, he quickly realized something was amiss and we isolated his laptop from the network, isolated the malware itself (which was not detected by his antivirus software!) and by the end of the day we had a brand-new profile from our antivirus vendor.</div>
<div> </div>
<div>The issue of spam is rapidly moving from inconvenience to major security threat and educating users is an important element of the defensive network, please feel free to pass this message along ot Robert Fadel. It may be that the MIT Media Lab (OLPC's "ISP") should reviw the anti-spam situation, it's been commented on with regards to the RT queue (in various other tickets), I made a switch several years ago to a signifiacantly improved anti-spam solution that I am very happy with, I'd be happy to share my experience with OLPC.</div>
<div> </div>
<div>Chris Leonard (cjl)</div>
<div>OLPC Support Volunteer and veteran of the Spam Wars.</div>
<div><a href="mailto:cjlhomeaddress@gmail.com">cjlhomeaddress@gmail.com</a></div>
<div> </div>
<div> </div>
<div>aka</div>
<div> </div>
<div>Chris Leonard, Ph.D.<br><a href="mailto:Chris.Leonard@memorypharma.com">Chris.Leonard@memorypharma.com</a><br>Director, Translational Research & Technology<br>Memory Pharmaceuticals Corp.<br>100 Philips Parkway<br>
Montvale, New Jersey 07645<br>Phone (201) 802-7263</div>
<div> </div>
<div> </div></div>