[SC-Help] [webforum] Who would spam a sneakemail?

John E. Malmberg wb8tyw at qsl.network
Mon Jun 27 12:47:08 EDT 2005


On the web forum thingy, there is a discussion on how a spammer could have
come up with a Sneakemail address.

I cannot post there during the day, mainly because I cannot remember my
password, and lynx is a bit cumbersome to use with that forum.

The original poster, a Jank1887, is stating that they are using a web mailer.

Depending on what browser Jank1887 is using, they may be giving quite a
bit of control of their local system over to whoever sends them e-mail or spam.

The web mail site may be listed as "Trusted", which generally means that
the content it displays may be permitted to run scripts and even
binaries linked to or contained in the e-mail.  Some web mail providers
require this lowered security level just to log into their service, because
they use a browser-run script for the login process.

In addition, with the web mail services that I have seen, there is no way to
disable the automatic opening of external links, which gives the spam sender a
great deal of information about the recipient and their network.

And with some browsers, there is a known exploit where a website can use the
internal FTP facility of the browser to locally run network scripts against
other servers.  DSBL.ORG has a web page that, if you visit it with a vulnerable
browser, will cause that browser's host to be listed on DSBL.ORG, and it is trivial to
craft an HTML e-mail that will automatically visit that web page.  As the
browser does not realize that it is running a script, disabling scripting in
the browser is not a work-around.  The Mozilla family of browsers is reported
not to be vulnerable to this exploit.  Some others have patches available.


On the other hand, there is a claim that the systems both on the sending side
and the receiving side could not have had a virus or other malware harvest
the e-mail address because they were up to date on the virus scanners.

That is not a defense.  Any system that needs, or user that depends on, a
virus scanner to keep it clean can never be assumed to be clean of
infections, spyware or other malware.  Virus scanners only target discovered
viruses, and spyware scanners only target mass-distributed spyware, and both
are going to be at least 4 to 8 hours behind a new variant coming out.

Neither type of scanner is going to be effective against malware that has
not yet been detected in mass distribution.  Some firewalls may block or detect
some of the activity.

And if the system containing the harvested addresses can automatically
access files from other systems through the LANMAN protocol that are
vulnerable to viruses, then the virus or malware does not have to infect
the system containing the harvested addresses for it to be able to read
the hard drive and harvest the contents.

Just having the LANMAN protocol in common can be enough if a system makes
any connection through the LANMAN protocol to a host running malware.  That
exploit is past its 10th birthday now, and the only defense is still to
have a firewall blocking the LANMAN protocol between the two machines.

The only defense against a malware infection is to have the system locked down
so that scripts and binaries cannot be installed without the knowledge of
the user, and that system must not be able to automatically initiate LANMAN
connections to possibly infected systems.

-John
wb8tyw at qsl.network
Personal Opinion Only
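The point above about web mail automatically opening external links, as an added example that is not part of the original post: a small Python scanner that lists what a mail renderer would fetch as soon as the message is displayed (each such URL tells the sender's server that this recipient opened it) and rewrites those attributes so nothing is fetched. The `spam.example` URLs, the `r=` recipient token and the whole sample message are constructed values, not taken from the thread.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# (tag, attribute) pairs a renderer fetches without any user action.
# An <a href> is deliberately absent: it only loads when clicked.
AUTO_LOAD = {("img", "src"), ("link", "href"), ("script", "src"),
             ("iframe", "src"), ("body", "background"), ("table", "background")}

class RemoteContentFinder(HTMLParser):
    """Collects every auto-loaded remote URL together with its raw start tag."""
    def __init__(self):
        super().__init__()
        self.found = []  # (raw_tag_text, tag, attr, url)

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            if (tag, attr) in AUTO_LOAD and value:
                if urlparse(value).scheme.lower() in ("http", "https", "ftp"):
                    self.found.append((self.get_starttag_text(), tag, attr, value))

def find_remote_content(html):
    """Return [(tag, attr, url)] for everything a client would fetch on open."""
    p = RemoteContentFinder()
    p.feed(html)
    return [(tag, attr, url) for _, tag, attr, url in p.found]

def contacted_hosts(html):
    """Hosts that learn the message was opened (and by whom, via the URL token)."""
    return sorted({urlparse(url).netloc for _, _, url in find_remote_content(html)})

def neutralize(html):
    """Rename each auto-loading attribute to data-blocked-<attr> so the renderer
    keeps the markup but makes no network request; returns the rewritten HTML."""
    p = RemoteContentFinder()
    p.feed(html)
    out = html
    for raw, _, attr, _ in p.found:
        fixed = re.sub(r"(?<=\s)%s(?=\s*=)" % re.escape(attr), "data-blocked-" + attr,
                       raw, count=1, flags=re.IGNORECASE)
        out = out.replace(raw, fixed)
    return out

# Constructed sample message: a 1x1 "open" beacon carrying a per-recipient token.
SAMPLE = ('<html><body background="http://spam.example/bg.gif"><p>Hello</p>'
          '<img src="http://spam.example/open.gif?r=ab12cd" width="1" height="1">'
          '<img src="cid:logo@local">'
          '<a href="http://spam.example/click?r=ab12cd">Unsubscribe</a>'
          '</body></html>')
```

Run `find_remote_content(SAMPLE)` to see the two beacons (the `cid:` image and the clickable link are correctly left out), and `neutralize(SAMPLE)` for the version a cautious web mail front end could hand to the browser.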
