Advanced Threats Researcher Paul Ferguson recently reported of spammers using a feature called ‘delivery receipt request’ to verify if a certain email address exists. Delivery receipts are messages sent to the original sender of an email message to verify that the sent message has been delivered to the intended recipient.
While message delivery receipt acknowledgment is indeed available in popular desktop mail clients (such as Microsoft Outlook), and can be selectively ignored, most Web email platforms automatically send a delivery receipt when requested to do so if the targeted account exists.
A Microsoft page stating instructions on how to enable and use this feature in various releases of Outlook can be seen here.
In enabling this function, spammers can now send spam to a large number of addresses and subsequently filter out the legitimate ones easily — that is, if the recipient chooses to selectively acknowledge each delivery request, or simply chooses to acknowledge all messages which have this request embedded. This unwillingly places a recipient on the spammer’s list of future victims just by acknowledging receipt of the initially sent spam.
The delivery receipt function is ideally a useful feature especially for people who want to be absolutely sure that their message has been received. Unfortunately, this function, like so many other supposedly reputable functions, has been used for malicious intent instead.
Speaking of other reputable functions, just a few days back, Ferguson also found spam that comes in the form of another email delivery notification, this time as delivery failure notices.
Delivery failure notices are quite the opposite of delivery receipts – these are messages sent to a sender of an email message to notify them that their message was not sent to the intended recipient due to some particular reason.
Below is a screenshot of an email sample:
The message comes with an encrypted file, which supposedly is the undelivered message. When extracted, the said undelivered message looks similar to the following:
Since password protection for email attachments prevents Antivirus programs to scan attachments for possible malicious content, a detection for the .ZIP file itself was created. The password protected .ZIP attachment is detected as TROJ_DLOADZIP.A, while the extracted file itself is detected as TROJ_DLOADR.IB.
Trend Micro users are protected from this through the Smart Protection Network. But still, as the forms of email not being used as a cover for spam is decreasing in number, users are strongly advised to be careful in handling unexpected email messages, no matter how legitimate they look.