Recently I discussed how TorrentLocker spam was using email authentication for its spam runs. At the time, I suggested that these spam runs were using email authentication to gather information about victim networks and potentially improve their ability to evade spam filters. DomainKeys Identified Mail’s (DKIM) own specification mentions the possibility of messages from “trusted sources” that carry a valid signature being whitelisted.
Since then, we’ve received several replies that disagree with our findings. One of these came from Martijn Grooten at Virus Bulletin, who argued that the use of these techniques was “unlikely to bring any advantage”, and speculated that Domain-based Message Authentication, Reporting and Conformance (DMARC) may have been used simply because it was pre-configured on rented infrastructure.
While it is possible that this could be the case, we would like to explore the possibility that the usage of email authentication was deliberate.
Grooten notes that it would be unusual for spammers to use Sender Policy Framework (SPF) and DKIM, as it would only allow spam filters “to be more confident that they are blocking the correct emails.” However, he cited one exception: low-volume spam runs that are trying to look legitimate. TorrentLocker spam runs meet this description: they are sent in smaller numbers than other threats, and the attackers have a strong interest in looking legitimate. In other words, TorrentLocker spam meets the criteria for spam that would use SPF and DKIM. Anecdotal evidence suggests that the delivery rates of TorrentLocker spam are high – it appears to be successfully evading spam filters.
From the point of view of a spammer, using SPF and DKIM makes perfect sense if it increases the chances of email delivery. An automated filter based on statistics or Bayesian rules may “learn” that mail with SPF and DKIM is less likely to be spam, and thus increase the chance of delivery. [Footnote: we consider a Bayesian or statistical filter that increases the chance of email delivery based on a passing SPF or DKIM check to be a misapplication of email authentication technologies.]
The next issue raised is that DMARC is of little benefit, as spam campaigns will have relatively little time to fix mistakes (as the campaign will soon be over).
However, TorrentLocker campaigns are ongoing and long-lasting. While specific spam runs may be more limited in duration, overall there is plenty of time for an attacker to learn from any DMARC feedback. A recent joint report by Deakin University and Trend Micro looked into the ongoing nature of TorrentLocker spam runs for November and December 2014. We found that these spam runs were repetitive in nature, providing plenty of opportunities for the attackers to learn how to improve their attacks.
In addition, the best-case scenario (from an attacker’s perspective) is that SPF/DKIM feedback can be used to determine the number of recipients of a spam message at certain ISPs. For attacks explicitly designed with heavy social engineering in mind, this information is invaluable. It provides direct feedback on the effectiveness of spam campaigns, which an attacker can then use to improve them as necessary. DMARC failure reports can also be useful – for example, for uncovering undisclosed list recipients. DMARC can thus be used to uncover both relationships and security weaknesses. (One example of feedback being sent to attackers: if an email is forwarded by a recipient to a third party, the email address of that third party is sent back to the attacker.)
Another objection raised is that perhaps the attackers merely used infrastructure that was already set up for SPF/DKIM. However, we noticed that the DMARC policy for multiple IP addresses across different ISPs was changed at approximately the same time. This strikes us as highly unusual, and does not match the expected behavior for rented infrastructure.
Finally, the following portion of the DMARC specification is pointed out:
Mail Receivers are only obligated to report reject or quarantine policy actions in aggregate feedback reports that are due to DMARC policy. ... If local policy information is exposed, abusers can gain insight into the effectiveness and delivery rates of spam campaigns.
We suspect that some local policy information is being exposed, and this is why DMARC has been enabled for these outbreaks. It’s worth noting that DMARC does have a mechanism for detailed, per-message feedback (the failure reports mentioned above); this was intended for debugging purposes. ISPs and other organizations that implement email authentication should check that the information they disclose in reports is limited to what is needed to implement email authentication.
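The check suggested above can be made concrete on the receiver side. The following is an added example (not code from the original post, from Trend Micro or from any vendor it mentions) that audits a DMARC aggregate report in the RFC 7489 XML format before it is sent back to the domain owner: it lists the rows whose policy_evaluated block carries an override reason (that is, a decision driven by local policy rather than by the published DMARC policy), shows the per-source-IP “accepted” volume a sender could read as a delivery rate, and strips the override reasons so that only the DMARC outcome remains. The sample report, the receiver.example / sender.example domains and the 192.0.2.x addresses are constructed for the example.

```python
"""Audit a DMARC aggregate report (RFC 7489 XML) for information that goes
beyond the published DMARC policy result. Added example; the sample report
below is constructed and all names and addresses in it are placeholders."""
import xml.etree.ElementTree as ET

# Policy-override reason types defined in RFC 7489 Appendix C. Each of them
# describes the receiver's own handling decision, i.e. local policy detail.
OVERRIDE_REASONS = {"forwarded", "sampled_out", "trusted_forwarder",
                    "mailing_list", "local_policy", "other"}

# Constructed sample report: one pure DMARC reject, one local allowlist
# override, one content-filter quarantine with a free-text comment.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
 <report_metadata><org_name>receiver.example</org_name>
  <report_id>constructed-0001</report_id></report_metadata>
 <policy_published><domain>sender.example</domain><p>reject</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><disposition>reject</disposition>
   <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>sender.example</header_from></identifiers></record>
 <record><row><source_ip>192.0.2.11</source_ip><count>35</count>
  <policy_evaluated><disposition>none</disposition>
   <dkim>pass</dkim><spf>pass</spf>
   <reason><type>local_policy</type>
    <comment>sender on customer allowlist</comment></reason>
  </policy_evaluated></row>
  <identifiers><header_from>sender.example</header_from></identifiers></record>
 <record><row><source_ip>192.0.2.12</source_ip><count>8</count>
  <policy_evaluated><disposition>quarantine</disposition>
   <dkim>pass</dkim><spf>fail</spf>
   <reason><type>other</type>
    <comment>content filter score 7.2, delivered to junk</comment></reason>
  </policy_evaluated></row>
  <identifiers><header_from>sender.example</header_from></identifiers></record>
</feedback>
"""


def audit_report(xml_text):
    """Return one finding per row whose policy_evaluated carries an
    override reason, i.e. a row that tells the sender about local policy."""
    root = ET.fromstring(xml_text)
    findings = []
    for record in root.iter("record"):
        row = record.find("row")
        pe = row.find("policy_evaluated")
        for reason in pe.findall("reason"):
            rtype = (reason.findtext("type") or "").strip()
            if rtype in OVERRIDE_REASONS:
                findings.append({
                    "source_ip": row.findtext("source_ip"),
                    "count": int(row.findtext("count")),
                    "disposition": pe.findtext("disposition"),
                    "reason": rtype,
                    "comment": (reason.findtext("comment") or "").strip(),
                })
    return findings


def accepted_volume(xml_text):
    """Per source IP, the message counts with a disposition other than
    reject. This is the delivery-rate signal the post describes: it is
    present in every aggregate report, override reasons or not."""
    root = ET.fromstring(xml_text)
    volume = {}
    for row in root.iter("row"):
        if row.find("policy_evaluated").findtext("disposition") != "reject":
            ip = row.findtext("source_ip")
            volume[ip] = volume.get(ip, 0) + int(row.findtext("count"))
    return volume


def strip_override_reasons(xml_text):
    """Return (new_xml, removed_count) with every <reason> element removed,
    so each row reports only the DMARC outcome (disposition, dkim, spf).
    This is a deliberately conservative choice for the example; it also
    removes diagnostics that legitimate senders may find useful."""
    root = ET.fromstring(xml_text)
    removed = 0
    # Materialise the list first: removing children while iterating the
    # tree would otherwise disturb the walk.
    for pe in list(root.iter("policy_evaluated")):
        for reason in pe.findall("reason"):
            pe.remove(reason)
            removed += 1
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    for f in audit_report(SAMPLE_REPORT):
        print(f"{f['source_ip']}: {f['disposition']} via {f['reason']} "
              f"({f['comment']})")
    print("accepted volume per source IP:", accepted_volume(SAMPLE_REPORT))
    stripped, n = strip_override_reasons(SAMPLE_REPORT)
    print(f"removed {n} reason element(s); findings after stripping:",
          len(audit_report(stripped)))
```

Note what the stripping does and does not achieve: the free-text comments and the override types disappear, but the accepted-volume figures survive, because an aggregate report by design tells the domain owner how many messages from each source IP were not rejected. That residual signal is exactly the feedback the post argues a spammer is after, so a receiver has to weigh it against the value of aggregate reporting to legitimate domain owners rather than expect a redaction step to remove it.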
In conclusion, we believe that there are potential advantages that an attacker stands to gain from using email authentication. In addition, the pattern of behavior suggests that these actions were deliberate on the part of spammers.