Firms urged to tighten web and e-mail security in response to 'spoofing' attacks

Spam is rarely out of the headlines these days, with most estimates suggesting that unsolicited messages now account for at least...

Spam is rarely out of the headlines these days, with most estimates suggesting that unsolicited messages now account for at least 50% of all e-mail traffic and cost global businesses as much as £10bn a year.

The European Union and the US Senate have been working on legislation to combat the problem and MPs in the UK are also concerned about the issue, with the latest "spam summit" due to take place later this week.

While much of the focus has been on spam from anonymous e-mail addresses that offer internet users anything from pornographic images to free academic qualifications, the spammers' latest tactic is to "spoof" addresses of well-known companies to fool consumers into opening spam e-mails.

On 26 August, online retail giant filed 11 lawsuits against online marketers in the US and Canada, alleging they had used the Amazon name when sending e-mail advertisements.

The suits sought millions of dollars in damages and were part of a broader action by Amazon to crack down on e-mail forgeries, the company said.

Amazon and the New York attorney general's office have already settled with one of the alleged e-mail forgers. has agreed to pay unspecified damages and a $10,000 (£6,300) fine, Amazon said. must also refrain from sending e-mail messages using third-party names unless it has authorisation to do so.

Several other large companies, including eBay, UPS and Citibank, have also had their e-mail addresses publicly spoofed and some of them have started legal proceedings.

It is a worrying trend, said Arabella Hallawell, an analyst at Gartner. "Instead of getting easier, the spam problem has grown more complex. Spoofing harms brands, aids consumer fraud and provides a conduit for viruses."

The companies affected by the spoof e-mails and ISPs such as Microsoft, Yahoo and AOL have been attempting to fight back against spam with legal action and investigations to combat the customer fraud and brand damage the spoof messages cause.

However, Hallawell warned that these investigations face numerous challenges, especially because spamming activity often happens in overseas jurisdictions where law enforcement is difficult to co-ordinate.

"Many ISPs in developing countries have not yet summoned the will to combat spam," she said. "And international co-ordination is difficult, even with crimes such as money laundering, where nearly all countries recognise the need for urgent law enforcement."

Perhaps more worrying is that the threats of spam, fraud and virus attacks are now converging, Hallawell said.

"The Sobig.F internet worm that emerged on 18 August used spammer techniques to propagate, including e-mail spoofing, and spammers have used previous Sobig variants to evade anti-spam filters," she said.

"This blending of worms and spam - usually seen as a nuisance or legal risk - also poses security risks. E-mail from spoofed addresses may not just be unwanted but may also have attachments containing malicious code."

Companies and governments have been grappling with spam for some time now and the emergence of spoofing and spam-related viruses have just made the problem more complex, Hallawell said.

"Unfortunately, this issue does not permit an easy solution. Lawsuits and law enforcement efforts will help, but they will not relieve the problem quickly," she said.

So if legal action cannot eradicate spam in all its different guises, what can businesses do to protect themselves?

Gartner recommended that companies with a strong customer presence or brand, especially those in the finance and retail sectors, should evaluate their protection measures, such as encryption for signing e-mails and web pages for customer communications containing personal data.

Companies should also lock down Simple Mail Transfer Protocol gateways and proxy servers, to ensure the messaging servers cannot be hijacked and are not vulnerable to mass e-mail attacks. In addition, Gartner said, personal firewalls should be given to remote broadband users.

ISPs, for their part, should step up co-ordination and blocking to prevent domain name e-mail spoofing, Gartner said.

Viruses such as Sobig and spoof e-mails such as those suffered by Amazon tend to succeed because e-mail has inherently weak authentication. Users also tend to have a permissive attitude towards incoming e-mails, Hallawell said.

However, there are glimmers of light. "Efforts by ISPs and carriers for more extensive blocking of addresses will help slow the flood of spam and stem e-mail as an easy vector for infection," she said. "Eventual standards for better authentication of e-mail will also help."

The rise of the spoof website     

In August, filed 11 lawsuits seeking millions of dollars in damages against online marketers in the US and Canada, alleging they were using the Amazon name when sending e-mail advertisements.  

The companies named in the suits were pushing products including home appliances, penis enlargement pills and car warranties, according to Amazon. 

 Amazon is working with internet service providers and other companies to find technical ways to make it more difficult to spoof e-mail addresses. 

In addition, Amazon has set up a special e-mail address, [email protected], where users can report spoofing using the Amazon name. 

Citibank recently warned customers to immediately delete a scam e-mail which asked them to provide their user names and the first four digits of their bank cards.

The e-mail, which appeared to come from Citibank with the subject line "Your Checking Account at Citibank", warned bank customers that their accounts could be blocked if they did not provide their user information. 

The bank published a list of precautionary steps on its website to help customers avoid the problem of unsolicited junk e-mail and urged customers who received suspicious e-mails to alert company officials. 

In July, the US government and ISP EarthLink warned of a surge in unsolicited e-mail and scam websites designed to steal the identity of internet users. 

The ISP said it had seen a spike since the beginning of the year in e-mail linked to scams using spam to lure victims to websites designed to look like legitimate retail or corporate sites. 

In the same month, the US Federal Trade Commission settled a civil action against a 17-year-old accused of tricking internet users into giving him their credit card numbers and other personal information on a fake website designed to look like AOL's billing centre. 

The settlement, pending approval by a federal court in central California, will bar the defendant from sending spam and force him to give up about $3,500 (£2,200) in profits from his venture, which ran from July to December 2002 before the FBI confiscated his computer.

Read more on E-commerce technology