In June, I wrote about a technique used by spammers to harvest names and email addresses of “live” targets for their spam.
In a nutshell: you post an ad to Craigslist; the spammer sends you an automated email which makes you think that maybe the sender is interested in your ad; you send a response, “Are you interested?” thus revealing your name (if it’s configured in your email client) and real email address to the spammer; and within hours, you are deluged by spam at that address, which uses your name from your email header, thus making it more likely that you will read it and that it will make it through your spam filter.
As I noted in my earlier blog posting, the fix to this is simple: Craigslist should tweak the email headers so that the entire exchange between poster and respondent is sent through Craigslist’s proxy server, so that the poster’s name and email address are never revealed in the header of a message sent by him/her to the spammer. Given how prevalent this problem is on Craigslist, it’s a mystery why they don’t do this.
Alas, the problem has gotten worse, not better. At the bottom of every email message sent through Craigslist’s proxy server is a link that people can use to report the message as spam. People who are moderate to heavy users of Craigslist can recognize these phishing messages immediately and report them as spam, thus helping Craigslist to figure out who should be blocked from sending messages through them. Alas, the spammers have figured out how to break the flagging link at the bottom of their email messages.
What Craigslist does when a message is sent through its proxy is (a) start with the HTML body of the message; (b) prepend a header to the top of it; (c) append a footer to the bottom of it; and (d) send it on its way. Alas, the proxy does not do any sanity checking of the HTML body; if the body has broken HTML in it, then it can cause the HTML in the footer to be broken as well. This is exactly what the spammers have just started to exploit (or, at least, this is the first time I’ve seen it).
I just received a phishing message whose HTML body consisted of this string:
See <a href="http://www.?
Clever, huh? Because of the unterminated string in the href parameter, most of the footer appended to the message by Craigslist, until the first quotation mark in it, is interpreted as part of the link. As a result, the user can’t click on the link to report the message as spam.
Craigslist needs to be doing sanity-checking on the HTML bodies of the emails they are wrapping with a header and footer.
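To illustrate the kind of check meant here, this added example (not Craigslist's code) wraps a body the way steps (a) through (d) describe, parses the result, and confirms that the footer's flag link still comes out as its own link; if it does not, the body is re-sent as escaped text. The header, footer, flag URL and function names are constructed assumptions, and only the body string comes from the message quoted above.

```python
from html import escape
from html.parser import HTMLParser

# Constructed stand-ins for the proxy's header and footer (assumptions).
FLAG_URL = "https://proxy.example/flag/1"
HEADER = "<p>Reply relayed by the proxy</p>"
FOOTER = f'<hr><p>Unwanted message? <a href="{FLAG_URL}">Flag it as spam</a></p>'
BROKEN_BODY = 'See <a href="http://www.?'  # the body quoted in the post


class LinkCollector(HTMLParser):
    """Record the href of every <a> start tag the parser actually sees."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.append(dict(attrs).get("href"))


def links_in(html):
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    return collector.hrefs


def wrap(body):
    """Steps (b)-(d): prepend the header, append the footer, no checking."""
    return HEADER + body + FOOTER


def flag_link_survives(message):
    """True only if the last link parsed is the footer's own flag link."""
    return links_in(message)[-1:] == [FLAG_URL]


def wrap_checked(body):
    """Wrap the body; if it breaks the footer, resend it as escaped text."""
    message = wrap(body)
    return message if flag_link_survives(message) else wrap(escape(body))
```

With the unterminated `href`, the parser reports a single link whose target runs from `http://www.?` through the footer markup up to the footer's first quotation mark, so the flag URL never appears as a link of its own.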
I’ve reported this issue to them. Whether they will do anything about it remains to be seen. It seems doubtful, since they haven’t bothered to do anything about the other obvious solution (described above) for shutting down these spammers.