The messages have the same appearance as a legitimate YouTube invite, except they include typical spam content and links to spam Web sites. “Spammers are doing this to defeat spam filters and to lower the recipient’s guard by making it look as though the messages are coming from a perfectly innocuous email address,” Anstis said, adding: “YouTube’s own Help Centre suggests that you exclude the email@example.com email address from spam filtering. The spammers are keenly aware of this.”
At present these messages account for less than one percent of the 15 million spam messages picked up daily by Marshal's network of 'honeypot' email addresses, but according to Anstis, they represent a significant development because of their ability to defeat simple security systems where white-listed messages are passed without further analysis.
“People need to start realizing that just having an email address on a white list is no longer sufficient.”
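The whitelist bypass Anstis describes, as an added illustration that is not part of the original article: a naive filter that lets a whitelisted sender short-circuit all other checks, beside a corrected one that only lowers the score for such senders and still inspects the message body. The whitelisted address is the placeholder shown on the page, the set of expected link hosts is an assumption, and both sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Address the page says YouTube's Help Centre tells users to exempt from
# filtering; the page shows it only as a placeholder, kept as such here.
WHITELISTED_SENDERS = {"email@example.com"}
# Hosts a genuine invite is expected to link to (an assumption for this example).
EXPECTED_LINK_HOSTS = {"youtube.com", "www.youtube.com"}
URL_RE = re.compile(r"https?://([^/\s\"'<>]+)", re.IGNORECASE)

def foreign_link_count(msg) -> int:
    """Content check: distinct link hosts outside the expected set."""
    body = msg.get_payload() if not msg.is_multipart() else ""
    hosts = {h.lower() for h in URL_RE.findall(body)}
    return len(hosts - EXPECTED_LINK_HOSTS)

def is_whitelisted(msg) -> bool:
    """True if the parsed From address is on the whitelist."""
    return parseaddr(msg.get("From", ""))[1].lower() in WHITELISTED_SENDERS

def naive_verdict(raw: str) -> str:
    """Weak policy the article warns about: a whitelisted sender short-circuits
    every other check, so anything sent through the trusted service passes."""
    msg = message_from_string(raw)
    if is_whitelisted(msg):
        return "accept"
    return "reject" if foreign_link_count(msg) > 0 else "accept"

def hardened_verdict(raw: str) -> str:
    """Corrected policy: the whitelist only lowers the score, the content check
    always runs, so the abused invite is caught and a genuine one still passes."""
    msg = message_from_string(raw)
    score = 2 * foreign_link_count(msg)
    if is_whitelisted(msg):
        score -= 1
    return "reject" if score > 0 else "accept"

# Constructed sample messages (not real ones), both from the whitelisted sender:
# a genuine-looking invite and an invite abused to carry an off-site link.
GENUINE_INVITE = (
    "From: YouTube <email@example.com>\n"
    "Subject: Your friend invited you to YouTube\n\n"
    "Alice invited you to join. Accept at http://www.youtube.com/invite\n"
)
ABUSED_INVITE = (
    "From: YouTube <email@example.com>\n"
    "Subject: Your friend invited you to YouTube\n\n"
    "Alice invited you. See http://spam-site.invalid/offer before you join!\n"
)
```

The naive policy accepts both messages; the hardened one keeps the genuine invite (addressing the false-positive concern raised later in the article) while rejecting the abused one.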
He said that Marshal had contacted YouTube about the issue, but had received no response so far. “We don’t have any formal relationship with them and this is where there is a need for some sort of community so we can let other people know about these sorts of problems.”
He predicted that YouTube would have to start implementing some sort of filtering system on outgoing mail. “They are going to have to start doing some content control on the emails being sent from within their servers but they will need to be very careful that they don't create too many false positives...because if they start making it too difficult it will turn off their user base and that’s where their value lies.”
Anstis said that this latest spamming innovation followed one in August where spammers were able to get around the mechanisms implemented by Hotmail and Gmail to prevent automatic registrations and generate large numbers of false email addresses.
As part of their registration process these services (and many others) require a new user to key in a string of letters and numbers masked so as to be unreadable by OCR systems. However, the spammers offered free access to porn sites after registration and presented registrants with a genuine character string from a Hotmail or Gmail sign-on screen, effectively getting members of the public to register spurious email addresses for them.