Hidden code in e-mail messages is increasingly being used to track the success of unsolicited commercial ("spam") e-mail campaigns, according to a warning by an antispam technology company on Tuesday.
MX Logic Inc. of Denver said that up to 50 percent of all spam released in the last year is bugged with so-called "spam beacons" that send a coded message back to the spammer whenever a spam message is opened, helping spammers refine their distribution lists and weed out good e-mail addresses from bad ones.
The beacons, also known as "Web bugs," are created with HTML (Hypertext Markup Language) code embedded in the e-mail. For example, the beacon may be a URL (uniform resource locator) for an image file that is stored on a server controlled by the spammer. When the e-mail message is opened, the e-mail application requests the image and also sends along an encoded e-mail address of the recipient. The spammer's server responds by sending the image file to be displayed, but it also captures the e-mail address that was sent in a database of "good" addresses, said Richard Smith, an independent computer security consultant.
HTML is the coding language used to create pages on the World Wide Web. Most e-mail programs also accept and read e-mail messages written with HTML.
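To make the mechanism concrete from the receiving side, the following added example (not from MX Logic or the original article) scans an HTML message body for remote images that are invisibly small or that carry the recipient's address in the URL in plain, hex or base64 form. The sample message, host names and parameter names are constructed for illustration.

```python
import base64
from contextlib import suppress
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Constructed sample data: address, hosts and parameter names are made up.
RECIPIENT = "alice@example.org"
SAMPLE_HTML = f"""<html><body><p>Limited offer!</p>
<img src="cid:logo@mailer" width="200" height="60">
<img src="http://img.example.net/o.gif?u={RECIPIENT.encode().hex()}" width="1" height="1">
<img src="http://img.example.net/banner.jpg?c=42" width="468" height="60">
</body></html>"""

def decodes_to(token, recipient):
    """True if token is the recipient address in plain, hex or base64 form."""
    candidates = [token]
    with suppress(ValueError):  # not valid hex
        candidates.append(bytes.fromhex(token).decode("utf-8", "ignore"))
    with suppress(ValueError):  # binascii.Error is a ValueError subclass
        padded = token + "=" * (-len(token) % 4)
        candidates.append(base64.urlsafe_b64decode(padded).decode("utf-8", "ignore"))
    return any(c.lower() == recipient.lower() for c in candidates)

class BeaconFinder(HTMLParser):
    def __init__(self, recipient):
        super().__init__()
        self.recipient, self.findings = recipient, []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        url = urlsplit(a.get("src") or "")
        if url.scheme not in ("http", "https"):
            return  # cid: and data: images trigger no network request
        reasons = []
        if a.get("width") in ("0", "1") and a.get("height") in ("0", "1"):
            reasons.append("invisible-size")
        tokens = [v for _, v in parse_qsl(url.query)] + url.path.split("/")
        if any(decodes_to(t, self.recipient) for t in tokens if t):
            reasons.append("recipient-in-url")
        if reasons:
            self.findings.append((url.geturl(), reasons))

def find_beacons(html, recipient):
    """Return (url, reasons) for each remote image that looks like a beacon."""
    finder = BeaconFinder(recipient)
    finder.feed(html)
    return finder.findings
```

A per-recipient token that is a database key rather than an encoding of the address will not match the second check, which is why mail clients that block all remote images by default do not depend on recognizing the token.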
MX Logic analyzed millions of spam messages that it processes for its 1,500 customers each day to study the spam beacon problem, said Scott Chasin, chief technology officer of MX Logic.
MX Logic's products use heuristic analysis to spot and block messages containing spam beacons, he said.
The company said renewed awareness of the spam beacon problem is needed because most e-mail users don't realize that they are being tracked by spammers. Also, many e-mail providers are not interested in stopping a "feedback loop" that lets spammers improve their art.
MX Logic found that spammers are becoming more sophisticated in hiding the spam beacons from antispam filters, and that spammers are using the data reported by the beacons to groom their messages and evade detection, Chasin said.
The databases that collect the beacon data are often hosted on compromised "zombie" machines, making it difficult to track the spammer responsible for a particular campaign, he said.
Other experts downplayed the danger posed by the spam beacons.
Microsoft Corp.'s latest e-mail client, Outlook 2003, automatically blocks the beacons, as do the company's Hotmail Web-based e-mail service and America Online Inc.'s e-mail program, Smith said.
In time, improvements in e-mail client technology and actions by e-mail providers will choke off the spam beacon problem, he said. "I think you'll see the 'open' rates drop off altogether, or very dramatically, and spammers will start to wonder 'what are we measuring here,'" Smith said.
Others doubt that spammers are really interested in tracking the success of their e-mail campaigns.
"I've never seen much evidence that spammers care about deliverability," said John Levine of the Internet Research Task Force's Anti-Spam Research Group. "I believe that (spammers) have the Web bugs. I don't really know what they'd do with the collected data."