SpecificMAIL Outlook Spam Filter Technical Brief July 22, 2004; August 10, 2004 SpecificMAIL (www.specificmail.com) is a free Outlook / Outlook Express spam filter that utilizes a proprietary online spam database to help keep your inbox clean of spam. SpecificMAIL is much more than a spam filter; initial tests show that SpecificMAIL should be classified as spyware/adware. SpecificMAIL’s EULA and privacy policy are accurate. SpecificMAIL collects web surfing habits, sites visited, time of visit, duration of visit, full URL, etc. When first installed, SpecificMAIL also collects a large amount of personal information such as name, email address, age, income, etc. One of the major issues with SpecificMAIL is that it also collects the headers and body text of received email. In the following email, a message was sent to the user of SpecificMAIL (customer@) from the mock address onlinebank@. The message is a typical example of an auto-response from an online bill payment system. Upon training SpecificMAIL to whitelist the sender, all email from that sender is rightfully placed in the usual Inbox folder. On the surface this appears to be a useful application. What happens behind the scenes is a different story. ------------------------------------------------ From: onlinebank@ Subject: Bank Details: #27779000 Date: Thu, July 22, 2004 10:33 pm To: customer@ Your account has been credited $679.08 from NEC. ------------------------------------------------ At the time the email from onlinebank@ is received, the SpecificMAIL spam blocker grabs the message body and uploads it to the rawcheck.php script at www.specificmail.com This activity happens before and after onlinebank@ is white listed via SpecificMAIL’s challenge/response system. The following raw packet dump illustrates: No. Time Source Destination Protocol 544 22:33:31.992557 172.16.0.73 64.79.161.91(www.specificmail.com) HTTP GET /admin/rawcheck.php?mailmessage=Your%20account%20has%20been%20credit ed %20$679.08%20from%20NEC.%20 HTTP/1.0 Frame 544 (351 bytes on wire, 351 bytes captured) Internet Protocol, Src Addr: 172.16.0.73, Dst Addr: 64.79.161.91 Transmission Control Protocol, Src Port: 1435, Dst Port: 80, Seq: 1110979812, Ack: 2770647021, Len: 297 Hypertext Transfer Protocol 01 51 29 4d 40 00 80 06 42 56 ac 10 00 49 40 4f .Q)M@...BV...I@O a1 5b 05 9b 00 50 42 38 34 e4 a5 24 b7 ed 50 18 .[...PB84..$..P. fd 5c ff 13 00 00 47 45 54 20 2f 61 64 6d 69 6e .\....GET /admin 2f 72 61 77 63 68 65 63 6b 2e 70 68 70 3f 6d 61 /rawcheck.php?ma 69 6c 6d 65 73 73 61 67 65 3d 59 6f 75 72 25 32 ilmessage=Your%2 30 61 63 63 6f 75 6e 74 25 32 30 68 61 73 25 32 0account%20has%2 30 62 65 65 6e 25 32 30 63 72 65 64 69 74 65 64 0been%20credited 25 32 30 24 36 37 39 2e 30 38 25 32 30 66 72 6f %20$679.08%20fro 6d 25 32 30 4e 45 43 2e 25 32 30 20 48 54 54 50 m%20NEC.%20 HTTP 2f 31 2e 30 0d 0a 41 63 63 65 70 74 3a 20 69 6d /1.0..Accept: im 61 67 65 2f 67 69 66 2c 20 69 6d 61 67 65 2f 78 age/gif, image/x 2d 78 62 69 74 6d 61 70 2c 20 69 6d 61 67 65 2f -xbitmap, image/ 6a 70 65 67 2c 20 69 6d 61 67 65 2f 70 6a 70 65 jpeg, image/pjpe 67 2c 20 2a 2f 2a 0d 0a 55 73 65 72 2d 41 67 65 g, */*..User-Age 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 33 2e 30 20 nt: Mozilla/3.0 28 63 6f 6d 70 61 74 69 62 6c 65 29 0d 0a 48 6f (compatible)..Ho 73 74 3a 20 77 77 77 2e 73 70 65 63 69 66 69 63 st: www.specific 6d 61 69 6c 2e 63 6f 6d 0d 0a 41 75 74 68 6f 72 mail.com..Author 69 7a 61 74 69 6f 6e 3a 20 42 61 73 69 63 20 63 ization: Basic c 33 42 6c 59 32 6c 6d 61 57 4e 74 59 57 6c 73 4f 3BlY2lmaWNtYWlsO 6a 45 79 4d 7a 51 32 4e 51 3d 3d 0d 0a 0d 0a jEyMzQ2NQ==.... Initial testing indicates about 160 characters of message text can be uploaded to the PHP script. Other SpecificMAIL functionality: - Tracks web site usage including the full URL of each site the user visits. - Sends hourly updates indicating the user's online status. - Directs popup and popunder advertisements onto the user's desktop. - Has the ability to install additional software on the user's computer automatically. The SpecificMAIL EULA and privacy policy should be enough to stop someone from installing the software, but who really reads those documents before clicking “yes” anyhow? Here are a few excerpts from their EULA and privacy policy: "SOME INFORMATION COLLECTED BY THE SPECIFICMEDIA SOFTWARE IS PERSONALLY IDENTIFIABLE, SUCH AS YOUR EMAIL ADDRESS, BUT ALL INFORMATION WE COLLECT, EVEN NON-PERSONALLY IDENTIFIABLE INFORMATION, CAN BE LINKED TO YOUR PERSONALLY IDENTIFIABLE INFORMATION." "SpecificMAIL may communicate with the central SpecificMAIL database. This allows SpecificMAIL to improve its spam detection performance, and confirm the identity of those who send email to you. As part of this process, we may become aware of header information and the contents of emails you receive or scan." In summary, SpecificMAIL is passively collecting most of, if not all of, the user's web browsing habits and email communications. It should be noted this is only the tip of the SpecificMAIL iceberg. SpecificMAIL appears to be affiliated with SpecificPop, SpecificClick, and Advertisingbanners.com. N. DeBaggis