Microsoft Security Notices: A Double Standard on Spam?
August 9, 2003
By: Larry Seltzer

One of the mailing lists I read carefully is SecurityFocus's excellent Focus-MS list. In the aftermath of Microsoft's disclosure in July of the infamous RPC/DCOM vulnerability and its patch release (known in MS security jargon as MS03-026), an interesting discussion arose on Focus-MS about Microsoft's efforts to publicize the disclosure and patch.

A reader said he had received a broadcast e-mail, apparently from Microsoft, reminding him of the MS03-026 problem and patch. But the message came from windowssecurity@private. This raised his suspicion, since the details of the message header looked as if the message hadn't originated with Microsoft.

When he and others on the list started investigating the matter further it got even fishier: Surf to email.microsoft.com and you arrive at a page on the site of Digital Impact Inc. According to the page, "Digital Impact is the premier provider of online direct marketing solutions for enterprises. We send permission-based online direct marketing campaigns on behalf of our clients. You may have landed on this page as the result of a server error or an invalid URL."

I received the message too, but had immediately deleted it without much scrutiny because I had already applied the patch.

Confusion reigned on the thread for a while, but it didn't take long for someone to find Microsoft's explanation of its relationship with Digital Impact. It seems that Microsoft uses Digital Impact to send out some of their broadcast mail messages. Microsoft's explanation also calls Digital Impact "the premier provider of online direct marketing solutions for enterprises." Now, Digital Impact has a bit of a reputation, though, among e-mail and newsgroup administrators. If you read the news.admin.net-abuse.* newsgroups and search for Digital Impact, you'll find a lot of references (and many thanks to Thor Larholm for the reference and other contributions to the thread).

At the same time, other things were wrong with the message. Firstly, it wasn't digitally signed, in violation of Microsoft's own policies; in fact, Microsoft warns users to look for this as a sign of hoax messages. In addition, the links in the message to the patch site give the appearance of going straight to Microsoft's site, but in fact redirect through a link at email.microsoft.com. It uses some funny code, indicating that Digital Impact is tracking users' response to the message. This is also a major no-no! Here's an example of the code:

<A HREF="http://email.microsoft.com/m/s.asp?HB9706797779X2612303X228387X">http://www.microsoft.com/security/security_bulletins/ms03-026.asp</A>

A Microsoft rep on the microsoft.public.security newsgroup said the message was not a hoax. I might be naive here, but I'm inclined to give Microsoft the benefit of the doubt. After all, it is a big company, and whoever is in charge of dealing with spam doesn't know about this relationship. But on the other hand, it's hard to look at Microsoft's description of their relationship with Digital Impact and believe they didn't know who they were dealing with. "THE premier provider of online direct marketing solutions for enterprises"? Sounds like Internet marketer code words for "spammer" to me.

Security Supersite Editor Larry Seltzer has worked in and written about the computer industry since 1983.

Jim Wood
jwood@private
MW Technology Group Inc
DBA: Zebra Computer Repair & Networking
360-736-7000

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.509 / Virus Database: 306 - Release Date: 8/12/2003
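The two red flags the article calls out (no digital signature, and links whose visible text names microsoft.com while the HREF goes through a tracking redirect at email.microsoft.com) can be checked mechanically on an incoming notice. The following is an added example, not code from the article or from Microsoft; the sample message is constructed here, with the sender address and the assumption that a signed notice arrives as S/MIME multipart/signed both being assumptions of the example.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not the real mailing); the first anchor mirrors
# the tracking redirect quoted in the article.
SAMPLE_RAW = """\
From: Windows Security <windowssecurity@example.com>
Content-Type: text/html; charset="us-ascii"

<html><body><p>Please apply the patch:</p>
<A HREF="http://email.microsoft.com/m/s.asp?HB9706797779X2612303X228387X">http://www.microsoft.com/security/security_bulletins/ms03-026.asp</A>
<a href="http://www.microsoft.com/technet/security/">TechNet Security</a>
</body></html>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":  # HTMLParser lower-cases tag and attribute names
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def mismatched_links(html):
    """Return hrefs whose host differs from the host shown as the link text."""
    parser = LinkCollector()
    parser.feed(html)
    return [href for href, text in parser.links if text.startswith("http")
            and urlparse(text).hostname != urlparse(href).hostname]

def triage(raw):
    """Red flags for a security notice: unsigned, or display/HREF host mismatch."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    flags = []
    if msg.get_content_type() != "multipart/signed":  # assumed S/MIME envelope
        flags.append("not digitally signed")
    flags += ["link text host != href host: " + h for h in mismatched_links(html)]
    return flags
```

Running `triage(SAMPLE_RAW)` reports both flags for the constructed message; the plain TechNet link passes because its visible text is not a URL that contradicts the HREF.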
This archive was generated by hypermail 2b30 : Tue Aug 12 2003 - 18:55:05 PDT