This year we have seen an increasing trend in spam from hacked domains.
This is where the spammer hacks into a third party web site and places a file or script there that will redirect traffic to their web site. The web site continues to operate as usual, except that one or more URLs have been compromised. These are then used by the spammer to hide the call to action in the spam they send out. Instead of a link to GetYourViagraHere.com the link in the spam email is to PerfectlyInnocentWebSite/directory/random.html which redirects to GetYourViagraHere.com.
This is obviously bad news for the owner of PerfectlyInnocentWebSite.com. Not only are they likely to get an unexpected burst of traffic which may reduce performance on their server or incur additional bandwidth costs, they suffer the potential difficulty of their web site being associated with spam and may even find their legitimate emails being blocked. Nobody is immune to this. We’ve seen schools, restaurants, small businesses and churches have their web sites hacked. In one case a company offering security services was notified that their web site had a page redirecting to a porn web site, which is not the greatest advertisement for their business.
If you have a web site, what can you do to make sure it isn’t compromised? First of all, make sure that your server software is up to date and has all the latest security patches. The vast majority of compromised machines are not due to zero day exploits for which there is no defense, they are due to attacks for which a patch exists but has not been applied to that particular machine. Remember you need to keep your entire software stack up to date, including scripting languages, frameworks and database.
You should also monitor your server logs to see if your site has been hacked. You can do this even if it is hosted on a third party service where you have no control over the software. Check for spikes in activity. Look for pages that suddenly become active, especially if you don’t remember adding them to your web site. Also, check your referring pages . Links from emails will either have a blank referring page, or will come from the URL of a webmail client. If you see a large number of referring pages where there is the string “mail” somewhere in the URL, take a close look at where that traffic is going. These sorts of checks are easy to automate, and a daily or hourly cron job looking for unusual activity of this type could save you a lot of pain.
Cloudmark’s filtering system is smart enough to tell the difference between a hacked domain, where we will block only those emails featuring the compromised URLs, and a rogue web site, where we will block all emails linking to that domain. However, all spam filters are not created equal. If your domain is hacked you could well fall foul of less precise filters and have your legitimate emails blocked, not to mention the fun of having to explain to your clients/pupils/parishioners why your web site is promoting Viagra or naked coeds. So, make sure your server is secure and keep an eye on those logs.