21

spammimic.com offers a service that 'encrypts' your mail as 'spam', the rationale being that all mail services automatically filter out spam, and so if you're wanting to communicate with someone without an eavesdropper noticing, disguising your message as spam will do this.

Is there any evidence that this would actually work though? In order for your message to get through, it would have to be sufficiently not like spam in order not to be deleted outright. Assuming you send it from your own account, headers etc. will be intact, and isn't this the first thing that spam filters check? Wouldn't it be the first thing the eavesdropper would check too?

In short:

Dear Friend , Especially for you - this red-hot announcement
! If you no longer wish to receive our publications
simply reply with a Subject: of "REMOVE" and you will
immediately be removed from our club . This mail is
being sent in compliance with Senate bill 1621 ; Title
1 ; Section 309 . This is NOT unsolicited bulk mail
. Why work for somebody else when you can become rich
within 61 DAYS ! Have you ever noticed nobody is getting
any younger and people are much more likely to BUY
with a credit card than cash . Well, now is your chance
to capitalize on this ! We will help you SELL MORE
& use credit cards on your website . You are guaranteed
to succeed because we take all the risk . But don't
believe us ! Mrs Ames who resides in Delaware tried
us and says "I've been poor and I've been rich - rich
is better" ! We are licensed to operate in all states
! Do not go to sleep without ordering . Sign up a friend
and your friend will be rich too ! Cheers . Dear Friend
; Especially for you - this cutting-edge intelligence
! This is a one time mailing there is no need to request
removal if you won't want any more ! This mail is being
sent in compliance with Senate bill 2416 , Title 3
; Section 302 ! This is not a get rich scheme ! Why
work for somebody else when you can become rich within
71 weeks ! Have you ever noticed society seems to be
moving faster and faster and most everyone has a cellphone
! Well, now is your chance to capitalize on this !
We will help you SELL MORE and increase customer response
by 170% ! You are guaranteed to succeed because we
take all the risk . But don't believe us . Mr Jones
of Georgia tried us and says "Now I'm rich many more
things are possible" ! This offer is 100% legal ! So
make yourself rich now by ordering immediately ! Sign
up a friend and you'll get a discount of 60% . Best
regards !

fredley
  • 5
    *Is this a good idea?* –  Dec 09 '14 at 11:19
  • 10
    Using spam actually for some good? I like it! – Martijn Dec 09 '14 at 12:30
  • 2
    There are two approaches to measure the efficiency of steganography: `1.` What is the ratio between payload bits and message bits. `2.` How likely is somebody to notice that a hidden message exists. I think your approach doesn't fail completely in either area, but I think an attached image file would beat yours on both measures. – kasperd Dec 09 '14 at 16:37
  • 5
    Spamcryption : encrypt your email like you would usually do, then paste it into this tool and finally enjoy your spamcrypted email. –  Dec 09 '14 at 16:44
  • 3
    I read the whole thing to try to see if a message was in there. – Panzercrisis Dec 09 '14 at 16:49
  • 1
    "In order for your message to get through, it would have to be sufficiently not like spam in order not to be deleted outright" - If someone is trying to receive a message disguised as spam, wouldn't they think to turn off their spam filter? (Or look in their spam folder, effectively bypassing it) – user253751 Dec 10 '14 at 04:01
  • Probability of standard mail getting intercepted by NSA: very low. Probability of spamcrypted mail getting blocked as spam: not so low. This is ridiculous. Plus there's no assurance of strong encryption, they risk a [MitM](https://en.wikipedia.org/wiki/Man-in-the-middle_attack) with that self-signed cert, and you have to trust that they don't log *everything*. Here's a gem from their FAQ: *Sorry, contact form disabled due to spam.* – Adam Katz Mar 26 '15 at 21:51
  • @AndréDaniel: the smallest securely encrypted content would be too large for that form (see the FAQ), so you can't do that. You have to trust whatever encryption they use, which is pretty much guaranteed to either be weak or entirely absent. You're far better off using steganography to stuff an encrypted message into an image and attach it to an apparent spam. – Adam Katz Mar 26 '15 at 21:57

4 Answers

22

It would help if you elaborated on if you are defending from a targeted attack or just being cautious, and what vector the potential adversary would be using to eavesdrop.

That being said, the method you are referring to is called 'security through obscurity', and is

"… discouraged and not recommended by standards bodies."

I would say that is putting it nicely. Security through obscurity is very BAD (on its own).

Try watching this video from Def Con 21, told from the perspective of forensic investigators. They show several examples of why security through obscurity is a bad idea. You can also get an understanding of the capabilities of the tools used by forensic investigators.

cremefraiche
  • 7
    This form of steganography is NOT security through obscurity. The assumption is that you have already encrypted your message and are now changing the encrypted message into something that looks like spam. – barbecue Dec 09 '14 at 20:30
  • 17
    The notion that security through obscurity is inherently negative, and should be avoided in and of itself, is incorrect. The use of security through obscurity INSTEAD of stronger methods should certainly be avoided, but there is no harm in adding additional levels of obfuscation to a message when your objective is to go unnoticed, rather than to prevent decryption. – barbecue Dec 09 '14 at 20:35
  • 2
    There is no assumption of encryption. As pointed out by Philipp, this method is encoding/decoding, not encryption. Furthermore, any adversary with knowledge of this obfuscation method knows exactly what signatures to look for. This would then cause the message to be immediately inspected, where a valuable plaintext message would still be found, but presumably with further inspection. – cremefraiche Dec 10 '14 at 06:07
  • 1
    @barbecue: There _is_ certainly harm in this method. By producing spam (whether it's real spam or artificial spam) you are stealing from me and from everybody else. Mail servers spend additional time scanning your spam, and heuristics suffer. That inevitably results in more _real_ spam getting through, which means stealing my bandwidth and time (and everybody else's). If you send a stegano-image, on the other hand, you're wasting your provider's bandwidth, _but you pay for that_ (and the other end's bandwidth, _but they want that_), so it's a somewhat different thing. – Damon Dec 10 '14 at 16:10
  • @Damon I think you're completely misunderstanding the nature of this. Nobody is actually sending spam. They're not actually spamming people. They're making the message RESEMBLE spam, so that a casual inspection of the recipient's mailbox will show what LOOKS like spam. At NO TIME did anyone suggest actually using unsolicited bulk email. – barbecue Dec 11 '14 at 20:36
  • @cremefraiche My assumption, on reading about this service, was immediately that the purpose of it was to OBFUSCATE an ALREADY encrypted message, so that the encrypted message would look less like an encrypted message. At no time did it enter my mind that this would be a substitute for encryption. Apparently I'm in the minority, as that seems to be the prevailing opinion. I never implied or suggested that this approach, by itself, was secure, as it is quite obviously not. But it does provide a level of camouflage. – barbecue Dec 11 '14 at 20:45
  • 1
    The blanket statement "security through obscurity is bad" is incorrect and a misrepresentation of what is intended. Security through obscurity is only bad when this is the only security control used. Provided obscurity is used in conjunction with other controls, it is not only legitimate, but extremely useful. Just don't rely on it as your only level of protection. – Tim X Dec 11 '14 at 21:58
  • @TimX This is highly debatable. As I have mentioned earlier, if an adversary has prior knowledge of this obfuscation method, or any obfuscation method used, which any competent one would, the adversary would be able to segregate traffic matching these signatures immediately. As shown in the Def Con video I linked to, when forensic analysts are looking for data, poorly obfuscated data stands out and they investigate it first. In this case, using this obfuscation method will have only negatively impacted the user. – cremefraiche Dec 12 '14 at 01:06
  • From the application site: "Your messages will be safe and nobody will know they're encrypted!" - So, not intended to be used as your only security solution, but as an additional layer. – Cleber Goncalves Dec 15 '14 at 14:30
13

The problem with this technique (with any kind of steganography, actually) is that it relies on security through obscurity.

An eavesdropper who is aware of spammimic.com could easily train their surveillance system to recognize patterns which are typical for messages generated by spammimic, log them and extract their hidden payload.

By the way: Using the word "encryption" in this context is technically inaccurate. An encryption always requires a secret key. When no key is required to "decrypt" the message, like in this case, the correct terms are encoding and decoding. A message which is encoded but not encrypted is not secure against eavesdropping because an attacker only needs to know the algorithm.

Spammimic also offers a variant which requires a password, which adds an encryption layer to the encoding layer. If the encryption algorithm were a strong one, this would potentially allow confidential communication, but they admit that it is a very weak encryption not fit for serious use.

Conclusion: Spammimic.com is an entertaining toy, but nothing you should use for any serious confidential communication unless you encrypt your payload with a serious encryption algorithm before encoding it.

Philipp
  • In other words: You can use it, but only if you use serious methods first. Which basically means: No point in using it. Or Rot13 it at least :P – Samuel Dec 09 '14 at 14:21
  • 3
    The point in using it is to make it non-obvious that you are sending encrypted data. – barbecue Dec 09 '14 at 20:32
  • 1
    @barbecue 1. as I said, when the eavesdropper is aware of the steganography system you are using, it is obvious for them that you **do**. 2. when you use proper encryption, the knowledge that you are sending encrypted data is worthless, because there is no way to crack it before the end of the millennium. 3. when you think that usage of encryption itself is a sign that you have something to hide, it just means that people should use much, much more encryption. – Philipp Dec 09 '14 at 20:43
  • 1
    @Philipp The knowledge that you're sending encrypted data isn't worthless if someone can beat you with a rubber hose, you promised not to send encrypted data on a given network, or you promised not to contact the entity you sent encrypted data to. – Doval Dec 10 '14 at 14:00
  • http://xkcd.com/538/ – barbecue Dec 11 '14 at 20:48
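A worked illustration of Philipp's point that a publicly known encoding is a signature rather than a secret, added here as an example and not part of any answer or of spammimic's own code: a small detector that scores a message on two traits visible in the sample quoted in the question, a space before every punctuation mark and a handful of fixed template phrases. The sample messages, the phrase list and the thresholds are all constructed for this example.

```python
import re

# Constructed excerpt in the style of the spammimic output quoted in the question.
MIMIC_SAMPLE = (
    "Dear Friend , Especially for you - this red-hot announcement ! "
    "If you no longer wish to receive our publications simply reply with a "
    'Subject: of "REMOVE" and you will immediately be removed from our club . '
    "This mail is being sent in compliance with Senate bill 1621 ; Title 1 ; Section 309 . "
    "Sign up a friend and your friend will be rich too ! Cheers ."
)

# Constructed: an ordinary human-written note with normal punctuation.
PLAIN_SAMPLE = (
    "Hi Dave, thanks for the notes from yesterday. I've attached the revised "
    "draft; let me know if section 3 still reads oddly. Cheers, Anna."
)

# Constructed: garden-variety spam that shares one opener but not the encoder's tells.
SPAM_SAMPLE = (
    "Dear Friend, you have been selected for an exclusive offer! "
    "Reply now to claim your prize."
)

# Fixed phrases taken from the sample in the question; a real ruleset would be
# built from a corpus of the tool's actual output.
TEMPLATE_PHRASES = (
    "dear friend",
    "especially for you",
    "in compliance with senate bill",
    "sign up a friend",
    "we take all the risk",
)

PUNCT_RE = re.compile(r"[.!?,;]")
SPACED_PUNCT_RE = re.compile(r" [.!?,;]")   # a space immediately before punctuation


def spaced_punct_ratio(text: str) -> float:
    """Fraction of sentence punctuation preceded by a space (a tokeniser artefact)."""
    total = len(PUNCT_RE.findall(text))
    if total == 0:
        return 0.0
    return len(SPACED_PUNCT_RE.findall(text)) / total


def template_hits(text: str) -> list:
    """Template phrases from the encoder's grammar that occur in the text."""
    low = text.lower()
    return [p for p in TEMPLATE_PHRASES if p in low]


def assess_message(text: str, ratio_threshold: float = 0.5, hits_threshold: int = 2) -> dict:
    """Score a message body; the thresholds are illustrative, not tuned."""
    ratio = spaced_punct_ratio(text)
    hits = template_hits(text)
    return {
        "spaced_punct_ratio": ratio,
        "template_hits": hits,
        "flag": ratio >= ratio_threshold or len(hits) >= hits_threshold,
    }


if __name__ == "__main__":
    for name, body in [("mimic", MIMIC_SAMPLE), ("plain", PLAIN_SAMPLE), ("spam", SPAM_SAMPLE)]:
        print(name, assess_message(body))
```

On a real mail stream the phrase list would be derived from the tool's actual output and the thresholds checked against ordinary mail, so that genuine spam with a shared opener (the third sample) is not confused with encoder output. The point is only that whoever is watching needs no key to recognise the encoding; encrypting the payload before encoding it is what keeps the contents, if not the act of sending, confidential.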
8

Using steganography instead of encryption is a rather bad idea, especially when the tool used is freely available. Anybody could use it to uncover the message.

However, simple encryption has a shortcoming when compared to steganography: Encrypted messages are usually identifiable as such, so while nobody knows what you send somebody, there is a proof you sent something.

If both confidentiality and deniability are desired, you can combine both approaches. Use a strong algorithm to encrypt the message, then conceal the ciphertext somehow. Ideally, this should be done by some software performing both tasks, since a PGP header encoded in what superficially looks like spam will cost you deniability if discovered.

In order for your message to get through, it would have to be sufficiently not like spam in order not to be deleted outright. Assuming you send it from your own account, headers etc. will be intact, and isn't this the first thing that spam filters check?

Of course, if you have a GMail account, you might not have the ability to decide which mails get rejected by their SMTP server. However, if you manage your own mail server, it's just a matter of configuration.

Dennis
  • 4
    Steganography is to encryption as camouflage is to armor. One makes it harder to find you, the other protects you once you have been found. – barbecue Dec 11 '14 at 20:52
  • @barbecue, that was beautiful. However, while Spam Mimic appears to lack encryption, Dennis's answer suggests using both. A "better" implementation would be to use standard steganography to embed an encrypted message inside an image inside an apparent spam email. **Still, the major flaw of this system is that the recipient may not receive the email.** Of course, if the email is true spam, theoretically it'd get archived by spam researchers and now you've crowdsourced your data storage... – Adam Katz Mar 26 '15 at 21:27
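To make Dennis's observation concrete, that ciphertext is usually identifiable as such and that a PGP armor header gives the game away, here is an added example (not from the answer or from any tool it mentions) that labels a payload by its armor header and by its byte entropy. The ciphertext stand-in is a seeded PRNG stream, labelled as such, because a sound cipher's output is statistically indistinguishable from uniform random bytes; the armored sample is a constructed placeholder, not a real message.

```python
import base64
import math
import random
from collections import Counter

ARMOR_HEADER = "-----BEGIN PGP MESSAGE-----"


def shannon_entropy(data: bytes) -> float:
    """Estimated bits of entropy per byte from the byte histogram of `data`."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_payload(payload: bytes) -> str:
    """Rough label: armored ciphertext, high-entropy (raw ciphertext or
    compressed data), natural language, or indeterminate (e.g. base64 text)."""
    text = payload.decode("utf-8", errors="replace")
    if text.lstrip().startswith(ARMOR_HEADER):
        return "armored-ciphertext"
    h = shannon_entropy(payload)
    if h > 7.0:
        return "high-entropy"
    if h < 5.0:
        return "natural-language"
    return "indeterminate"


# Constructed sample: ordinary English prose as a plaintext stand-in.
PLAINTEXT = (
    b"The problem with this technique is that it relies on the eavesdropper "
    b"not knowing where to look. Once the tool is public, the disguise is a "
    b"signature rather than a secret. "
) * 20

# Constructed stand-in for ciphertext: a seeded PRNG stream, NOT a cipher.
# A sound cipher's output has the same flat byte histogram as this stream.
_rng = random.Random(20141209)
CIPHERTEXT_LIKE = bytes(_rng.getrandbits(8) for _ in range(4096))

# The same bytes after base64, as a mail-safe encoding or an armored body would carry them.
BASE64_CIPHERTEXT = base64.b64encode(CIPHERTEXT_LIKE)

# Constructed placeholder for an armored message; the body is not real ciphertext.
ARMORED_SAMPLE = (
    b"-----BEGIN PGP MESSAGE-----\n\n"
    b"PLACEHOLDERBODYNOTAREALMESSAGE==\n"
    b"-----END PGP MESSAGE-----\n"
)

if __name__ == "__main__":
    samples = [("plaintext", PLAINTEXT), ("ciphertext-like", CIPHERTEXT_LIKE),
               ("base64", BASE64_CIPHERTEXT), ("armored", ARMORED_SAMPLE)]
    for name, blob in samples:
        print(f"{name:16s} {shannon_entropy(blob):5.2f} bits/byte -> {classify_payload(blob)}")
```

Base64-encoded ciphertext lands in the indeterminate band near 6 bits per byte, so the entropy check alone is not a verdict and a base64 alphabet test would be the next step. That is the practical content of Dennis's point: a concealment layer that is worth anything has to bring the statistics of the whole message, not just its header, back to those of the cover text.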
1

Whether this is a good idea or a bad idea really depends on what your requirements are and what threats/risks you're trying to protect against. I think there are some significant limitations with the practical aspects of this approach, such as ensuring your message looks enough like spam that it is obscured, but not so much like spam that your recipient's anti-spam software doesn't just delete it or refuse to accept it etc.

If we assume these issues have been addressed, the question then becomes one of determining exactly what you're trying to do. If all you want to do is obscure the fact you are communicating with someone else, then it might provide some use. On the other hand, if you want confidentiality, then this probably wouldn't be sufficient in itself. You might have to use it in conjunction with other measures. For example, you may need to first encrypt the original message using some agreed upon scheme and then put that inside the encoded message.

The main point to remember is that security needs to fit with the purpose and assessed level of risk. In general, you want to be clear about why you're taking some action. If you want confidentiality, then you will normally need some kind of encryption. If you want integrity, then you will probably want some form of hashing and if you just want to hide something, then perhaps some form of steganography. If you want all three, then you will need to apply all three techniques. Ignoring some of the practical aspects of this technique, all you are really doing is hiding it. If someone knows where to look, they will likely find it.

A number of responses refer to security through obscurity and state that it is bad and should not be used. This is an oversimplification and similar to programming statements like "goto is bad and should never be used". In reality, none of these things are inherently bad in themselves - they are only bad when used inappropriately. Using obscurity is fine provided other measures are taken. It is not fine when you rely solely on it to provide full protection. Running ssh on a non-standard port is obscurity, but is fine because it is not the only level of protection. Running plain telnet or ftp on non-standard ports is not fine as you are only relying on the obscurity to make them secure.

Tim X