Sophos Warns Against Tribute E-Mails

Virus, spyware and spam analysis firm Sophos Labs warned of a campaign to harvest e-mail addresses by attracting readers to Web sites offering topical video tributes through unsolicited e-mails.

Sophos monitored a trend in questionable sending around Sept. 14. It tracked e-mails containing video trailers offering tributes to 9/11 victims, tabloid celebrity Anna Nicole Smith and recently deceased “Crocodile Hunter” Steve Irwin.

“For a spam campaign to be successful, there has to be an effective social technique at work,” said Ron O’Brien, senior security analyst at Sophos, Boston. “Playing on emotion is a common trend, and 9/11 and Steve Irwin and Anna Nicole’s tragedies are examples of this tactic. We see this used a lot around Mother’s Day and other holidays.”

The e-mail displays a teaser of the video and invites the recipient to click on a link to view the whole thing. On the site, visitors are required to give an e-mail address to watch the full tribute video. Users may also invite five friends to view it by providing their e-mail addresses to the unidentified site.

Mr. O’Brien challenged the method used for the initial e-mail generation. He said that most of the addresses that received the e-mails were gained from Internet scraping, or searching the Web for e-mail addresses listed on Web sites. His, for example, is listed on, as he often speaks to the press. His statement is based on Sophos’ ownership of an out-of-commission domain name that the company uses as a spam trap.

Though the e-mails are unsolicited, they do comply with the CAN-SPAM Act, Mr. O’Brien said. Fine print at the bottom of the landing page links to the site’s privacy policy, which states that the owners of the site have the right to market to the e-mail addresses given as well as to sell the personal information to third-party businesses.

He warned against opening such an e-mail, as it confirms to the spammer that the address is active. This increases its sale value.

“You should never buy anything, free or not, that was sent to you by an unsolicited e-mail,” he said. “If you hear of a product that you like in this way, then go to Google and search for it or go to a site you trust like to find it. Do not click through the e-mail to purchase, because that is condoning spam.”
