We've always been told that trying to "opt-out" from spam messages is probably a bad idea. Spam filtering firm MessageLabs now says there's a new reason not to click -- spammers are starting to sneak special code into that opt-out link which turns the spam recipient into an unwitting accomplice. The link is really a clever trick designed to turn the victim's computer into a zombie that can be used to send out more spam.
"By using an unsubscribe link in an e-mail, not only are you saying this is a live e-mail address, you also have the risk of downloading a Trojan that turns your computer into an open proxy for sending spam," said Brian Czarny, MessageLabs spokesman. The company has trapped several thousand messages laced with the special code in recent weeks, Czarny said.
Other variations of the attack place keystroke loggers on victims' computers, he said, enabling the spammer to collect personal information -- including passwords and financial account data -- from the victim.
Spam continues to be an incredible nuisance for Internet users. MessageLabs says 72 percent of all e-mail flying around the Internet is now spam.
For years, experts have debated the real-life effect of clicking on unsubscribe links usually found at the bottom of spam. The links are now required by federal law, but conventional wisdom suggests "opting out" often has the opposite effect, because it announces to the spammer that the e-mail address is accurate and active.
That theory was partially debunked in July 2002, when the Federal Trade Commission announced results of a comprehensive study on spam. It found that replying to opt-out messages didn't increase the amount of spam received, and that the links were usually broken or sent messages to dead e-mail accounts. And on occasion, replying to the opt-out link actually did work, and resulted in less spam.
But the MessageLabs announcement regarding opt-out links gives consumers a whole new reason to not trust anything found inside a spammer's message.
It's easy for programmers to write tricky e-mails that send users to unexpected Web sites. A message might have hyperlinked words reading "http://MSN.MSNBC.COM," for example, but hidden computer code could really send the recipient to an entirely different site.
That's what's happening with these new opt-out messages, Czarny said. In some cases, the link simply aims potential victims at an executable file -- a Trojan horse program sitting in a hidden location on the Internet. In others, slightly more elaborate techniques are used to inject code onto a machine after it is directed to a Web site.
"And there are definitely more complex versions of this we're starting to see," he said.
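A mail filter can check for the two simpler tricks described above: link text that displays one address while the underlying link goes to another, and a link that points straight at an executable file. The sketch below is an added example, not MessageLabs' code; the extension list, the function names and the sample message (with placeholder hosts) are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".bat")  # assumed list for this example

# Constructed sample body; hosts and paths are placeholders.
SAMPLE = (
    '<a href="http://203.0.113.7/u/remove.exe">http://MSN.MSNBC.COM</a>'
    '<a href="http://lists.example.org/unsubscribe?id=1">Unsubscribe</a>'
    '<a href="http://www.example.com/news">www.example.com</a>'
)

def _host(url):
    """Lowercased hostname of a URL-like string (scheme added if missing)."""
    url = url.strip()
    return urlsplit(url if "://" in url else "http://" + url).hostname

class LinkAuditor(HTMLParser):
    """Collects (visible text, href, reasons) for suspicious anchors."""
    def __init__(self):
        super().__init__()
        self.findings, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        href, text = self._href, "".join(self._text).strip()
        self._href, reasons = None, []
        # Visible text that is itself a URL should name the same host as the href.
        if text.lower().startswith(("http://", "https://", "www.")) and _host(text) != _host(href):
            reasons.append("text-host-mismatch")
        # A link straight to an executable file is the simple case described above.
        if urlsplit(href).path.lower().endswith(EXECUTABLE_EXTS):
            reasons.append("executable-target")
        if reasons:
            self.findings.append((text, href, reasons))

def audit_links(html_body):
    auditor = LinkAuditor()
    auditor.feed(html_body)
    auditor.close()
    return auditor.findings
```

Run on the sample, only the first link is reported, for both reasons; the more elaborate techniques that inject code after the browser reaches a Web site are outside what a check on the message itself can see.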
Either way, high security settings in Web browsers will protect most consumers from downloading unwanted software; updated anti-virus software and firewalls can help, too. But the only sure-fire protection: Just delete the spam right away.