File delivery site Sendspace has said it isn’t worried about a huge email spoofing issue with its free service – because legitimate businesses don’t use it.
Sendspace seems to be increasingly used in attempts to deliver dirty-looking files in phishing attacks, and the company has informed us that no plans are in place to prevent people from spoofing their email addresses through the site.
As services such as Gmail get better at automatically scanning attachments for viruses, it’s increasingly becoming necessary for miscreants to find other means of delivering malicious files to victims.
File hosting sites and services such as Kim Dotcom’s Mega and Sendspace offer locations to store the nasties, and Sendspace’s share files feature allows users to send an email through Sendspace to whatever email address they want, from whatever email address they want.
Sendspace File Delivery Notification:
You’ve got a file called secret_doc.pdf, (81 B) waiting to be downloaded at sendspace.com (It was sent by firstname.lastname@example.org).
Description: This is a secret document of news value which I am giving to The Register.
You can use the following link to retrieve your file: https://www.sendspace.com/file/*obscured*
Sendspace responded to The Register’s enquiries to confirm: “We do not verify an unregistered user’s email address or the address they want to send links to.”
The service explained that it was not intending to introduce any authentication requirements for the ‘from’ field of its emails, although a spokesperson added that “our tech team is going to create a system where specific sender email addresses can be blocked if it is reported they are being abused.”
This security feature would be added soon, Sendspace told The Register, before continuing to suggest that phishing through its service could not be considered a threat as legitimate business users simply wouldn’t use its free service.
“In specific regard to phishing, it is unlikely a legitimate business or service would ever send emails using our generic email address – our business user accounts send emails using the account holder’s email address in the ‘from’ field, and these addresses are always verified in advance,” they informed The Register. ®