As you've learned, spammers use the facilities in HTML e-mails to further their goals. Because almost every application that displays HTML pages uses the Internet Explorer COM objects, they're vulnerable to most of the same security flaws as Internet Explorer is itself. There have been many serious security vulnerabilities that Microsoft has patched, and many that still remain unpatched and exploitable. Chief among them is the IFRAME issue.

IFRAME, an abbreviation for Inline Frame, is a very simple way Web developers can include a Web page from a different location inside their own page. An in-depth discussion of IFRAMEs is beyond the scope of this lesson; however, the CNET Microsoft patches IE, Windows article contains some excellent further reading. Due to a security flaw within the Internet Explorer IFRAME system, a malicious HTML e-mail (or Web site) can bypass the built-in security. Under normal circumstances, the Security Zone system within Internet Explorer will prevent a remote server from gaining local privileges on your computer. Using a flaw in the IFRAME system, a remote server can perform any action on your computer by accessing the Local Zone with you doing nothing more than opening the e-mail or viewing the Web page.

Although Microsoft has released security patches for the IFRAME issue, further flaws still exist in this and other Internet Explorer features. Spammers can obtain even more information about you by exploiting these flaws through specially constructed HTML e-mails.

The moral of the story is, always make sure all your applications are up to date with security patches. Through the magic of COM objects, a security flaw in one product can easily affect others.

Self-Perpetuating Process

Unfortunately spam is something that will never stop. Companies and individual spammers make huge amounts of money by selling valid e-mail addresses to one another. Once a spammer gets a positive response, they can sell that e-mail address to other spammers as part of a validated e-mail list. Once your address is on one of these lists, it's impossible to remove it. As you may already know, clicking a link in the e-mail that purports to remove you from the spammer's list is a surefire way to receive even more spam.

Moving On

This lesson introduced you to the world of spam, and showed you that the issues are not quite as simple as everyone thinks. You saw how spammers track exactly what you do with their e-mail through the use of Web bugs and software vulnerabilities. You also saw an in-depth analysis of a common phishing e-mail, with all its tricks and hidden traps.

Be sure you understand the topics covered in this lesson, especially the more technical aspects of how spammers obfuscate their intentions: the assignment and quiz will give you some practical experience. The Message Board is always available for you to discuss the issues raised in this lesson and any other spam or spyware questions you have. Your fellow students and instructor are ready and waiting!

In Lesson 4, you'll see practical examples of how to manage and defeat the spam you already get, and avoid getting even more in the future. You'll also see how the spammers attempt to evade antispam systems to keep their spam flowing. Finally, the systems commercial organizations use to defend against spam will be touched on to give you a taste of how the people who get millions of spam e-mails every day deal with the problem.