McAfee says spammers are abusing the 'out of the office' auto-respond feature found in webmail services to make their messages appear to come from legitimate addresses.
The spammer first signs up for a legitimate webmail account, switching on its auto-respond feature, with the spam text in place of the 'out of the office' message.
The spammer then bombards the account with messages that have 'from' addresses spoofed so that they appear to come from the desired recipients. The automatic responses are then sent to the spoofed addresses.
The advantage of the system is that the spam all comes from legitimate webmail accounts, with safeguards such as DKIM, DomainKey or Sender ID in place, meaning that the messages are able to get around many of the protections in place against more conventional spam techniques.
The spammers are likely to use automation techniques for creating the accounts and setting the responder text, meaning large numbers of accounts are likely to be at their disposal, according to McAfee.
The company is currently blocking auto-responder spam by analysing header and message content.