Spam


The single greatest cause of virus spreading is opening email attachments: the screensavers, patches and other files sent by friends or by strangers. The screensaver may well work, but in the background it is infecting other files on your computer. Sometimes a forwarded email claims that a virus is on your computer when there is not, and that can do damage too, because the email may contain instructions to remove a needed Windows file. To an extent, a forwarded email that says 'Forward this email to everyone you know' is itself a virus: it does not use the computer to spread, it uses its readers. A few viruses, such as Netsky.V, can even download themselves onto the computer without the attachment being opened.

If you have an AOL, Hotmail or Yahoo email address, you no doubt receive spam constantly: email from anonymous people, often sent from addresses that do not even exist. Your address is usually found by bots that scan guestbooks and forums looking for email addresses, and once found it is added to a list. A simple defence is to insert something into your address that makes it invalid but that a human reader can recognise and remove, for example changing bradfocht@hotmail.com to bradfochtNO@SPAMhotmail.com. This throws off automated bots.

If you are a subscriber of Access Communications, there are a few features of the mail servers you should know about. The first is spam filtering, a customizable feature on everyone's account. The mail servers scan every incoming email for viruses and for characteristics and keywords common in spam. Each characteristic or keyword found adds a point, so the more of them, the higher the score; viruses are blocked altogether. Lines are then added to the header of each email, looking something like this:

X-Spam-Score: (0.859) HTML_50_60,HTML_MESSAGE
X-Scanned-By: Access Communications spam and virus filter

To set up your account go to account.accesscomm.ca, log in, select the Configure spam filter option and select advanced. You will be given a choice of the numbers 1 to 12. Remember, the lower the number you set, the more restrictive the scanning, and once an email has been classified as spam it is gone. The most restrictive setting recommended is 4, so start at 7 and work your way down.
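As an added example (not code from the page or from Access Communications), here is a small Python script that parses the X-Spam-Score line shown above and applies a per-account cut-off in the 1 to 12 range. It assumes the setting is a cut-off that discards any message whose score reaches it, which is what makes a lower number stricter; the sample message and the list of scores are constructed.

```python
import email
import re

# Constructed sample message (not from the page) carrying the two header lines the
# filter adds; the score value is the one shown above.
SAMPLE_MESSAGE = """\
X-Spam-Score: (0.859) HTML_50_60,HTML_MESSAGE
X-Scanned-By: Access Communications spam and virus filter
From: sender@example.com
To: bradfocht@hotmail.com
Subject: constructed sample

hello
"""

# "(score) RULE1,RULE2,...": a signed decimal in parentheses, then the rules that fired.
SCORE_RE = re.compile(r"^\(([-+]?\d+(?:\.\d+)?)\)\s*(.*)$")


def parse_spam_score(value):
    """Split an X-Spam-Score value into (score, [rule names])."""
    m = SCORE_RE.match(" ".join(value.split()))
    if not m:
        raise ValueError("unrecognised X-Spam-Score value: %r" % value)
    rules = [r for r in m.group(2).split(",") if r]
    return float(m.group(1)), rules


def classify(raw_message, threshold):
    """Return ('deliver' | 'discard', score, rules) for one raw message.

    Assumption: the account setting (1..12) is a cut-off and a message whose score
    reaches it is dropped, which is why a lower number means stricter filtering.
    """
    msg = email.message_from_string(raw_message)
    value = msg.get("X-Spam-Score")
    if value is None:
        # Not scanned (or header stripped): nothing to judge on, so deliver.
        return "deliver", None, []
    score, rules = parse_spam_score(value)
    return ("discard" if score >= threshold else "deliver"), score, rules


# Constructed scores standing in for a batch of incoming mail, used to see how many
# messages each setting would discard when working down from 7 as suggested above.
CONSTRUCTED_SCORES = [0.859, 1.4, 3.2, 4.5, 6.1, 8.7, 11.0]


def discarded_at(threshold, scores=CONSTRUCTED_SCORES):
    """Count how many of the sample scores would be discarded at a given setting."""
    return sum(1 for s in scores if s >= threshold)


if __name__ == "__main__":
    print(classify(SAMPLE_MESSAGE, 4))
    for setting in (7, 6, 5, 4):
        print("setting %d: %d of %d discarded"
              % (setting, discarded_at(setting), len(CONSTRUCTED_SCORES)))
```

Because a discarded message is gone for good, the useful habit is to keep the score line from mail you know is legitimate and check that the lowest score you see there still sits below the setting you choose.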

On the outgoing mail servers there are a few things to keep in mind. If you try to send an email with 25 recipients in the To: field, you will be unable to send it, because the outgoing mail server has been set up to block mass-mailing viruses. This is an attempt to stop viruses mailing themselves out and to cut down on spam. Another thing to keep in mind is that there is a limit to the number of emails you can send in a day; the count is reset to 0 at midnight every day. The number is extremely large, though, so if you ever do reach it there is a good chance that your computer has a mass-mailing virus sending emails without your knowledge.

Where Spam Comes From

Spam used to be sent by people simply emailing a message to many recipients. Sent this way, it was easy to find out who sent the email, complain, and have it stopped: complaints would reach the spammer's internet service provider (ISP), and the angry ISP would put an end to the spamming.

Spammers then started using disposable dial-up accounts. They would sign up for a dial-up internet account, send their spam and cancel the account before complaints reached the ISP. ISPs caught on, however, and kept track of accounts, so once you had been identified as a spammer, ISPs would exchange that information and would not let you set up an account with them. The other problem with this approach was that sending massive amounts of email over a slow dial-up connection was slow.

Rather than sending email through an account, spammers started sending spam through SMTP mail servers on the internet. There was no authentication on mail servers; they acted as open relays, so if you had mail, you could send it through any mail server anywhere in the world. Spammers could now hand a single copy of an email to an SMTP server, give it multiple recipients, and let the mail server do all of the processing. However, ISPs began blacklisting SMTP servers known for relaying spam. The ISP whose server had been blacklisted would usually fix the problem by tracking down the account that was sending the spam and cutting it off. Spammers responded by creating phony headers to try to obscure where the spam came from. But the SMTP servers also logged the IP address the spam came from, so there was no hiding: spammers were stopped, and went on to create new accounts and start again.

Hackers had for a long time attacked computers, taken them over, and then used those computers to attack other computers in order to hide their identities. Hackers started installing proxy servers on these computers, and then used the victims' computers to send out spam.

Headers

Emails contain headers that record where the email came from, where it went and where it is going. These are often tampered with so that you cannot complain to the sender or report them for their abuse of email. Here is an example of a tampered header from a Hotmail account:

X-Message-Info: h+6KN57emckSlIiGuqJv647sjImvHHuiQKSwAK4zW/I=
Received: from mc4-f16.hotmail.com ([65.54.237.151]) by mc4-s9.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600);
	 Sun, 12 Oct 2003 11:45:47 -0700
Received: from 3383842455ufxqtwgpldjt.com ([69.47.43.85]) by mc4-f16.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600);
	 Sun, 12 Oct 2003 11:45:30 -0700
To: <brulysus42344@hotmail.com>
From: "This is totally " <npotxrhwtryamsm@tovkvnueppujbnk.com>
Subject: out of hand!
Date: Sun, 12 Oct 2003 14:51:03 -0400
MIME-Version: 1.0
Content-Type: text/html;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Return-Path: npotxrhwtryamsm@tovkvnueppujbnk.com
Message-ID: <MC4-F16ajJWCfgYu72C00043e0e@mc4-f16.hotmail.com>
X-OriginalArrivalTime: 12 Oct 2003 18:45:30.0968 (UTC) FILETIME=[03143580:01C390F1]]

In the To line, it is addressed to brulysus42344@hotmail.com. But this is not my email address, and after trying to send an email to that address I discovered it does not even exist. So why did I get it? Because there is a field, Blind Carbon Copy (BCC), which lets you enter email addresses without displaying them in the email header. In this field the spammer has probably entered a hundred addresses (Hotmail does not allow more than a hundred recipients for a single email). These addresses were either randomly generated, in which case most do not exist, or collected from forums, guestbooks, or any other place on the internet where I have written or posted my email address.

Now look at who sent it: npotxrhwtryamsm@tovkvnueppujbnk.com. This email address seems to be nothing more than a random string of letters; there is no legible name. Obviously it has been forged. The same address appears in the Return-Path as well, so if we were to reply to this email, we would receive a reply from the mailer daemon that the message could not be delivered. Sometimes spammers will put a valid email address in this field. There are two reasons why you should never reply to spam, even to ask to be removed from their mailing list. First, replying only verifies that your email address is real and active and that you are reading their email, so they will send even more and give, or sell, your address to other spammers. Second, the address may belong to an innocent person who has had nothing to do with the spam, so you would only be complaining to someone who had nothing to do with the email you received.

To track down where this email actually came from we use the Received lines. The first Received line is the last hop before the email reached us: notice the mail passed between mc4-f16.hotmail.com and mc4-s9.hotmail.com, both Microsoft's mail servers. The second step:

Received: from 3383842455ufxqtwgpldjt.com ([69.47.43.85]) by mc4-f16.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600);
	 Sun, 12 Oct 2003 11:45:30 -0700

Hotmail received the mail from the server 3383842455ufxqtwgpldjt.com, which is obviously just random keystrokes. But the IP address logged is always correct; you cannot tamper with it. An nslookup on that address reveals that the real name of the server 69.47.43.85 is d47-69-85-43.col.wideopenwest.com. This SMTP server is acting as an open relay; at the time of writing I could just as easily send spam through it as the person who sent this spam did.

We can go a step further and do a whois query on this IP address at ARIN to find out more. It turns out that this ISP is in Columbus, Ohio, at 4822 Indianola Ave. The query also turns up an abuse email address. All I need to do now is forward this email to that abuse address and Wide Open West would resolve the problem.
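The header walk above can be scripted so that the same checks are applied to every suspect message. The Python below is an added example, not code from the page's author: it takes the tampered Hotmail headers shown above as its embedded input, walks the Received lines from the nearest hop downward, and stops at the first hop handed in by a host outside the receiving provider, which is the IP worth an nslookup and a whois. It assumes `.hotmail.com` is the trusted provider suffix and bradfocht@hotmail.com (the address given earlier on the page) is the recipient; the "long run of digits in the claimed host name" rule is a constructed rule of thumb, and the DNS and whois lookups are left out so the script runs offline.

```python
import email
import email.utils
import re

# The tampered Hotmail headers shown above, embedded as the sample input so the
# script runs offline (body omitted; no network lookups are performed here).
SAMPLE_HEADERS = """\
X-Message-Info: h+6KN57emckSlIiGuqJv647sjImvHHuiQKSwAK4zW/I=
Received: from mc4-f16.hotmail.com ([65.54.237.151]) by mc4-s9.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600);
  Sun, 12 Oct 2003 11:45:47 -0700
Received: from 3383842455ufxqtwgpldjt.com ([69.47.43.85]) by mc4-f16.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600);
  Sun, 12 Oct 2003 11:45:30 -0700
To: <brulysus42344@hotmail.com>
From: "This is totally " <npotxrhwtryamsm@tovkvnueppujbnk.com>
Subject: out of hand!
Date: Sun, 12 Oct 2003 14:51:03 -0400
Return-Path: npotxrhwtryamsm@tovkvnueppujbnk.com
Message-ID: <MC4-F16ajJWCfgYu72C00043e0e@mc4-f16.hotmail.com>

"""

# "from <claimed host> ([<ip>]) by <receiving host>": the claimed host is whatever the
# sender announced in HELO; the bracketed IP is what the receiving server actually saw.
RECEIVED_RE = re.compile(
    r"from\s+(?P<claimed>\S+)\s+\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_received(msg):
    """Return the Received hops in header order (the hop nearest to us first)."""
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append({"claimed": m.group("claimed"), "ip": m.group("ip"), "by": m.group("by")})
    return hops


def find_origin(hops, trusted_suffixes=(".hotmail.com",)):
    """Walk down the chain and return the first hop handed in by a host outside our
    provider. Its logged IP is the one to look up; the claimed name proves nothing."""
    for hop in hops:
        if not hop["claimed"].lower().endswith(trusted_suffixes):
            return hop
    return None


def analyse(raw_headers, my_address, trusted_suffixes=(".hotmail.com",)):
    """Collect the clues discussed above: Bcc delivery, a Return-Path that repeats the
    forged From, an implausible HELO name, and the IP address to report."""
    msg = email.message_from_string(raw_headers)
    findings = []
    if my_address.lower() not in msg.get("To", "").lower():
        findings.append("my address is not in To:, so it was delivered via Bcc")
    from_addr = email.utils.parseaddr(msg.get("From", ""))[1]
    return_path = msg.get("Return-Path", "").strip("<> ").lower()
    if from_addr and from_addr.lower() == return_path:
        findings.append("Return-Path repeats the From address %s: a reply goes to the forged sender" % from_addr)
    hops = parse_received(msg)
    origin = find_origin(hops, trusted_suffixes)
    result = {"hops": hops, "origin_ip": None, "origin_claimed": None, "findings": findings}
    if origin is not None:
        result["origin_ip"] = origin["ip"]
        result["origin_claimed"] = origin["claimed"]
        # Constructed rule of thumb: a long run of digits, or no dot at all, in the
        # claimed host name marks it as keyboard noise rather than a real server name.
        if re.search(r"\d{6,}", origin["claimed"]) or "." not in origin["claimed"]:
            findings.append("origin claims the implausible host name %s; trust the logged IP %s instead"
                            % (origin["claimed"], origin["ip"]))
    return result


if __name__ == "__main__":
    report = analyse(SAMPLE_HEADERS, "bradfocht@hotmail.com")
    for hop in report["hops"]:
        print("%-30s %-16s -> %s" % (hop["claimed"], hop["ip"], hop["by"]))
    print("origin IP to look up / report:", report["origin_ip"])
    for finding in report["findings"]:
        print("-", finding)
```

The trusted-suffix list is the part to adapt: the only hops you can believe are the ones written by your own provider's servers, so everything below the first foreign hop is whatever the sender chose to put there.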