In order to understand a SPAM message and how best to prevent it, one needs
to know a little about how email works in general. Most people don’t think
about it: they type their message along with a "to" address, and it
miraculously arrives on the other end. But how does that work? In a way, one
can compare it to postal mail. When you send snail mail, the message is in an
envelope. The envelope has a return address and an address to send it to. You
put it in your mailbox, the postman picks it up, and it is sent. The postal
service is the relay for the message, and your letter moves through the system,
from terminal to terminal, until it arrives at the recipient. Email messages,
too, contain a header which serves as the "envelope" for the message. It
contains the sender’s name, the return address, the subject line and where the
message is going, along with a bunch of other information. When you send the
message, it goes out via a mail host server, which uses a protocol called SMTP
to transfer it. It travels over the internet, each mail server it passes
through reading the headers and moving it along. It finally reaches a mail host
at the recipient’s ISP, where it sits until the recipient logs on, checks their
email and downloads it from the server.
To demonstrate, I sent a message from myself to myself; below are the headers
for that email:
Return-Path: <drisley@pcmech.com>
Delivered-To: pcmech-pcmech:com-drisley@pcmech.com
X-Envelope-To: drisley@pcmech.com
Received: (qmail 13463 invoked from network); 17 Jan 2005 15:14:23 -0000
Received: from relay01.pair.com (209.68.5.15)
by qs194.pair.com with SMTP; 17 Jan 2005 15:14:23 -0000
Received: (qmail 87092 invoked from network); 17 Jan 2005 15:14:22 -0000
Received: from unknown (HELO drisley) (unknown)
by unknown with SMTP; 17 Jan 2005 15:14:22 -0000
X-pair-Authenticated: 67.8.75.220
From: "David Risley" <drisley@pcmech.com>
To: <drisley@pcmech.com>
Subject: hello
Date: Mon, 17 Jan 2005 10:14:15 -0500
Message-ID: <040e01c4fca7$355c83d0$6601a8c0@drisley>
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2616
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Importance: Normal
X-Spam-Filtered: 0dcc1a651a10c4b8d1dd774df3024376
X-Spam-Status: No, hits=-2.4 required=3.5 tests=SUB_HELLO,BAYES_00
X-Spam-Flag: NO
X-Spam-Level:
Now, some of these headers are not very important to the discussion at hand.
But some are very important to your understanding of SPAM. These are:
- Return-Path. This is the email address from which the email was sent. Most
of the time, this is a more trustworthy indication of the sender than "From",
because the From header is very easy to manipulate. However, it is still
possible to forge the return path, so in the case of SPAM it cannot really be
trusted.
- From. This contains the name (in quotes) and the email address of the sender.
This information is controlled by the email client and can be very easily
altered. In other words, just because an email has "Paypal" as the From name,
don’t assume it came from Paypal.
- Received. This field describes the routing of the email message from the
sender to the recipient. Each line of the header marked "Received" marks a
bounce (hop) in the path the email message took to arrive to you. In the
example above, you can see that the number of bounces is very low, simply
because I was sending the message to myself. In other cases you may see more
bounces. In the case of SPAM, you can sometimes use this information to see
where a message came from. I say "sometimes" because not all mail hosts
actually add their record to the headers as the message goes through them, so
this record is not always a complete picture of the path the email took.
Lastly, one often sees the word "HELO" in this field. This represents the name
that the sender reported to the SMTP server when it connected to send the mail.
It can be forged, so it is not reliable.
- X-Mailer. This is a record of the software which was used to send the email.
- Reply-To. This is the name and email address to which a reply would be sent
if you hit the Reply button in your email client. This information is very
easy to alter, but at the same time, you can look for instances where the From
data does not match the Reply-To data.
- Date. This is simply the timestamp for the message, or when it was sent. The
stamp is relative to GMT and will contain an offset. In the example above, you
can see the offset is -0500, meaning 5 hours off GMT. This is because I am
located in the Eastern time zone. It is set by the mail host’s internal clock,
which may or may not be set correctly. Also, in the case of SPAM, you can look
for Date headers which are messed up. They may give a time zone offset which
places them in the middle of an ocean, or use a mangled timestamp that just
doesn’t fit the correct format (for example, a year beginning with 0).
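The checks described in the list above, as an added example that is not code from the original article: it walks the Received chain from origin to destination (pulling out the claimed HELO name), and flags a Reply-To or Return-Path that does not match From and a Date header with an impossible offset or a year beginning with 0. The sample header block is a constructed, trimmed copy of the article's own headers; the regex and the 14-hour offset bound are this example's assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_tz

# Constructed sample: the article's header block, trimmed to the fields used here;
# continuation lines are indented as in a real folded header.
SAMPLE = """Return-Path: <drisley@pcmech.com>
Received: from relay01.pair.com (209.68.5.15)
 by qs194.pair.com with SMTP; 17 Jan 2005 15:14:23 -0000
Received: from unknown (HELO drisley) (unknown)
 by unknown with SMTP; 17 Jan 2005 15:14:22 -0000
From: "David Risley" <drisley@pcmech.com>
Date: Mon, 17 Jan 2005 10:14:15 -0500

hello
"""

# "from <host> [(HELO <name>)] ... by <host>"; the HELO name is only what the sender claimed
RECEIVED_RE = re.compile(r"from\s+(\S+)(?:\s+\(HELO\s+([^)]*)\))?.*?\bby\s+(\S+)")

def received_path(msg):
    """Relay chain oldest-first as (from_host, helo_name, by_host) tuples.
    Each relay prepends its own Received line, so the last one is nearest the origin."""
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append((m.group(1), m.group(2), m.group(3)))
    return list(reversed(hops))

def header_warnings(msg):
    """Cheap checks from the list above: address mismatches and a mangled Date."""
    flags = []
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    for field in ("Reply-To", "Return-Path"):
        addr = parseaddr(msg.get(field, ""))[1].lower()
        if addr and addr != from_addr:
            flags.append(field.lower() + "-mismatch")
    date_raw = msg.get("Date", "")
    parsed = parsedate_tz(date_raw)
    # parsedate_tz quietly turns a year like 0005 into 2005, so check that on the raw text
    if parsed is None or re.search(r"(?<![-+\d])0\d{3}\b", date_raw):
        flags.append("bad-date")
    if parsed and abs(parsed[9] or 0) > 14 * 3600:  # no real zone is > 14 h from GMT
        flags.append("impossible-tz-offset")
    return flags

def analyze(raw):
    msg = message_from_string(raw)  # raw headers plus body, as shown by a mail client
    return received_path(msg), header_warnings(msg)
```

Running `analyze(SAMPLE)` gives the two-hop path with "drisley" as the HELO name and no warnings; a message whose Reply-To differs from From and whose Date reads "17 Jan 0005 ... +2500" produces the mismatch, bad-date and offset flags together.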