In order to understand a SPAM message and how best to prevent it, one needs to know a little about how email works in general. One doesn't usually think about it: you type a message along with a "to" address, and it miraculously arrives on the other end. But how does that work? One can compare it to postal mail, in a way. When you send snail mail, your message goes in an envelope that carries a return address and a destination address. You put it in your mailbox, the postman picks it up, and it is on its way. The postal service is the relay for the message, and your letter moves through the system, from sorting office to sorting office, until it arrives at the recipient. An email message, too, has a block of headers that serves as the "envelope" for the message. It contains the sender's name, the return address, the subject line and where the message is going, along with a good deal of other information. (Strictly speaking, SMTP carries its own envelope, the MAIL FROM and RCPT TO addresses exchanged between servers, separately from the headers; the Return-Path header you will see below is your own server's record of that envelope sender.) When you send the message, it goes to your mail host server, which uses a protocol called SMTP to transfer it. It travels across the internet, each mail server it passes through stamping its own record onto the top of the headers and moving it along. It finally reaches a mail host at the recipient's ISP, where it sits until the recipient logs on, checks their email and downloads it from the server.
To demonstrate, I sent a message from myself to myself and below are the headers for that email:
Return-Path: <drisley@pcmech.com>
Delivered-To: pcmech-pcmech:com-drisley@pcmech.com
X-Envelope-To: drisley@pcmech.com
Received: (qmail 13463 invoked from network); 17 Jan 2005 15:14:23 -0000
Received: from relay01.pair.com (209.68.5.15)
  by qs194.pair.com with SMTP; 17 Jan 2005 15:14:23 -0000
Received: (qmail 87092 invoked from network); 17 Jan 2005 15:14:22 -0000
Received: from unknown (HELO drisley) (unknown)
  by unknown with SMTP; 17 Jan 2005 15:14:22 -0000
X-pair-Authenticated: 67.8.75.220
From: "David Risley" <drisley@pcmech.com>
To: <drisley@pcmech.com>
Subject: hello
Date: Mon, 17 Jan 2005 10:14:15 -0500
Message-ID: <040e01c4fca7$355c83d0$6601a8c0@drisley>
MIME-Version: 1.0
Content-Type: text/plain;
  charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2616
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Importance: Normal
X-Spam-Filtered: 0dcc1a651a10c4b8d1dd774df3024376
X-Spam-Status: No, hits=-2.4 required=3.5 tests=SUB_HELLO,BAYES_00
X-Spam-Flag: NO
X-Spam-Level:
Now, some of these headers are not very important to the discussion at hand. But, some are very important to your understanding of SPAM. These are:
- Return-Path. This is the address to which bounces for the message would be returned, as recorded by your own mail server from the SMTP envelope (the MAIL FROM command) when the message was delivered. It is often a more useful indication of the sender than "From", because it is written by your server rather than by the sender's email client. However, the sender chooses the envelope address too, so in the case of SPAM it cannot really be trusted either.
- From. This contains the name (in quotes) and the email address of the sender. This information is controlled by the email client and can be very easily altered. In other words, just because an email has "Paypal" as the From name, don't assume it came from Paypal.
- Received. These fields describe the routing of the email message from the sender to the recipient. Each "Received" line marks one hop: a mail server stamps its own line on top of the headers as the message passes through it, so the newest hop is at the top and the original sender is at the bottom. In the example above, the number of hops is very low simply because I was sending the message to myself; in other cases you may have more. In the case of SPAM, you can sometimes use this information to see where a message came from. I say "sometimes" because the only lines you can rely on are the ones added by your own mail servers, at the top of the chain; everything below the first line your server stamped arrived inside the message, and the sender may have left hops out or added bogus ones, so the record is not always a complete or honest picture of the path the email took. Lastly, one often sees the word "HELO" in this field. This is the name the sending machine announced to the SMTP server in the HELO (or EHLO) command when it connected to send the mail. In the example, the lowest hop is my own PC, which announced itself as "drisley". The HELO name can be set to anything, so it is not accurate; what matters is the IP address the receiving server records for the connection (here the relay logged the host as "unknown", but the X-pair-Authenticated line shows the address, 67.8.75.220, that logged in to send it).
- X-Mailer. This is a record of the software which was used to send the email. It is set by the client and is just as easy to forge as From.
- Reply-To. This is the name and email address to which a reply would be sent if you hit the Reply button in your email client. This information is very easy to alter, but at the same time you can look for instances where the From data does not match the Reply-To data.
- Date. This is simply the timestamp for the message, or when it was sent. The stamp is relative to GMT and carries an offset. In the example above, you can see the offset is -0500, meaning five hours behind GMT, because I am located in the Eastern time zone. It is set by the sending computer's own clock, which may or may not be set correctly, so compare it with the timestamps on the Received lines your own server added (in the example, 10:14:15 -0500 is 15:14:15 GMT, seven seconds before the 15:14:22 stamp on the lowest Received line). In the case of SPAM, you can look for date headers which are messed up. They can possibly give a time zone offset which places them in the middle of an ocean, or use a mangled timestamp that just doesn't fit the correct format (for example a year beginning with 0).
In the case of SPAM, much of this header information can be and usually is forged. For example, spammers can spoof the host name or the HELO when the message is sent. They can also add bogus "Received" lines to give the message a false routing history; because each genuine server stamps its line on top, the forged lines always sit below the real ones your own server added. The From names and return addresses are EXTREMELY easy to alter and any of us can do so right now by entering different names into our email profiles in our email clients (Outlook, Thunderbird, etc.). The HELO name is simply whatever string the sending software announces, so it is trivial to change given the right software, and a false routing history can be written by any program that talks SMTP directly, as long as the software on the sending computer lets the sender supply its own headers.
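Putting the header discussion above into practice, here is an added example (not code from the original article) that parses a header block like the one shown earlier, walks the Received chain from the top down to the first hop that cannot be attributed to our own mail servers, and applies the checks described above: Date against the Received stamps, From against Reply-To, and a year beginning with 0. The server names in OUR_HOSTS and the second, forged-looking header block are assumptions constructed for the example; the first block is the article's own headers, trimmed to the lines the code uses.

```python
"""Spam header triage: an added example, not code from the original article.
Parses a header block, walks the Received chain top-down to the first hop we
cannot attribute to our own servers, and runs the checks described above (Date
vs. Received stamps, From vs. Reply-To, a mangled year).  OUR_HOSTS and
FORGED_HEADERS are constructed assumptions; ARTICLE_HEADERS is the article's
own header block, trimmed to the lines used here."""
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_tz

OUR_HOSTS = {"qs194.pair.com", "relay01.pair.com"}  # assumed: servers we run
MAX_DATE_SKEW = 3600  # seconds allowed between Date: and lowest Received stamp

ARTICLE_HEADERS = """\
Received: (qmail 13463 invoked from network); 17 Jan 2005 15:14:23 -0000
Received: from relay01.pair.com (209.68.5.15)
  by qs194.pair.com with SMTP; 17 Jan 2005 15:14:23 -0000
Received: (qmail 87092 invoked from network); 17 Jan 2005 15:14:22 -0000
Received: from unknown (HELO drisley) (unknown)
  by unknown with SMTP; 17 Jan 2005 15:14:22 -0000
From: "David Risley" <drisley@pcmech.com>
Date: Mon, 17 Jan 2005 10:14:15 -0500

"""

# Constructed: the lower two Received lines are the sender's own fiction.
FORGED_HEADERS = """\
Received: from mail.example.net (192.0.2.10)
  by qs194.pair.com with SMTP; 17 Jan 2005 15:30:00 -0000
Received: from relay.example.org (HELO paypal.com) (192.0.2.20)
  by mail.example.net with SMTP; 17 Jan 2005 15:45:00 -0000
Received: from fakehost.example (HELO fakehost) (203.0.113.5)
  by relay.example.org with SMTP; 17 Jan 2005 15:20:00 -0000
From: "PayPal" <service@example.com>
Reply-To: <offers@example.org>
Date: Mon, 17 Jan 0005 10:14:15 -0500

"""

def parse_stamp(text):
    """RFC 2822 date -> aware datetime, or None; '-0000' (zone unknown) -> UTC."""
    t = parsedate_tz(text)
    try:
        return datetime(*t[:6], tzinfo=timezone(timedelta(seconds=t[9] or 0)))
    except (TypeError, ValueError):  # unparsable, or e.g. day 32
        return None

def received_hops(msg):
    """Received lines top-down (newest hop first) as from/by/helo/stamp."""
    hops = []
    for raw in msg.get_all("Received", []):
        line = " ".join(raw.split())  # unfold continuation lines
        frm = re.match(r"from (\S+)", line)  # qmail's "(qmail N ...)" stamps have none
        by = re.search(r"\bby (\S+)", line)
        helo = re.search(r"\(HELO (\S+)\)", line)
        stamp = parse_stamp(line.rsplit(";", 1)[1]) if ";" in line else None
        hops.append({"from": frm and frm.group(1), "by": by and by.group(1),
                     "helo": helo and helo.group(1), "stamp": stamp})
    return hops

def first_untrusted_hop(hops):
    """Index of the first Received line not stamped by one of OUR_HOSTS: it and
    everything below it arrived inside the message and may be the sender's work."""
    for i, hop in enumerate(hops):
        if hop["by"] is not None and hop["by"] not in OUR_HOSTS:
            return i
    return len(hops)

def triage(raw_headers):
    msg = message_from_string(raw_headers)
    hops = received_hops(msg)
    warnings = []
    # Date: is the sender's clock; the lowest stamp is the first server's clock.
    date_hdr = msg.get("Date", "")
    sent = parse_stamp(date_hdr)
    stamps = [h["stamp"] for h in hops if h["stamp"]]
    skew = int(abs((stamps[-1] - sent).total_seconds())) if sent and stamps else None
    if sent is None:
        warnings.append("Date header does not parse")
    if skew is not None and skew > MAX_DATE_SKEW:
        warnings.append(f"Date is {skew}s away from the first Received stamp")
    if re.search(r"\b\d{1,2} [A-Za-z]{3} 0\d{3}\b", date_hdr):
        warnings.append("Date year begins with 0")
    # Each hop should be stamped no earlier than the hop below it.
    if any(upper < lower for upper, lower in zip(stamps, stamps[1:])):
        warnings.append("Received stamps are out of order")
    # Both are sender-controlled, but a mismatch is a classic tell.
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2]
    if reply_dom and reply_dom != from_dom:
        warnings.append(f"Reply-To domain {reply_dom} differs from From {from_dom}")
    return {"hops": hops, "first_untrusted": first_untrusted_hop(hops),
            "date_skew_seconds": skew, "warnings": warnings}

if __name__ == "__main__":
    for raw in (ARTICLE_HEADERS, FORGED_HEADERS):
        result = triage(raw)
        print(result["first_untrusted"], result["warnings"])
```

Run stand-alone, it prints for each block the index of the first hop that cannot be attributed to our servers, followed by the warnings. For the article's own message the only hop not stamped by a known server is the bottom one (relay01 recorded it as "by unknown"), and no check fires; for the constructed block the trust boundary is the very first hop below our server, and the Reply-To mismatch, the out-of-order stamps and the year beginning with 0 are all reported. The design choice in first_untrusted_hop() is the one the text makes: a Received line is evidence only if one of your own servers wrote it, and anything below that line is the sender's story.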
Open relay servers and open proxies have traditionally given spammers free rein. An open relay is a mail server that will accept email from anyone, addressed to anyone, and pass it on. Basically, it acts as a public bounce point for all email, and spammers can make ample use of it; the Received line the relay stamps points back at the relay, not at the spammer. In the earlier days, open relays were everywhere, but as SPAM has become more of an issue, the pool of them has dropped quite a bit. Most system admins now have some kind of security on their mail relay servers, usually requiring a login before mail will be accepted for delivery elsewhere: either SMTP authentication, or the older "POP-before-SMTP" scheme in which you must first log in to your POP3 mailbox, after which the server allows your IP address to relay for a short while. ISPs do this routinely, meaning you must log in and check your email before you can send your email, thus giving the ISP proof that you are truly a customer of theirs before allowing you to use their relay server (the X-pair-Authenticated line in my example headers is my provider's record that I had done exactly that).
As open relays have become fewer, spammers have found a more effective alternative: open proxies and, above all, hijacked home computers, often called "zombies". Zombie machines are usually Windows-based machines belonging to innocent and unwitting home users who, due to a lack of proper security, have left their computer open to the installation of special software (through trojans, viruses and other such things). These machines are usually connected to the internet via cable broadband or DSL, which by their very nature are always on. A PC connected this way with no security can be used to send spam all day long and the PC's owner will never know it's happening. The recipient of the SPAM cannot trace the message back any further than the zombie machine, because the zombie can be set up to use "direct-to-MX" delivery: it looks up the recipient's mail exchanger (MX) and hands the message straight to the recipient's mail server, bypassing the owner's ISP relay, so the only IP address recorded in the Received headers is the zombie's, and nothing on the zombie itself keeps a log of the outgoing mail. In other words, if your PC were serving as a zombie, you would have no record anywhere of the outgoing emails. The FTC estimates that as much as 30% of all SPAM is sent through the use of zombies.
Some spammers use offshore ISPs to send their mail, usually because these offshore ISPs are, in many cases, not exactly reputable and therefore don't implement proper security. In some countries, the system admins are just not as picky about their ethical standards. Plus, they are usually more in need of money and therefore will offer less secured accounts for less money. Popular sources for these accounts are China, South Korea, Indonesia, Malaysia, as well as countries in the Eastern Rim, South America and the former Soviet bloc. Sometimes, as these countries try to become more legitimate members of the new information economy, they get more interested in controlling this problem and start playing nice with the rest of the internet. Other countries, though, don't seem to change. China, for example, does not seem particularly interested in controlling its network traffic when it comes to spam, pornography, stolen software and other such items, while at the same time it moves heaven and earth to keep its own citizens from accessing the internet with any freedom.
Another trick spammers use to send email is improperly secured form-mail scripts. FormMail is the name of one specific, widely used program that accepts input from a web-based form and delivers it by email, but there are many such scripts. Many webmasters use forms to control their own level of spam: rather than display their email address publicly on the web (which leaves it open to email harvesters), they use a form. The website visitor fills it in, and when they submit it an email is sent behind the scenes to the webmaster. However, an improperly programmed delivery script can be hijacked by spammers to send mail to anyone. These server-based scripts give the programmer full control over the email headers, and the classic mistake is to paste form fields straight into those headers: a submitted value containing a line break then becomes an extra header line (a "Bcc:" to a thousand addresses, say), and because the mail leaves from the web server, the spam is not traceable back to the spammer at all. Any form-to-mail script on the internet needs to reject line breaks in any field that ends up in a header, verify that the data came from its own form, and keep a record of the originating IP address. Also, it is a good idea NOT to have the TO address of the email in the web form as a hidden field, but to instead code the TO address into the script itself, since anything in the form can be changed by whoever submits it.
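The form-mail weakness described above, as an added example that is not part of the original article: a naive delivery routine that trusts a hidden "to" field and pastes submitted values into header lines, next to a hardened version that keeps the recipient in the script, refuses line breaks in anything header-bound, checks that the sender value is a single plain address and records the originating IP. The form field names (to, name, email, subject, message), the addresses and the two sample submissions are assumptions constructed for the example, and the messages are only built as strings; nothing is actually sent.

```python
"""Form-to-mail delivery, the hijackable way and a hardened way.  Added example,
not code from the original article: field names, addresses and the two sample
submissions are constructed, and messages are only built as strings (nothing
is sent)."""
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

RECIPIENT = "webmaster@example.com"  # constructed; lives in the script, not the form
SITE_FROM = "forms@example.com"      # constructed; the web server's own address
CRLF = re.compile(r"[\r\n]")

# Constructed submissions: a legitimate one and one carrying a header injection.
GOOD_SUBMISSION = {"name": "Visitor", "email": "visitor@example.net",
                   "subject": "hello", "message": "Hi there"}
ATTACK_SUBMISSION = {"to": RECIPIENT, "subject": "hi", "message": "buy now",
                     "email": "spammer@example.net\nBcc: victim1@example.org, victim2@example.org"}


def build_vulnerable(form):
    """The naive script: trusts a hidden 'to' field and pastes submitted values
    straight into header lines.  A value containing a newline starts a new
    header, so whoever submits the form controls every header of the message."""
    return (f"To: {form['to']}\n"
            f"From: {form['email']}\n"
            f"Subject: {form['subject']}\n"
            f"\n{form['message']}\n")


def build_hardened(form, client_ip):
    """Fixed recipient, no line breaks in anything header-bound, a sender value
    that parses as exactly one plain address, and the originating IP recorded
    in a header so abuse can be traced."""
    for key in ("name", "email", "subject"):
        if CRLF.search(form.get(key, "")):
            raise ValueError(f"line break in form field {key!r}")
    email = form.get("email", "").strip()
    addr = parseaddr(email)[1]
    if not addr or addr != email or "@" not in addr:
        raise ValueError("sender is not a single plain address")
    msg = EmailMessage()
    msg["To"] = RECIPIENT            # any 'to' field in the form is ignored
    msg["From"] = SITE_FROM          # we send as ourselves...
    msg["Reply-To"] = addr           # ...and let the webmaster reply to the visitor
    msg["Subject"] = form.get("subject") or "(no subject)"
    msg["X-Originating-IP"] = client_ip
    msg.set_content(f"Submitted by {form.get('name', '')} <{addr}> from {client_ip}\n\n"
                    f"{form.get('message', '')}")
    return msg.as_string()


def rejects(form, client_ip="203.0.113.7"):
    """True if the hardened builder refuses the submission."""
    try:
        build_hardened(form, client_ip)
    except ValueError:
        return True
    return False


def headers_of(raw_message):
    """Parse a built message back into {header: value} for inspection."""
    return dict(message_from_string(raw_message).items())


if __name__ == "__main__":
    print("injected:", headers_of(build_vulnerable(ATTACK_SUBMISSION)).get("Bcc"))
    print("hardened rejects injection:", rejects(ATTACK_SUBMISSION))
    print(build_hardened(GOOD_SUBMISSION, "203.0.113.7"))
```

Run stand-alone, the first line shows the two victim addresses sitting in a Bcc header that the spammer never needed to be "allowed" to add; the same submission is refused by the hardened builder, and a submission that smuggles a different recipient into the form's "to" field still goes to the address coded in the script. Sending as the site's own address and putting the visitor in Reply-To also keeps the web server from emitting mail that claims to come from domains it does not control.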