
What is SPAM?
"Unwanted email" - generally originating from an obscured server, making tracking of source difficult.
How do people send SPAM?
1. Open Mail Relay or Proxy - servers that are (mis)configured to relay mail without authentication
2. Trojans/worms that infect PCs and send mail
The legitimacy of email - things to check:
Is the email server real and registered?
dig -t MX whatever.com
nslookup on the host names to see if the IP numbers and names match
Email headers
All email has standard headers - part of the mail protocol.
Check your email client for the option to allow viewing full headers.
Identifying SPAM emails
Problem: How do you identify SPAM?
Where do you draw the line?
However, major issues with SPAM or unsolicited email:
* Waste of bandwidth and disk space
* Increased administrative costs for filters, blackhole lists and the like
* Offensive material - does anyone have the right to send you pornography?
* Impact on children - what is acceptable behaviour?
* Misuse of your email address leading to rise of distrust
* Damage to individual PCs and costs involved
* Compromise of secondary MX servers and reduction in redundancy
Let's look at some examples of suspect emails:
Note: to track emails you will need to use some of the tools introduced in the Domain Name System section.
In particular you will need the web sites for Dig and be able to use the nslookup command.
Some of the web sites will also help you check if an email is suspect by letting you put the IP number into their search field. You can get the IP number of the sender from the Received line in the header, as shown below.
Have a look at the Received lines in the headers below - they are the real source of the emails.
1. Multiple Received lines and obscured source IP
Normally there should be only one "Received" line. This email has several, indicating that it was bounced through different systems to try and hide the origin.
Return-Path: <miwanil@hotmail.com>
Delivered-To: damian@dlk.com.au
Received: from host82-65.pool80180.interbusiness.it (HELO 24.73.148.177) (80.180.65.82)
Received: from [183.62.39.149] by m10.grp.snv.yahoo.com with QMQP; Apr, 24 2007 8:42:29 PM -0000
Received: from unknown (149.89.93.47) by rly-xr02.mx.aol.com with NNFMP; Apr, 24 2007 7:34:32 PM -0700
From: PeakPerformance <miwanil@hotmail.com>
To: damian@dlk.com.au
Subject: Strategies To Develop Your Ultimate Potential
Sender: PeakPerformance <miwanil@hotmail.com>
Mime-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Date: Tue, 22 Apr 2003 21:43:52 -0700
X-Mailer: The Bat! (v1.52f) Business
Message-Id: <20030423043840.EA63C570011@tuan.dlk.com.au>
2. Multiple obscured source addresses - harder to track. Misuse of MIL network?
Return-Path: <adelaeb33@yahoo.com>
Delivered-To: damian@dlk.com.au
Received: from postoffice.telstra.net (postoffice.telstra.net [203.50.2.115])
by tuan.dlk.com.au (Postfix) with ESMTP id 4E1A7570011
for <damian@dlk.com.au>; Mon, 7 Apr 2003 21:51:12 -0400 (EDT)
Received: from 211.144.88.72 (CacheFlowServer@wcsssp1.ncr.disa.mil [209.22.88.24])
by postoffice.telstra.net (8.12.6p2/8.11.1) with SMTP id h381s5Lt042966
for <damian@dlk.com.au>; Tue, 8 Apr 2003 11:54:06 +1000 (EST)
(envelope-from adelaeb33@yahoo.com)
To: Damian@postoffice.telstra.net
X-MSMail-Priority: Normal
Subject: Damian Music Mp3 Better than Napster
Message-Id: <4y4u4e8ipfgvcwsb1y5k$9vesgj$4hjajx33.adelaeb33@yahoo.com>
X-Mailer: AOL 8.0 for Windows US sub 230
Content-Type: text/html; charset=iso-8859-1
Received: from 211.144.88.72 by 95953v9p.211.144.88.72 with SMTP for Damian@Damian; Mon, 07 Apr 2003 21:58:22 -0500
X-Priority: 3 (Normal)
From: adelaeb33@yahoo.com
Date: Mon, 07 Apr 2003 21:58:22 -0500
X-Sender: adelaeb33@yahoo.com
Content-Transfer-Encoding: 7BIT
Remember - the layout of different suspect emails may vary depending on what the spammer does, and maybe how your email server handles the mail. So, take the above examples as a guide and work from there. In any case, tools like Dig and nslookup will always help!
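The checks above can be scripted. The following is an added example (not part of the original course notes): it pulls the Received lines out of a header block modelled on the first suspect email, reports the connecting IP recorded by the newest hop (the one your own server wrote, which is the value to feed into Dig or nslookup), flags the tell-tale signs seen in the examples (no reverse DNS name, a consumer address pool, a HELO name that disagrees with the connecting IP), and checks whether the Date header agrees with the years stamped in the Received lines. It assumes the topmost Received line was added by the receiving server.

```python
import email
import re
from email import policy, utils

# Constructed sample modelled on suspect email 1 above (Received chain and Date copied; body made up).
SUSPECT = """Return-Path: <miwanil@hotmail.com>
Received: from host82-65.pool80180.interbusiness.it (HELO 24.73.148.177) (80.180.65.82)
Received: from [183.62.39.149] by m10.grp.snv.yahoo.com with QMQP; Apr, 24 2007 8:42:29 PM -0000
Received: from unknown (149.89.93.47) by rly-xr02.mx.aol.com with NNFMP; Apr, 24 2007 7:34:32 PM -0700
From: PeakPerformance <miwanil@hotmail.com>
Date: Tue, 22 Apr 2003 21:43:52 -0700

(body omitted)
"""

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
YEAR = re.compile(r"\b(?:19|20)\d{2}\b")

def analyse_hops(raw):
    """One dict per Received line, newest first; only the newest one is written by your own server."""
    msg = email.message_from_string(raw, policy=policy.default)
    report = []
    for hop in msg.get_all("Received", []):
        hop = " ".join(str(hop).split())          # unfold continuation lines
        from_part = hop.split(" by ")[0]          # keep only the sending side of the hop
        m = re.match(r"from\s+(\S+)", from_part)
        claimed = m.group(1) if m else ""         # name the sender announced or the server looked up
        ips = IPV4.findall(from_part)             # last IP in the from-clause is the connecting address
        helo = re.search(r"HELO\s+(\S+?)\)", from_part)
        flags = []
        if claimed == "unknown" or claimed.startswith("["):
            flags.append("sending host has no reverse DNS name")
        if re.search(r"pool|dyn|dhcp|dial|ppp", claimed, re.I):
            flags.append("dynamic/consumer address pool (typical of a trojaned PC)")
        if helo and IPV4.fullmatch(helo.group(1)) and ips and helo.group(1) != ips[-1]:
            flags.append("HELO claims %s but connection came from %s" % (helo.group(1), ips[-1]))
        report.append({"claimed": claimed, "ip": ips[-1] if ips else None, "flags": flags})
    return report

def true_source(raw):
    """Connecting IP from the newest hop: the number to put into Dig, nslookup or a blacklist lookup."""
    hops = analyse_hops(raw)
    return hops[0]["ip"] if hops else None

def date_mismatch(raw):
    """True when the Date header's year matches none of the years stamped in the Received lines."""
    msg = email.message_from_string(raw, policy=policy.default)
    sent = utils.parsedate_to_datetime(str(msg["Date"])).year
    seen = {int(y) for h in msg.get_all("Received", []) for y in YEAR.findall(str(h))}
    return bool(seen) and sent not in seen
```

Run true_source and analyse_hops on the full headers from your own email client; the lines below the newest hop are only the spammer's claims, so treat them as clues rather than evidence.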
Using your own email client, view the full headers of the email as shown above.
Select two emails - one from a legitimate sender and one from a suspect sender.
Compare the two emails. Can you tell the difference?