IT Blogs & News - Written by IT Professionals - iuvo Technologies

Spam and Headers

Written by Bryon Beilman | Aug 10, 2007 1:02:17 PM

by Bryon D Beilman

I get asked many questions about mail and especially as it relates to spam.

  • How is the spam getting sent from an internal machine?
  • I got a return from a message that I didn't send, do I have a virus?
  • Why do I get spam about "Viagra/Porn/free money in Africa/stocks" ?
  • Everyone agrees that spam sucks the productivity out of the work force (except perhaps the spammers themselves). Unfortunately it has a multiplying effect. If an organization gets spammed, then the users spend time reading it, analyzing or reporting it. When it gets reported, the IT team has to analyze it, perhaps use it to train bayesian filters and determine if it poses any other risks (ie, does it have a virus, where did the email originate from?, etc).

    There are a few good services that I like and recommend, which I will mention briefly, but is not the focus of this blog. The open source project "Spam Assassin" works well and if you can control your own mail relay then this coupled with a good MTA (I like postfix), is a good start.

    If you need to scale and want to have a more sophisticated suite of anti-spam/anti-virus programs, I would recommend the Barracuda appliance, or the Postini Email service. One advantage of using a service (or an appliance at a co-lo) is that you can filter the email and viruses before they come into your WAN and thus freeing up network bandwidth that can be used for productive work.

    Back to my Questions:

    How do I get spam from inside the company (or even perhaps myself)?

    There are a few possibilities, but the two most common scenarios are.

    1) It is not coming from inside, but the email header is forged.
    2) It is coming from inside and someone on the inside has a virus that is sending to and from entries in their address book.

    How do you know?
    The only real way to know is to look at your email headers. If you use a UNIX/Linux email client then you may be used to seeing those headers, but they are generally now shown within Microsoft Outlook. To see the headers of a sent email, you need to do the following.
    With the message selected, right click and chose options. Under Internet Headers, there will be a box that shows how a message traveled.

    Below is a snippet from a real spam message (the domain name changed to protect the innocent). The message appears to come from Sam Spade (sspade@spamsucker.com), but in the email headers it is shown that it really came from bzq-88-155-208-114.red.bezeqint.net . So fred@spamsucker.com thinks that Sam Spade sent him an email, but it really came from another email address, where someone change the Mail From: line. If you saw that this email was actually generated from the inside of your network then you might have more of a legitimate concern that something anomalous was happening inside of your network.

    Microsoft Mail Internet Headers Version 2.0
    Received: from spamsucker.com ([1.2.3.4]) by spamsucker.com with Microsoft SMTPSVC(6.0.3790.1830);
    Thu, 9 Aug 2007 10:13:31 -0400
    Received: from spam-sbk.upstreamprovider.com ([4.5.6.7]) by spamsucker.com with Microsoft SMTPSVC(6.0.3790.1830);
    Thu, 9 Aug 2007 10:13:30 -0400
    Received: from mx1.upstreamprovider.com (unknown [4.5.6.7])
    by spam-sbk.upstreamprovider.com (Postfix) with ESMTP id 38F933C885
    for ; Thu, 9 Aug 2007 10:13:30 -0400 (EDT)
    Received: from econ.bg (bzq-88-155-208-114.red.bezeqint.net [88.155.208.114])
    by mx1.upstreamprovider.com (Spam Firewall) with SMTP id 3615325ED7
    for ; Thu, 9 Aug 2007 10:13:28 -0400 (EDT)
    Message-ID: <001001c7daa8$9a04b870$06cc8b7c@owner7z51bgb8s>
    From: "Sam Spade"
    To: "fred"
    X-ASG-Orig-Subj: boris cupid breeches
    Subject: [QUAR] boris cupid breeches
    Date: Thu, 9 Aug 2007 17:13:27 +0300

    Sometimes people get messages about a bounce from another email server that apparently came from them, but they didn't send it. Besides being yet another "Time Suck", the headers (if they are in the message can again help). In this case, the majority of the time a spammer is sending a message from someone to someone else. The addresses are those that have been harvested from the Internet, or in some cases someone who knows you has a virus and their contacts were propagated out to the wild wooly Internet.

    Forging email headers is not difficult and beside the script kiddie warez that is out there, just reading the RFC for SMTP can give you all the information for you to do it with a command line prompt and telnet to port 25. This is left for an exercise for the reader.

    The last question. Why do you get email about viagra, porn or getting money from someone in Africa? The answer is economics and the ease of trying to find one response out of the millions that they send to click on their links. Unfortunately, any time you publish to a public forum, send email to a public site, your email address runs the risk of being harvested by spammers. There is alot more to talk about in practical ways to keep spam down to a minimum, but that will have to be a completely new blog.