All mail that passes through the main Humboldt Netlink mail server (mailer.humboldt.net) is scanned to identify spam. We use a rule-based spam filter (SpamAssassin) that marks suspect messages with a score determined by which rules were matched. A commercial virus filter scans any attachments and will cause an infected attachment to be removed from the message before further delivery. The scanner also quarantines attachments that have been deemed unsafe by Microsoft. You can see a summary of our filter system and what the SpamAssassin rules are at Mail Filter Rules.

Our mail filter uses very conservative settings with respect to spam. At the server level the filter does discard messages that garner a score equal to or greater than the SpamAssassin High Score, but all messages with a lower score are delivered. This is done to reduce the possibility of the anti-spam filter blocking legitimate email. Users can tailor what actions are taken on messages that have been identified as possible spam at our Mail Account Management page. With that application you can set your own spam discard score as well as establish your own personal whitelist. The application also allows the user to forward email, and any email so forwarded will be subject to the user's whitelist and spam control. Note that messages that garner a SpamAssassin score less than 3 will not have the X-MailScanner-SpamCheck and X-MailScanner-SpamScore headers added to them.

A Spam Primer

Spam, or Unsolicited Commercial Email (UCE), is a growing problem. It corresponds exactly to the junk mail that everyone receives on a daily basis via the postal system. However, while it costs a stamp to deliver surface mail, there's little cost to deliver UCE via the Internet. The bulk of UCE being spread now comes from "one time sources", where some clueless user has fallen for one of the "make money with your computer at home" scams. They get a CD with bulk mailing software and huge address lists and are paid some amount for each UCE that they send. At reputable ISPs such activity doesn't go unnoticed for long and the account is suspended or canceled, causing that particular source to disappear. So blocking the IP or site is of little or no use. Unfortunately there are a lot of service providers that are more than a bit tolerant of spamming activities by their customers, or at least aren't very diligent in monitoring and acting on spammers. Another source of UCE is poorly configured mail servers that will relay mail for any user. Professional spammers search for mail servers like this and use them to disseminate UCE. In cases like that the mail may appear to originate from a reputable source.

Spammers also take pains to hide their real identity; see the section on Email Basics below for an example. And since the headers in most spam are forged, it serves no purpose to reply to a message to complain. If there is a real address associated with the message that you can reply to, it is probably directed to a program that marks your address as being valid in the UCE address list. In a like manner, the "Click here to be removed from this list" link is probably a scam. Taking that action doesn't get you removed from the list; it merely confirms that your address works. The only sane thing to do with a piece of UCE is exactly the same thing that you do at home with postal junk mail: just delete it.

So how did your email address get onto one of these UCE mailing lists? Unfortunately there are a lot of ways for that to happen. Email addresses have become a commercial item, with organizations that support UCE activity actively pursuing email lists and paying Internet sites for collected addresses. Those sites that are above board about the use of email addresses will give you the option of restricting the use of your address and will use a closed loop verification, meaning that you'll receive an email requiring you to go back to their site via a special link to confirm your choice. If you don't verify the selection they discard the address. These are commonly referred to as "opt-in" sites. Since an email address has commercial value, not all sites operate this way. Some consider any addresses submitted as being implicitly available for their use; others operate on an "opt-out" policy where you have to explicitly request that your email address not be disseminated. And a lot of sites don't confirm email addresses that a site visitor supplies. Even when a site doesn't have a policy of selling or otherwise distributing the email addresses it has gathered, if it doesn't properly protect that data it might be stolen and sold by anyone that gains access to it.

While not as many people are exposed this way, as compared to several years ago, participation in any of the Usenet news groups can result in your email address being exposed to harvesters. Another common means of exposure is subscription to mailing lists, chat groups, and signing of web site guest books. There are harvesters that subscribe to mailing lists just to collect email addresses, others that search chat groups and others that scan the Internet looking for web site guest books. Some viruses and malicious web sites also gather email addresses. Obviously good anti-virus protection on your mail client machine is important, but what's not so obvious is that there are ways to trick Outlook and Internet Explorer into divulging an email address. For the most part that does require that you be running a susceptible version of those tools and/or that you haven't configured the security settings high enough. And then there are the applications that ask you to "register with them". Before doing so you really need to determine from their site what their policies are with regard to collected email addresses.

Email Basics

Every email message consists of two parts. The part that you see in your email client is normally referred to as the body and contains the From:, To:, Subject:, etc., headers, the actual message and any attachments. Note that nothing in the body of a message is actually used by a Mail Transport Agent (MTA) to effect delivery of a message. The headers that you can normally see are informational in nature and can contain anything that the sending Mail User Agent (MUA) wants to place there. In fact, those headers can be completely missing and the email will still be delivered. There's another set of headers, normally referred to as the envelope, that actually govern email delivery. The body and envelope of a message correspond exactly to the letter content and envelope of surface mail. The Post Office uses what's on an envelope to deliver mail and has no knowledge of what's inside the envelope. Spammers frequently forge the From: and/or To: contents to hide their identity, which is how you can get an email that appears, from the headers you normally see, to be from a legitimate source or to have been sent to an address that isn't yours. To determine the actual source of a message you have to examine the envelope headers. With a Netscape email client this is easily done by selecting View->Headers->All and you'd see something like:

Return-Path:<angelqq94264e34@aol.com>
X-Sieve: cmu-sieve 2.0
Received: from relay.dom.tld (relay.dom.tld [1.2.3.4])
  by mail.dom.tld (8.12.3/8.12.3) with SMTP id g7SJJvju027274
  for <Jim.Levie@mail.dom.tld>; Wed, 25 Sep 2002 06:16:33 -0500
Received: from aol.com (200-207-126-141.dsl.telesp.net.br [200.207.126.141]))
  by relay.dom.tld (8.12.2/8.12.2) with ESMTP id g8PBGLSu016440
  for <jim.levie@dom.tld>; Wed, 25 Sep 2002 06:16:28 -0500
Reply-To: <angelqq94264e34@aol.com>
Message-ID: <004c41d82d1e$1548a3b3$8cb02bd4@ynjpcq>
From: <juan63201h06@hotmail.com>
To: angelqq9@aol.com
Subject: Hows it going 5200dujH-8
Date: Wed, 26 Sep 2002 03:05:41 +0800
MiME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Importance: Normal
X-Scanned: Found to be clean, Found to be clean
X-MailScanner: Found to be clean
X-MailScanner-SpamCheck: (score=13.1, required 3 DATE_IN_PAST_12_24,
  FROM_ENDS_IN_NUMS, FROM_HAS_MIXED_NUMS, FROM_HAS_MIXED_NUMS2,
  INVALID_MSGID, MIME_ODD_CASE, NO_REAL_NAME, SPAM_PHRASE_02_03,
  SUPERLONG_LINE, USER_AGENT_OUTLOOK)
X-MailScanner-SpamScore: sssssssssssss

Examining the first Received: line from the bottom, we can tell that the message originated from 200-207-126-141.dsl.telesp.net.br and that the system was claiming to be aol.com, neither of which has anything to do with what we see in the From: header (juan63201h06@hotmail.com). Also note that the To: header says that the message is for angelqq9@aol.com but that the envelope recipient (from the topmost Received: line) is Jim.Levie@dom.tld.

Our email scanning system added two headers to the message. One (X-MailScanner: Found to be clean) indicates that the message has been scanned and was not carrying a virus. The other (X-MailScanner-SpamCheck: (score=13.1...) is more interesting. It says that the scanning system ran the message through SpamAssassin, which classified it as possible spam. The X-MailScanner-SpamScore: sss... header line is a simple representation of the rounded SpamAssassin score, with one "s" for each integer of the score (up to a max of 20). The SpamAssassin tests that matched on this message are:

DATE_IN_PAST_12_24    Date: is 12 to 24 hours after Received: date (score=3.169)
FROM_ENDS_IN_NUMS     From: ends in numbers (score=1.614)
FROM_HAS_MIXED_NUMS   From: contains numbers mixed in with letters (score=-0.891)
FROM_HAS_MIXED_NUMS2  From address matches known spammer format (score=1.862)
INVALID_MSGID         Message-Id is not valid, according to RFC 2822 (score=1.226)
MIME_ODD_CASE         MiME-Version header (oddly capitalized) (score=3.478)
NO_REAL_NAME          From: does not include a real name (score=-0.331)
SPAM_PHRASE_02_03     Spam phrases score is 02 to 03 (medium) (score=-0.713)
SUPERLONG_LINE        Contains a line >=199 characters long (score=-2.197)
USER_AGENT_OUTLOOK    X-Mailer header indicates a spam MUA (Outlook) (score=3.151)

While some of the things that SpamAssassin matched might have been associated with a legitimate message, the combination of those makes it likely that this message was from a spammer.
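
The reading of the sample headers walked through above, as an added example that is not part of the original page: Python that treats the bottom Received: line as the origin, compares its HELO name and the From:/To: headers with what the relays recorded, and checks the two MailScanner score headers against each other. The function names, the regular expressions (written for the Sendmail-style Received: lines shown here) and the use of round() for the "s" bar are assumptions.

```python
import re
from email import message_from_string

# Headers copied from the sample message on this page, trimmed to the fields used.
RAW = """\
Received: from relay.dom.tld (relay.dom.tld [1.2.3.4])
  by mail.dom.tld (8.12.3/8.12.3) with SMTP id g7SJJvju027274
  for <Jim.Levie@mail.dom.tld>; Wed, 25 Sep 2002 06:16:33 -0500
Received: from aol.com (200-207-126-141.dsl.telesp.net.br [200.207.126.141]))
  by relay.dom.tld (8.12.2/8.12.2) with ESMTP id g8PBGLSu016440
  for <jim.levie@dom.tld>; Wed, 25 Sep 2002 06:16:28 -0500
From: <juan63201h06@hotmail.com>
To: angelqq9@aol.com
X-MailScanner-SpamCheck: (score=13.1, required 3 DATE_IN_PAST_12_24,
  FROM_ENDS_IN_NUMS, FROM_HAS_MIXED_NUMS, FROM_HAS_MIXED_NUMS2,
  INVALID_MSGID, MIME_ODD_CASE, NO_REAL_NAME, SPAM_PHRASE_02_03,
  SUPERLONG_LINE, USER_AGENT_OUTLOOK)
X-MailScanner-SpamScore: sssssssssssss
"""

# Sendmail-style hop: "from HELO (rDNS [IP]) by ... for <envelope-recipient>"
HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[\d.]+)\]\)+"
                 r".*?for\s+<(?P<rcpt>[^>]+)>", re.S)
CHECK = re.compile(r"score=([\d.]+),\s*required\s+([\d.]+)\s+(.*)\)", re.S)

def addr(value):  # bare lower-cased address from a header value such as '<a@b>'
    return (value or "").strip("<> \t").lower()

def analyze(raw):
    msg = message_from_string(raw)
    hops = [m.groupdict() for h in msg.get_all("Received", []) if (m := HOP.search(h))]
    if not hops:
        raise ValueError("no parseable Received: header")
    delivered, origin = hops[0], hops[-1]   # topmost = final hop, bottom = first hop
    rdns = "." + origin["rdns"].lower()     # leading dot forces whole-label suffix matches
    report = {
        "origin_ip": origin["ip"],
        "helo_consistent": rdns.endswith("." + origin["helo"].lower()),
        "from_consistent": rdns.endswith("." + addr(msg["From"]).rsplit("@", 1)[-1]),
        "envelope_rcpt": delivered["rcpt"],
        "to_consistent": addr(msg["To"]) == delivered["rcpt"].lower(),
    }
    m = CHECK.search(msg.get("X-MailScanner-SpamCheck", ""))
    if m:   # both score headers are absent when the score is below 3
        score, bar = float(m.group(1)), msg.get("X-MailScanner-SpamScore", "")
        report.update(score=score, required=float(m.group(2)),
                      rules=re.findall(r"[A-Z0-9_]+", m.group(3)),
                      bar_consistent=len(bar.strip()) == min(round(score), 20))
    return report
```

Only Received: lines written by servers you control can be trusted; a sender can insert forged ones below them, so start reading from the hop your own relay recorded.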