[Dshield] Spam Problem

Jon R. Kibler Jon.Kibler at aset.com
Mon Jan 12 16:59:57 GMT 2004

Brad Spencer wrote:
> The earlier tests for mets17 at erols.com were from the Washington, DC
> area.  Later ones were from the Los Angeles, California area.  Either he
> moved or he moved the source of his tests.

Regarding "Either he moved or he moved the source of his tests."

Actually, the real answer is "None of the above." Well, maybe, kind of, the latter.

Most criminal spammers (and the one to whom you refer falls into that category) go to extremes to hide their identity. This usually means routing their spam through multiple layers of hijacked computers, and usually using at least one that is in a foreign locale that does not have laws against hijacking computers. Spammers are continually changing the routing of their email. (And, thanks to our really brilliant Congress' anti-spam laws, the criminal spammers are moving their operations offshore -- just like Internet gambling -- making it even harder to trace their identities.)

We have hundreds of examples where one of our spam-bait email addresses is sent spam simultaneously from multiple hijacked systems -- often all from the same forged sender email address. Spammers are not only continually changing the routing of their spam, they use multiple systems to simultaneously send spam in hopes that at least one system will be able to get past any spam filtering in place. This is why you sometimes receive multiple copies of the same spam, seemingly from the same person, sent at the same time. If you examine the Received: headers in detail, you will see that the spam was actually sent from different hijacked systems. And it goes without saying that these multiple hijacked systems are clearly under the central control of a single spammer.

When you find that your computer has been hijacked by a spammer, and you back trace the source of the emails, you are only going to find the last computer in the relay chain. (Actually, if you find that your computer has been hijacked by anyone, for any reason, your first step -- after documenting and breaking the network connection -- should be to file a report with your local law enforcement agency and INSIST they investigate. The squeaky wheel gets the grease...)

To go further back, you would need the cooperation of the ISP of the computer that is sending your hijacked computer spam (and lots of luck getting that cooperation). The ISP would then have to determine who is sending the spamware on that computer the junk to be relayed. You would then have to get the cooperation of that other computer's ISP... etc.

Also, you have to be very careful when examining email headers. Most spamware is going to strip off any Received: headers it finds before relaying a message to either the next hop or the final destination. Spammers also add forged Received: headers to make it harder to track the real source. Never trust any Received: header that goes back any further than a mail server that you trust. This usually means that you can only trust the Received: headers added by your or your ISP's mail server, or the mail server of any spam filtering service used upstream of the local mail server.

Finally, NEVER trust the sender email address. It is always forged. Some of the more nasty criminal spammers will even forge the email address of one of the competitors to send you down the wrong trail -- should you pay any attention to sender email addresses. (One of the latest spammer forgery tricks is to use an email address with the sender's hostname the same as the relay name. Thus, if the connection was from the host "10-5-3-2.my.hijacked.computer.com", the sender's email address would be something like "a.bogus.user at 10-5-3-2.my.hijacked.computer.com". How lame can you get?)

Hope this helps clarify what spammers are up to...

Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214
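
The header-trust rule described in the message above, as an added example that is not part of the original post: it reads Received: headers newest-first, stops at the first connecting IP that is not a trusted relay, and groups copies of one spam by the forgeable From: address. It assumes the topmost Received: header was stamped by the recipient's own server and that servers record the peer as `[ip]`; the trusted relay IP, hostnames and messages are constructed sample values.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def trusted_origin(raw, trusted_ips):
    """Return (ip, ignored): the connecting IP recorded by the last trusted
    server, and how many older Received: headers were left unread."""
    received = message_from_string(raw).get_all("Received") or []
    origin = None
    for idx, hdr in enumerate(received):
        # The part before " by " is what the stamping server saw connect.
        from_clause = re.split(r"\sby\s", " ".join(hdr.split()), maxsplit=1)[0]
        match = IP_RE.search(from_clause)
        if match is None:
            return origin, len(received) - idx - 1
        origin = match.group(1)
        if origin not in trusted_ips:
            # Everything older was supplied by an untrusted host.
            return origin, len(received) - idx - 1
    return origin, 0

def relays_by_sender(messages, trusted_ips):
    """Group the trusted connecting IPs by the (forgeable) From: address."""
    seen = defaultdict(set)
    for raw in messages:
        sender = parseaddr(message_from_string(raw)["From"] or "")[1]
        seen[sender].add(trusted_origin(raw, trusted_ips)[0])
    return dict(seen)

# Constructed samples; all hosts and addresses are documentation values.
TRUSTED = {"198.51.100.7"}  # assumed upstream filtering service
MSG_A = (
    "Received: from filter.example.net (filter.example.net [198.51.100.7])\n"
    "\tby mx.example.org with ESMTP; Mon, 12 Jan 2004 10:00:01 -0500\n"
    "Received: from host-45.example.com (unknown [203.0.113.45])\n"
    "\tby filter.example.net with SMTP; Mon, 12 Jan 2004 10:00:00 -0500\n"
    "Received: from mail.example.edu (mail.example.edu [192.0.2.200])\n"
    "\tby host-45.example.com; Mon, 12 Jan 2004 09:59:00 -0500\n"
    "From: a.bogus.user@example.com\nSubject: offer\n\nbody\n"
)
MSG_B = (
    "Received: from dsl-9.example.net (dsl-9.example.net [203.0.113.99])\n"
    "\tby mx.example.org with ESMTP; Mon, 12 Jan 2004 10:00:01 -0500\n"
    "From: a.bogus.user@example.com\nSubject: offer\n\nbody\n"
)
```

In MSG_A the third Received: header is the kind a relay could have forged, so the walk never reads it.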
