Sunday, December 28, 2008

Relaying to hide message origins

Your email is valuable! $0.003 (hey, that's something). Have an alternate set up to be the one you give away.

Old school spoofing has changed: you can no longer simply telnet to a mail server and type in false information from the command line, though some old mail servers do still allow this. What spammers do is send a relay point false information; a relay is a server that serves as a middle man between the sender and the recipient. This can be considered a form of a man-in-the-middle attack. New servers do not send the mail unless the sender's information matches the domain they are on. There are workarounds, though, because servers send mail for multiple domains. Spammers have complicated software, often written by the few and used by the many; some of this spoofing software is even sponsored by top schools such as MIT.

Spammers don’t originate their messages on their own server. Even with fake
From: and Received: headers — which, like the breadcrumbs in the fairytale
Hansel and Gretel, are used to trace a message’s path back to its point of
origin — you’d still be able to trace those messages back to the spammer by
reading all the other Received: headers. And of course, spammers don’t
want you to do that.
To make it far more difficult for you to trace their messages, spammers relay
their messages through another system in a way that causes the message to
look like it originally came from the relaying system.
Older versions of sendmail supported a once-common method for reoriginating
mail — sending a message to a mail server that was not the
destination server, but an intermediate server. For example, you could initiate
an SMTP connection to and send it a message
that is being sent to The sendmail program
would happily accept and forward the message on to its final destination.
This is what is called relaying. With relaying, it is possible to re-originate a
message and completely hide the true origin of a message. (For some odd
reason, spammers don’t want people to be able to find them so easily.)
Today, most system admins will have upgraded their sendmail with a version
that no longer permits relaying: Newer versions of sendmail will only accept
messages intended for its own domain and no other by default.
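Reading the Received: headers back to the origin, as the passage describes, is the defender's side of this. The following Python is an added example, not code from the book or from this post: it parses a constructed message (all hostnames, addresses and IPs are made up for the example), lists the hops in the order the message actually travelled, and flags the point where a line typed in by the sender fails to chain to the server above it.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message (not from the page). Each server PREPENDS its own
# Received: line, so the recipient reads the newest hop first and the oldest,
# i.e. the true origin, last.
GENUINE = """\
Received: from mx.example.org (mx.example.org [203.0.113.10])
\tby mail.example.net with ESMTP id abc123
\tfor <john@example.net>; Mon, 22 Dec 2008 10:05:02 -0500
Received: from relay.example.com (relay.example.com [198.51.100.7])
\tby mx.example.org with ESMTP id def456; Mon, 22 Dec 2008 10:04:58 -0500
Received: from [192.0.2.44] (unknown [192.0.2.44])
\tby relay.example.com with SMTP id ghi789; Mon, 22 Dec 2008 10:04:50 -0500
From: "The Pope" <pope@vatican.example>
To: john@example.net
Subject: I haven't seen you in a while

You haven't been to confession in a while.
"""

# The same message with one extra Received: line that the sender typed in
# himself (it sits at the bottom, so it claims to be the earliest hop).
FORGED = GENUINE.replace(
    "From: ",
    "Received: from mail.vatican.example (mail.vatican.example [203.0.113.99])\n"
    "\tby smtp.vatican.example with ESMTP id fake01; Mon, 22 Dec 2008 09:00:00 -0500\n"
    "From: ", 1)

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>\S+)\s+)?\[(?P<ip>[0-9.]+)\]\)\s+by\s+(?P<by>\S+)")


def parse_received(value):
    """Split one Received: header into from-host, reverse DNS name, IP, by-host and time."""
    flat = re.sub(r"\s+", " ", value).strip()          # unfold continuation lines
    m = RECEIVED_RE.search(flat)
    if not m:
        return None
    hop = m.groupdict()
    hop["rdns"] = hop["rdns"] or hop["helo"]
    hop["time"] = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip()) if ";" in flat else None
    return hop


def trace_path(raw_message):
    """Hops oldest-first, i.e. in the order the message actually travelled."""
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    return [h for h in reversed(hops) if h]


def chain_breaks(hops):
    """Indexes i where hop i's 'by' host is not hop i+1's 'from' host.
    A real server names itself in 'by' and the next server records that same
    name in 'from'; a line typed by the sender cannot satisfy both, so the chain
    breaks right above the forgery."""
    return [i for i in range(len(hops) - 1) if hops[i]["by"] != hops[i + 1]["rdns"]]


def origin_ip(raw_message):
    """IP of the earliest hop that is still consistent with the chain: everything
    below the last break is untrustworthy and ignored."""
    hops = trace_path(raw_message)
    breaks = chain_breaks(hops)
    first_trusted = breaks[-1] + 1 if breaks else 0
    return hops[first_trusted]["ip"]


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("forged", FORGED)):
        hops = trace_path(raw)
        print(label, "breaks at", chain_breaks(hops), "origin", origin_ip(raw))
        for h in hops:
            print("   ", h["ip"], "->", h["by"], h["time"])
```

On real mail the names in "by" and the next hop's "from" often differ for harmless reasons (an MX alias versus a canonical hostname, a missing reverse record), so a break is a reason to scrutinize the lower headers, not proof of forgery; the hop added by your own border server is the only one you can fully trust.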

You may be wondering how relaying differs from legitimate mail origination.
Well, when you or I send an e-mail message, we create it in an e-mail program
such as Outlook or Lotus Notes. In relaying, the program sending a mail
message to the SMTP server isn’t a program like Outlook, but a special program
used to originate spam. Basically, instead of actually typing e-mails,
this program connects to the relay server (a mail server with an older or
mis-configured version of sendmail that still permits relaying) and then
creates e-mails on that server. The program that spammers use need not
be complicated — it could be a simple script.
To illustrate how this works, Listing 3-2 shows an example I used in the 1990s
to demonstrate how easy it was to forge a completely genuine-looking mail
message. All it takes is telnet and a cursory understanding of the SMTP protocol.
In Listing 3-2, the commands that I typed to relay a message from the
Vatican to my friend John appear in bold.
Listing 3-2: Hiding a Message Origin with a Relay
% telnet 25
220 SMTP Sendmail 8.11.6/8.11.0 here
250 Hello wbar7.sea1-4-4-021-163.sea1.dslverizon.
net [], I’m listening
MAIL From:
250 sender ok
250 recipient ok
DATA
354 Enter mail, end with “.” on a line by itself
Subject: I haven’t seen you in a while

You haven’t been to confession in a while. Please come
and see me soon. I don’t want you to end up in purgatory.
The Pope
.
250 HAA19816 Message

A few minutes after I created the relay message, a mail message would show
up for my friend John (and he always knew it was really from me). The message
appeared to have actually originated on the mail server —
because it did! I used to do this demonstration for people to show them that
you shouldn’t assume that a message is genuine despite outward appearances.
By the way, turned off mail relaying several years ago
(good for them — they probably discovered that their mail server was being
used to relay spam). Warning: Don’t try this at home — I’m quite sure that
this is illegal these days.
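The rule the text credits to newer sendmail versions, accept mail for your own domains and refuse to forward anything else for strangers, is small enough to write down. The Python below is an added illustration, not sendmail's code and not from this post; the domains, trusted network, and reply strings are assumptions made for the example (the replies are modelled on Listing 3-2). It also answers the relay attempt from the listing the way a properly configured server would.

```python
import ipaddress

# Assumed configuration for a hypothetical server (constructed for this example).
LOCAL_DOMAINS = {"example.net", "mail.example.net"}              # we are the destination
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]        # our own users' LAN


def rcpt_decision(client_ip, recipient, authenticated=False,
                  local_domains=LOCAL_DOMAINS, trusted_networks=TRUSTED_NETWORKS):
    """Reply to RCPT To:. Final delivery to one of our domains is always fine;
    sending outward is fine only for our own users (trusted net or authenticated).
    Anything else is a stranger asking us to forward mail for a third domain,
    which is exactly what an open relay used to accept."""
    domain = recipient.rpartition("@")[2].lower()
    if domain in local_domains:
        return "250 recipient ok"
    ip = ipaddress.ip_address(client_ip)
    if authenticated or any(ip in net for net in trusted_networks):
        return "250 recipient ok"
    return "550 Relaying denied"


def handle_session(client_ip, commands, authenticated=False):
    """Tiny SMTP state machine covering only the verbs in Listing 3-2; reply
    strings are modelled on the listing, not copied from any real server."""
    replies, recipients = [], 0
    for cmd in commands:
        verb, _, arg = cmd.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            replies.append(f"250 Hello {arg}, I'm listening")
        elif verb == "MAIL":
            replies.append("250 sender ok")          # the sender is not what the check keys on
        elif verb == "RCPT":
            reply = rcpt_decision(client_ip, arg.partition(":")[2].strip("<> "), authenticated)
            recipients += reply.startswith("250")
            replies.append(reply)
        elif verb == "DATA":
            replies.append('354 Enter mail, end with "." on a line by itself'
                           if recipients else "503 Need RCPT (recipient)")
        else:
            replies.append("500 Command unrecognized")
    return replies


if __name__ == "__main__":
    # A stranger on the Internet replaying the listing's relay request.
    for r in handle_session("203.0.113.5", ["HELO client.example",
                                            "MAIL From:<pope@vatican.example>",
                                            "RCPT To:<john@other.example>",
                                            "DATA"]):
        print(r)
```

The decision keys on the recipient's domain and on who the client is, never on the claimed sender, because the MAIL From: line is exactly the part of the transcript the sender controls. A server that hosts several domains simply lists all of them as local, which is the multi-domain case the post mentions.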

If spammers can’t find a mail relay, then they make one. That’s right: The
world is full of computers just waiting to be taken over, while their clueless
owners browse the Internet with a false sense of complacency.
Briefly, here’s how it works: Many viruses and worms actually plant an SMTP
relay on infected systems. Well, not a real SMTP relay in the truest sense of
the word, but something that functions as one. If you want to discover more, wait for more...

first learn about the problem

Increasing e-mail volume
This is an understatement to be sure. Many studies conclude that the volume
of spam entering most businesses hovers in the 70 to 80 percent range. Your
e-mail servers are working hard to process inbound and outbound mail, and
the majority of that inbound mail is putrid filth. If you’re sufficiently privileged
to be able to walk up to your e-mail server, that giant sucking sound you hear
is the inbound spam choking the life out of your server.
Spam is consuming network resources, CPU resources, disk and network
buffers, disk space — everything. If your e-mail server is sluggish, imagine
how much faster it would run if you could eliminate 70 percent of the incoming
traffic. On the other hand, if your e-mail server is able to keep up with
the torrent of filth, it’s because you bought a system far larger than should
have been necessary, in order to manage the relevant business e-mail and
the spam.
Everybody is in the same situation: Either they’ve had to invest more capital
dollars in e-mail servers to keep up with the growing tide of spam, or else their
mail servers are suffering under the workload.
If you are so well organized that you have statistics on inbound e-mail volume
over a period of years, I’m willing to bet that you can see that the volume is
increasing at a rate that significantly outpaces any increase in the number of
employees in your organization.
Draining productivity
Almost all organizations have their share of employees who are drowning in
spam. Three to five hundred spam messages per day for some employees is
not uncommon these days. Those employees come from every level in the
organization, from executives to call center employees, and everybody in
between. So what is it like for these employees? I have spoken to more than
just a few; here is what some of them have to say:
“It takes me longer to get through my e-mail because I have to weed out
all the spam first.”
“I can’t stand the porn — even the subject lines are lewd and offensive!”
“My spam filter at home frequently throws away messages from friends. I
can’t afford to have a spam program at work toss out important messages
from customers or suppliers.”
These comments point to some of the key problems that result from employees
dealing with spam, which include the following:
• Extra time spent sifting through all e-mail in order to identify and delete
spam messages. This becomes increasingly difficult as spam messages
look more and more like ordinary messages.
• E-mail quota problems due to spam filling up users’ mailboxes. This is
especially troublesome for those who travel, unless they are able to log
in almost every day and delete all the spam from their inboxes.
• Loss of important business e-mail messages that were accidentally
overlooked and deleted. Legitimate messages often get caught in the
crossfire whether or not a spam-blocking solution is in place.
• Phishing scam messages that look like they originated within the company
or from a legitimate outside source. Sometimes, these scams result
in virus infections, security breaches, fraud, and other issues.
• Employees who are enticed to visit Web sites waste more time and
increase the risk of security issues caused by the hostile code on Web
• Increased computer support costs. Employees who are plagued by spam
and related maladies are certain to be calling the IT helpdesk more frequently
than employees who receive little or no spam. You are fortunate if
your helpdesk tracking data is granular enough to capture this information.
Unless you are in the upper echelon of IT organizations that measure and categorize
every electron, the spam problem is more likely one that you feel in
your gut. You know it’s a problem, perhaps a big problem.
How spam got its name
Funny names are ascribed to otherwise-mundane
components in the technology world. An e-mail
popup in X-Windows (a windowing system like
Microsoft Windows that was invented ten years
earlier) was called “biff,” which was the name of
the programmer’s dog. Those little session- or
person-identifiers that your browser stores on
your computer are called “cookies.”
And, of course, junk e-mail is called spam. But
why “spam”?
The term “spam” was first coined in the 1980s to
refer to various means of sending lots of useless
information to a computer in order to overload it
or be annoying to its users (or both). The Monty
Python “Spam” skit was new and popular among
computer science students and early (now aging)
computer professionals. Reportedly, those in the
Multi-User Dungeon (MUD) community originally
coined the term and brought it to USENET and
eventually e-mail. Legend has it that someone
programmed a macro to simply post the word
“spam” every few seconds (like part of the lyrics
from that Monty Python skit where they simply
repeat the word “spam”) . . .
. . . until someone finally kicked him off.
Exposing the business to malicious code
Through the year 2003, almost no spam carried malicious payloads such as
viruses, worms, and Trojan horses. Spam was just spam. This changed in
2004 (how could you not have noticed?) with the apparent — uh, obvious —
growing alliance between virus writers and spammers. Theirs is a symbiotic
relationship: Spammers give virus writers the means to distribute their wares,
and now spammers can do more than just send junk mail — they can control
their victims’ computers.
Organizations with a sound antivirus infrastructure can take some consolation
in the fact that their antivirus software will strip the malicious code
from most inbound spam messages. Mail servers that are configured to strip
executable attachments from incoming e-mail messages are contributing to
the defense.
Worse yet, antivirus programs have been “looking the other way” when it
comes to spyware. Spyware isn’t stopped by most firewalls, mail servers, or
antivirus programs, and often the flaws (in configuration, as well as vulnerabilities
in design) let the spyware just waltz right in to end-user workstations
to listen, snoop, and sometimes send data back to the hacker’s home base.
Spyware also raises support cost because much of it makes browsers unstable,
and some spyware makes changes to Web browser configurations that
users notice — like changing the default home and search pages.
But is it safe to assume that 100 percent of end-user workstations are adequately
protected? You can fool yourself, but you can’t fool me. Sobering
lessons from the past should certainly convince IT professionals that a few
viruses — and a lot of spyware — are getting through the defenses.
Face it: Spam is clogging the pipes and it has attitude, and spyware is just a
little too nosey for most people to tolerate. An antivirus solution only handles
one small aspect of the spam and spyware plague: It strips malicious code
(most of the time), but does nothing about the growing volume of inbound
e-mail, and it often lets spyware right through.
Creating legal liabilities
Aside from being among the unfortunate ones whose inboxes are hammered by
spam every day, most legal departments have not yet addressed issues of corporate
liability in connection with spam or spyware. That, however, is changing.
Subjecting employees to offensive language and images
An appreciable amount of spam is pornographic in nature, and this naturally
means that employees who receive spam are going to get messages that contain
content that is offensive to many people. And this is not just in the content of
messages: Spammers are becoming more brazen and are including suggestive
and offensive messages right in the subject lines. This is an irritant to many,
but it’s insulting and distressing to others.
Some spammers have been sending messages containing only graphic images
as one method to dodge spam filters. For spammers in the business of distributing
promotional messages for porn sites, this usually means that these
images contain pornographic pictures. Depending upon how an organization’s
choice of e-mail clients, their default configuration, as well as how employees
use them, this can mean that employees who get flooded with spam will be
subjected to pornography and other offensive images.
In many instances, porn spam is sending some employees “over the top,”
resulting in grievances and even threats of lawsuits. Organizations that are
doing little or nothing to stop spam probably do not have much of a defense,
I am sorry to say. Employees who are distraught because of the offensive
nature of spam have a strong case for relief. They also have my sympathy —
I don’t like the stuff either.
Leaking corporate information via spyware
Spyware collects information as relatively harmless as a user’s surfing habits,
and as harmful as key logging (spyware that records your keystrokes and
sends the record to someone else). A corporate user’s workstation with a
working key logger can create liability if it captures a user accessing sensitive
information, and the key logger’s owner subsequently compromises
that data.
Downstream liability if spam originates from company computers
Figuratively and literally speaking, spam messages have no return address, so
it is difficult to pin the blame on those who originate the messages. However,
if a company’s own e-mail server or one of its end-user workstations was being
used as an e-mail relay (a system that spammers use to “originate” their hordes
of messages), other individuals or companies being subjected to this spam
could build a legitimate grievance against the company whose computer is
being used to relay spam.
A spammer can use a company’s e-mail server as a relay if the e-mail server is
still using old e-mail server software. In the old days, relaying e-mail through
an e-mail server was a common practice for moving legitimate mail, but now
only spammers utilize this now-antiquated function in order to cover their
An organization ought to know how to prevent its computers from becoming
spam relays. Any organization that fails to fulfill its due diligence in this
regard can be found negligent and be subject to civil lawsuits. Organizations
that forward spam (or propagate other security threats) cannot completely
escape culpability.

No Silver Bullets: Looking for Ways to Fight Back
Malware (which includes spam and spyware, but also viruses, Trojan horses,
and really anything that you don’t want running on your computer and would
prevent if you could) is a complex problem that comprises threats and issues
on many levels, and no single remedy can eliminate it. Your best defense against
spam and spyware is defense in depth, which is much like the multiple layers
of defense of a medieval castle.
A castle may have a moat (a body of water surrounding the castle), with a
hungry moat monster swimming around. The castle also has a drawbridge,
heavy gates, high walls, and places where archers can shoot arrows at attackers
and others can pour boiling liquids on would-be attackers who make it
across the moat. This castle has many layers of defense. Should any one or
more of these layers fail, other layers continue to provide protection.
Similarly, you can best stop (it would be more accurate to say “slow down”)
the harmful and annoying effects of spam by using a variety of remedies,
which I introduce in the following sections.
By themselves, some of the remedies I discuss will, to some degree, hinder
the effectiveness or penetration rate of malware. Together, they represent a
multilayered defense that provides a good level of resistance against spam
and spyware.
Adding a spam blocker
A key component of your defense is a spam blocker, more often called a spam
filter, which you purchase from an outside vendor. These solutions all use the
same basic features to identify and weed out spam:
• Vendor-supplied filtering rules and signatures: Computer code and a
list of known spam patterns (like fingerprints) that the spam-filtering
software uses to identify messages as spam.
• Enterprise filtering policies: Centrally managed configurations that
reflect the company’s needs.
• User preferences: User-definable settings that tell the spam filters about
spam that individuals find especially irritating, as well as options on how
the product behaves on users’ workstations.
• User blacklists and whitelists: Lists of known bad addresses (that go in
the blacklist), and addresses from outsiders whose incoming messages
should never be tagged as spam (whitelists).
• Quarantines: The holding places where spam messages are stored until
individual users can look to see if any good messages were accidentally
blocked by the spam filter.
Figure 1-1 shows how a typical anti-spam application works. Exactly how each
application performs these functions varies considerably from vendor to
vendor. The following steps explain what’s going on in Figure 1-1 in more detail:
1. Inbound e-mail arrives at the anti-spam application.
2. The anti-spam application examines the message and compares its
contents with enterprise filtering policies, vendor-supplied filtering
rules, end-user preferences, blacklists, and whitelists.
3. The application uses the comparison to decide what to do with the
• If the message is permitted to pass, the application forwards the
message to the enterprise mail server, which will in turn route it to
the recipient’s mailbox.
• If the message is not permitted to pass, the anti-spam application
will check to see if the recipient has a quarantine. If the recipient
does have a quarantine, the anti-spam application will put the message
there. If the recipient does not have a quarantine, the anti-spam
application will delete the message.
4. When the end-user logs in and runs her e-mail program, she will look
at messages in her inbox.
If there are any messages there that should be classified as spam, the
spam application usually provides a way for the user to specify that fact
so that similar messages will be rejected in the future.
5. If the end-user has a quarantine, she will also have to examine it from
time to time to make sure that there are not any messages there that
should not have been blocked.
If there are any desired messages (false positives) in the quarantine, the
user tells the anti-spam application that any messages from the sender
should be accepted; that e-mail address will be placed in the user’s whitelist.
Usually the anti-spam application will also forward the message to
the user’s normal mailbox so that she may open, read, reply, and store it
using her e-mail program.
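The five steps above describe one decision flow, and the Python below works it through end to end. It is an added example, not any vendor's product and not code from the book or this post: the signatures, the enterprise policy, the threshold, and the mailboxes and messages are all constructed for the illustration. It covers the deliver/quarantine/delete decision of step 3 (including the recipient-has-no-quarantine case), the user feedback of step 4, and the whitelist-on-release of step 5.

```python
import re
from dataclasses import dataclass, field

# Constructed rules for a hypothetical deployment (not any vendor's real data).
VENDOR_SIGNATURES = [re.compile(p, re.I) for p in (
    r"\bv[i1]agra\b", r"free money", r"click here to claim")]
ENTERPRISE_POLICY = {"blocked_domains": {"spam.example"}, "spam_threshold": 2}


@dataclass
class Mailbox:
    address: str
    has_quarantine: bool
    whitelist: set = field(default_factory=set)
    blacklist: set = field(default_factory=set)
    inbox: list = field(default_factory=list)
    quarantine: list = field(default_factory=list)


def sender_domain(msg):
    return msg["from"].rpartition("@")[2].lower()


def score(msg, mailbox):
    """Step 2: compare the message with policies, vendor rules and user lists.
    The whitelist wins outright; a blacklisted sender or blocked domain is
    decisive the other way; otherwise every vendor signature hit adds a point."""
    sender = msg["from"].lower()
    if sender in mailbox.whitelist:
        return 0
    if sender in mailbox.blacklist or sender_domain(msg) in ENTERPRISE_POLICY["blocked_domains"]:
        return ENTERPRISE_POLICY["spam_threshold"]
    text = msg["subject"] + "\n" + msg["body"]
    return sum(1 for sig in VENDOR_SIGNATURES if sig.search(text))


def process_inbound(msg, mailbox):
    """Steps 1 to 3: deliver, quarantine, or (no quarantine available) delete.
    Returns the action taken so callers and tests can check it."""
    if score(msg, mailbox) < ENTERPRISE_POLICY["spam_threshold"]:
        mailbox.inbox.append(msg)
        return "delivered"
    if mailbox.has_quarantine:
        mailbox.quarantine.append(msg)
        return "quarantined"
    return "deleted"


def report_spam(msg, mailbox):
    """Step 4: the user flags a message that slipped into the inbox, so future
    mail from that sender is rejected."""
    mailbox.inbox.remove(msg)
    mailbox.blacklist.add(msg["from"].lower())


def release(msg, mailbox):
    """Step 5: the user rescues a false positive; the sender is whitelisted and
    the message is forwarded to the normal mailbox."""
    mailbox.quarantine.remove(msg)
    mailbox.whitelist.add(msg["from"].lower())
    mailbox.inbox.append(msg)


if __name__ == "__main__":
    # Constructed messages: a supplier whose wording trips two signatures, and
    # a sender whose single-signature message slips through until reported.
    invoice = {"from": "billing@supplier.example",
               "subject": "Free money? No, but click here to claim your invoice", "body": "..."}
    pills = {"from": "deals@mail.example", "subject": "v1agra deals", "body": ""}
    alice = Mailbox("alice@example.net", has_quarantine=True)
    bob = Mailbox("bob@example.net", has_quarantine=False)
    print("alice:", process_inbound(invoice, alice), "| bob:", process_inbound(invoice, bob))
    release(invoice, alice)
    print("alice after release:", process_inbound(dict(invoice), alice))
    print("alice pills:", process_inbound(pills, alice))
    report_spam(pills, alice)
    print("alice pills after report:", process_inbound(dict(pills), alice))
```

The case worth noticing is Bob's: with no quarantine, a false positive is simply gone, which is the "loss of important business e-mail" the earlier list warned about. Whether to give every user a quarantine is therefore a policy choice with a real cost on either side.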