The "No Network is 100% Secure" series
- Electronic Mail SPAM -
A White Paper
All rights reserved - may not be copied without permission
Easyrider LAN Pro, NOC Design Consultants
What is SPAM?:
It is widely believed the term spam is derived from the 1970 SPAM sketch of the BBC
television comedy series "Monty Python's Flying Circus".
The sketch is set in a cafe where nearly every item on the menu includes SPAM
luncheon meat. As the waiter recites the SPAM-filled menu, a chorus of Viking
patrons drowns out all conversations with a song repeating "SPAM, SPAM, SPAM,
SPAM... lovely SPAM, wonderful SPAM", hence "SPAMming" the dialog. The excessive
amount of SPAM mentioned in the sketch is a reference to British rationing during
World War II. SPAM was one of the few meat products that was excluded from
rationing, and hence was widely available.
In it's purest form, SPAM is any unwanted message, typically sent via electronic e-mail. Multiple postings (e.g. on usenet newsgroups or forums) can also be referred to as SPAM. For the purpose of this white paper, SPAM will mean unwanted bulk e-mail sent for devious and often for criminal purposes. Some forms of SPAMMING are more accurately defined as phishing or hacking. The intent of SPAM is to get someone to buy something or to trick the reader into allowing their computer to be compromised. SPAM is also used to manipulate stock (shares) prices... typically for so-called pink slip "penny stocks".
It is estimated that 120 billion SPAM messages a day are transmitted over the Internet.
Why is there so much SPAMMING going on?: Spamming remains economically viable because advertisers have few operating costs beyond the management of their botnets and mailing lists. Additionally, it is difficult to hold senders accountable for their mass mailings. Because the barrier to entry is so low, spammers are numerous, and the volume of unsolicited mail has become very high. The costs, such as lost productivity and fraud, are borne by the public and by Internet service providers, which have been forced to add extra capacity to cope with the deluge. Spamming is widely reviled, and has been the subject of legislation in many jurisdictions.
Ducks lists: In many SPAM e-mails, there is a confirmation link and/or an opt-out link within the email body. The spammer's purpose is to collect active email addresses. The gathered records are organized into a "ducks list" for future spam/fraud uses. Spammers or fraudsters keep a record of previously baited victims who pay requested fees, provide personal information about themselves or click on SPAM links as directed. This list of records is then sold amongst spammers and other criminal groups.
Directory harvest attack spam: These are typically "blank body" spam messages. Such spam campaigns are run by spammers in an attempt to find valid/existing email addresses at a certain domain. This particular spam sample has a blank message body with a blank subject line, and no URLs or attachments. The "From" header is spoofed.
DHA is more than just an annoyance for email recipients. Every successful DHA attack equals one or more email address being subjected to future spam/malware attacks. Furthermore, these attacks also generate a large volume of unnecessary workload and consume significant amounts of system resources on the recipient's email server.
SPAM from "friends", aka FRAM: Everyone has friends and acquaintances who at one time or another find it necessary to forward unwanted SPAM to them. SPAM such as chain letters, jokes, touching anecdotes or urban myths. With all respect, most of these people are clueless morons. Not only do they send "greeting cards" from scam and hacker sites and "newsy" or "funny" e-mails that they think "you will find interesting"... They typically e-mail this stuff to their entire address book using the "To" or "CC" fields so that every spammer on the Planet can harvest hundreds of new, fresh, active e-mail addresses. Sorry, but I suffer fools badly. If you are one of these idiots that do this, please remove my e-mail address from your address book!
This type of FRAM is not only annoying, it's dangerous and hazardous to the health and well being of your computer.
Most of the people who FRAM are stupid beyond redemption and will actually get upset with YOU when you ask to be taken off their SPAM mailing lists! The safest way to avoid these dodo activities is to have lots of throwaway e-mail addresses. Only give out your real, sacred e-mail address to a small (tiny) handful of people that you completely trust to not do stupid things with it. And never give out your work e-mail address to anyone except for authorized business purposes. The job you save may be your own! The bottom line here is that friends don't SPAM friends. If you're being SPAMMED by someone, they are not your friend. Ask them to stop and if they keep doing it, block them and complain to their ISP.
When you ask a FRAMMER to stop, just include this URL http://home.mcafee.com/AdviceCenter/Default.aspx?id=ad_fr_fdsf or direct them to this web page. No further discussion is necessary. If they don't get it after reading these paragraphs, they will never get it.
Is SPAM a security concern?: The short answer is no, but with caveats. Very few people these days are dumb enough to actually buy Viagra over the Internet or fall for erectile disfunction scams by responding to a piece of SPAM. However, SPAM is the delivery method for many viruses and other malware. As SPAMMERS become more sophisticated, SPAM with forged headers has been responsible for many "phishing" campaigns that cyber-criminals use to gain access to user accounts and computer services. The end goal for phishing is usually to gain access to credit card numbers, bank accounts, social security numbers and so forth. Phishing scams seek to trick users into going to a bogus but legitimate looking web site to enter their user names, passwords, SSNs and so forth. While Employee identity theft and these types of crimes may not be the direct concern of IT Managers, there are many reasons why you would want to do everything possible to keep SPAM out of your enterprise.
SPAM is also used as a method to harvest e-mail addresses, infect computers with bots and trojans and many other bad things that you do not want to happen to computers that are in your charge.
How do I stop SPAM from getting into my enterprise?: Volumes have been written on this subject so this white paper will just hit the high points. The short answer is that completely eliminating SPAM is impossible under today's technology. Additionally, legislation and enforcement has so far been totally ineffective in abating these types of criminal activities. The reasons for this are beyond the scope of this paper.
However, there are a few relatively simply and often common sense things you can do to at least reduce your vulnerability to SPAM. It is an assumption that the IT Manager has already implemented anti-virus software on every computer in the network. This is an absolute minimum precaution. It is also assumed that virus definitions are kept up to date.
Important best practices: You can remind users to never open attachments unless they are sure of the sender until you are blue in the face. But the fact is that many of your users are just not very technically savvy. So while training and education is important, the best strategy is to prevent SPAM from ever reaching their mailbox in the first place. If you don't do this, you WILL spend a lot of time and energy dealing with viruses, bots, trojans, hack attemps as so on. SPAM is definitely a situation where you can either invest your time being proactive about it or you can deal with fire after fire, reacting every time some user opens up an e-mail attachment or goes to a URL that they "thought" was okay. You only have to pick up the newspaper or turn on the news to learn about the lastest company to be "knocked off the air" by cyber-criminals. I'm sure the IT guys at these companies have some 'splaining to do....
First steps: For SPAM to be delivered, there has to be a legitimate e-mail address to send SPAM to. Therefore, in my opinion, task number one is to not provide SPAMMERS with e-mail addresses to send to. Duh.... So how do we accomplish this? There are many things that can be done to thwart e-mail address harvesters. Implementing policies and procedures that prohibit personal use of company equipment, including company e-mail addresses, for example. Changes to the way e-mail addresses are displayed on web sites (including Internet forums and e-commerce sites that are accessed by employees), for another. Requiring "hardened" usernames so that SPAMMERS can't guess e-mail addresses. That is, Joseph.Jones@your_company.com versus joe or jones @your_company.com. As you can see, there's lots that can be done that's easy and inexpensive to implement but will make a BIG difference in SPAM reduction. Easyrider LAN Pro consulting services can be a huge help in identifying lots of things that data centers are doing that inadvertently promote incoming SPAM. We are always happy to talk to IT Managers about this.
What else?: So the barn door is already open and SPAMMERS have lots of addresses in your domain to SPAM already. What else can be done? Software tools can be a big help too. A great deal of SPAM these days is sent from computers that are infected with bots and in some cases are running as open relays. That is to say that the SPAM is coming from computers that aren't legitimate MX mail servers at all. There are several methods to check incoming mail to see if it came from an open relay, a legitimate MX server or from an IP that is blacklisted.
There are also ways to look at the content of incoming e-mail to see if if has SPAM "signatures". Spamassassin is very popular for doing this and it's free! Servers can also be set up to challange incoming mail by replying with a verification e-mail that the sender must acknowledge before their address is "whitelisted". There is some debate on how effective this approach is but it's still an available option that you may want to take advantage of.
If you are a company, you may want to block ALL e-mail from Google (gmail), Hotmail, Yahoo and so forth since these are clearly not business e-mail addresses. Google and others have done very little to prevent SPAMMERS from using their services to SPAM the Planet. Personally, I block everything from Google, Theplanet and RIPE IP addresses. In your business environment, you may not be able to be quite that aggressive. But personally, I would not hesitate to blacklist scumbag ISPs who host SPAMMERS and Hackers, from my entire network, at the border router. If one of their customers doesn't like having their e-mail blocked, they can vote with their dollars and move to a more responsible ISP. I also block everything from Russian and Nigerian IP address blocks.
As stated earlier, SPAM is a serious, complex and detailed problem. This white paper barely scratches the surface on this issue but we hope you find the information here to be helpful and informative. Easyrider LAN Pro is happy to do consulting work for IT Managers and companies that would like to tighten up their computing environment and who would like to see a lot less SPAM coming into their environment. We often receive consulting inquiries right AFTER a high visibility, expensive, painful intrusion event takes place. But you don't have to wait until your local TV station is interviewing the company president to find out the details about how your data center was attacked before you call us. Level zero in the Information Technology Service Management (ITSM) is chaos mode. You'd like to be way more proactive than that, right?
About the Author
Frank Saxton is a computer network security engineer and Easyrider LAN Pro principle.
Home-based in Portland, Oregon, Frank has been designing remote diagnostic and
network enterprise monitoring centers since the late 1970s. Prior to becoming a
professional systems engineering consultant in 1990, Frank had a 20 year career
in computer systems field engineering and field engineering management. Frank
has a BSEE from Northeastern University and holds several certifications including
Network General's Certified Network Expert (CNX). As a NOC design engineer and
architect, Frank works regularly with enterprise-class monitoring tools such as
HP Openview Operations, BMC Patrol and others. In his enterprise security
audit work, Frank uses sniffers and other professional grade monitoring tools on a
Next in the security white paper series:
How Cyber Criminals will mature over the next ten years
Are you vulnerable to drive-by exploits?
High value sites recent hacks
IT employment challenges of the 21st century
Employment reference checking white paper
Competency Certifications White Paper
Virus White Paper
GhostNet White Paper
Password White Paper
Digital Identification Certificates White Paper
Cryptography White Paper
OpenID White Paper
Intrusion Detection Systems IDS White Paper
Rootkit White Paper
Unnecessary Windows XP Services White Paper
Scareware White Paper
Exaflood Internet Brownout White Paper
Cloud Computing White Paper
Proxy Server White Paper
Personal Computer PC Security White Paper
Conficker White Paper
Phishing White Paper
DNS Poisoning White Paper
SPAM White Paper
Best Practices White Paper
Denial of Service DoS White Paper
Trojan Virus Attacks White Paper
Port Scanning White Paper
Monitoring Basics 101 White Paper
Monitoring Basics 102 White Paper
Monitoring Basics 103 White Paper
Virtual Machine Security White Paper
Aurora vulnerability White Paper
Shelfware White Paper
Outsourced IT White Paper
Easyrider LAN Pro Consulting services:
Network Security Audit and PC Tune-up service
- Proxy server installation and configuration
- Enterprise security consultations
- Disaster recovery planning
- Disaster recovery services
- Capacity, migration and upgrade planning
- Build and deploy central syslog server
- Build trouble ticket systems
- Design and build monitoring environments
- Design and build Network Operations Centers (NOC)
- HP Openview, BMC Patrol consulting
For SPAM harvesters only:
Last modified March 25, 2009
Copyright 1990-2009 Easyrider LAN Pro