5 thoughts on “Favorite webcomic”

  1. kinda geeky??

    That is way geeky, but too funny, but true to form for what I would expect yoda to say

  2. How does spam work?

    Technical questions: How does spam work? And how can you protect yourself against spam?

    I’m just wondering in general how the spam operators actually collect emails and make a living off sending out millions of emails. And how come ISPs can’t automatically detect the senders?

    I realize that responding to the enlargement emails with “remove” only puts your name on the qualified email list and guarantees more spam.

    1. Technical explanation of spam

      OK, here’s my “technical explanation” of how spam is able to work, particularly the practice of forging senders.

      The Simple Mail Transport Protocol, or SMTP for short, was modeled after the U.S. mail system:

      • There is an envelope, which specifies:
        1. The name and address of the sender in the “return address” area, called “MAIL FROM” in SMTP-jargon.
        2. The name and address of the recipient in the “address” area, called “RCPT TO” in SMTP-jargon.
        3. Optional information, such as multiple RCPT TO’s, a “VRFY”, or “verify” question to make sure a recipient exists before trying to deliver, and more interesting stuff.
      • There is a letter inside the envelope, called “DATA” in SMTP-jargon. This is the part your email reading program sees (it never sees the envelope, unless the server puts it in as a header comment), and can be any arbitrary data the sender wishes it to be.

      So here’s a sample SMTP session. It’s actually a plain-text protocol, which means that if you were a fly on the wall reading the email message as it was transferred, this is what you’d see. The lines marked S: are what the server sends you, while the lines marked C: are what you send the server.

      S: 220 barnson.org ESMTP Postfix (Debian/GNU)
      C: HELO hotmail.com
      S: 250 barnson.org Hello, hotmail.com, pleased to meet you.
      C: MAIL FROM: imaspammer@hotmail.com
      S: 250 Ok
      C: RCPT TO: sammyg@barnson.org
      S: 250 Ok
      C: DATA
      S: 354 End data with <CR><LF>.<CR><LF>
      C: From: Some-other-address@some-weird-domain.org
      C: To: Undisclosed Recipients
      C: Date: April 1, 2004
      C: Subject: Your meeting on the 12th was cancelled.
      C:
      C: HELLO MY FRIEND I GREET YOU IN THE NAME OF OUR LORD AND
      C: HUMBLY BESSECH FOR ASSISTANCE. I AM THE SON OF THE LATE
      C: KHUZMAD GORDITO, PRIME MINISTER OF NIGERIAN FINANCE

      (blah blah blah blah, go on for a few pages about how legitimate this is…)

      C: . (spammer SMTP session sends a carriage return)
      S: 250 Ok: queued as 2DA9654457
      C: QUIT
      S: 221 Bye

      There you have it: email demystified. Realize that the spammer can set whatever he wants (usually) as the HELO, and his return address. The only thing that usually needs to be legitimate is the RCPT TO address.

      In the good old days, any SMTP server would accept mail for any other SMTP server, and forward it along to its correct destination. This was called “relaying”. These days, most ISPs enable relaying only for people that are physically attached to their own network due to abuse, by spammers, of this resource.

      Today, people are implementing things such as SPF (the Sender Policy Framework), which verifies that the IP address of a machine which is sending mail and claiming to be from some domain is actually a registered mail-sending address. That doesn’t do much to deter spammers, though. They just buy temporary accounts with some ISP and spam until their account gets shut down. Or else they register obscure domain names, publish their own SPF records, and go on their merry way.

      It’s a war of escalation to try to deter spammers. One thing I do is “blacklist” all known “open relays” that have been abused by spammers, as well as prevent any mail server that’s known to have forwarded spam and not done anything about it recently. But they can always get around that, and my list is always growing.

      As for how do you, personally, protect yourself against spam? The only relatively-successful method people have found is a thing called “Bayesian Filtering”. That is, you go ahead and download the mail, and flag a message as either spam or not-spam. Over time, your mail client (Mozilla Thunderbird and Mac’s Mail both do this by default) will build up a list of words you consider “spammish”, and words you consider “not-spammish”, and automatically rate your inbound mail, filing suspected spam in its own folder for you to review periodically.

      Even long-time admins get sucked in, though. I’m an ebay member, and just the other day I was the recipient of a “phishing” scam, where I received an email that looked wholly legitimate, with a link to click to access my account information on Ebay.

      If I hadn’t looked at the address field in my web browser, I might have been suckered in. When I pulled up this phisher’s page, it wasn’t an Ebay site, but some weird IP address. I went to arin.net, put the IP address in, and discovered it was a Russian IP address.

      In other words, a scam.

      Vigilance is called for. There are also some excellent anti-spam email hosting services available. Ultimately, though, you just have to try to restrict who knows your “real” email address.

      The last thing I do is that I never give someone untrusted my real email address. I direct them to addresses that I create for their one-time use. I run my own mail server, so it’s not a big deal. That way, I can tell who sold my email address by the address I told them to use. For instance, there was a recent scam that suckered people into trying to win a free Ipod MINI. Well, the email address I gave them was “ipodmini@barnson.org”. Once the spam started pouring in, I set up a rule on my mail server which responds to all inbound mail on that address with “This email address was obtained via deceptive advertising. Please complain to the person who sold you the list.”

      According to the CAN-SPAM act, the REMOVE link must actually remove you (or flag you as “do not mail”) or else it is illegal mail. With so many spammers offshore, though, it’s unenforceable.

      As far as how they make money, well, when you can send out thirty million email messages with an effective cost of a few cents for the whole batch, even a .001% response rating ensures your success. It’s dirt-cheap marketing, and particularly the mortgage industry is willing to pay highly for referrals.

      It’s cheap, easy, dirty money. And as a professional systems administrator, I’m bitterly opposed to it through being burned for the last ten years. It’s only getting worse today, with less than 20% of all email traffic being legitimate person-to-person mail.


      Matthew P. Barnson
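
The envelope-versus-letter split the comment above describes can be checked mechanically by a receiving server. The following Python is an added example, not code from the comment or from barnson.org: it parses a constructed transcript modelled on the session above (abridged, with S: marking server replies and C: the sender's side) and reports where the letter's headers disagree with the envelope, which is exactly the forgery the comment walks through.

```python
import email

# Constructed transcript modelled on the session above (abridged; S: = server, C: = sender).
SESSION = """\
S: 220 barnson.org ESMTP Postfix (Debian/GNU)
C: HELO hotmail.com
C: MAIL FROM: imaspammer@hotmail.com
C: RCPT TO: sammyg@barnson.org
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: From: Some-other-address@some-weird-domain.org
C: To: Undisclosed Recipients
C:
C: .
"""

def parse_session(text):
    """Split the sender's side into the envelope (HELO, MAIL FROM, RCPT TO) and the DATA letter."""
    envelope, body, in_data = {"rcpt_to": []}, [], False
    for raw in text.splitlines():
        if not raw.startswith("C:"):
            continue                      # server replies are not part of the envelope
        line = raw[2:].lstrip(" ")
        upper = line.upper()
        if in_data:
            in_data = line != "."         # a lone dot ends the letter
            if in_data:
                body.append(line)
        elif upper.startswith(("HELO ", "EHLO ")):
            envelope["helo"] = line[5:].strip()
        elif upper.startswith("MAIL FROM:"):
            envelope["mail_from"] = line[10:].strip(" <>")
        elif upper.startswith("RCPT TO:"):
            envelope["rcpt_to"].append(line[8:].strip(" <>"))
        elif upper == "DATA":
            in_data = True
    return envelope, email.message_from_string("\n".join(body))

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()

def forgery_findings(envelope, msg):
    findings, env_dom = [], domain_of(envelope["mail_from"])
    if domain_of(msg["From"] or "") != env_dom:
        findings.append("header From: domain differs from envelope MAIL FROM domain")
    if envelope.get("helo", "").lower() != env_dom:
        findings.append("HELO name differs from envelope MAIL FROM domain")
    if not any(r in (msg["To"] or "") for r in envelope["rcpt_to"]):
        findings.append("envelope RCPT TO address absent from header To:")
    return findings
```

Run against the constructed transcript it reports two disagreements: the From: header domain does not match the envelope sender, and the envelope recipient never appears in the To: header.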

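The Bayesian filtering described in the comment above, as an added example that is not the author's code nor that of Thunderbird or Mac Mail: a small word-frequency filter that learns from messages the user has flagged as spam or not-spam and then scores new mail. The training messages are constructed for the example.

```python
import math
import re
from collections import Counter

def tokens(text):
    """Lower-case word set: one occurrence per message is what the filter counts."""
    return set(re.findall(r"[a-z]{2,}", text.lower()))

class BayesFilter:
    """Word-based filter as described above: the user flags each message as
    spam or not-spam, and the filter learns how 'spammish' each word is."""
    def __init__(self):
        self.words = {True: Counter(), False: Counter()}  # keyed by is_spam
        self.n = {True: 0, False: 0}                      # messages seen per class

    def train(self, text, is_spam):
        self.words[is_spam].update(tokens(text))
        self.n[is_spam] += 1

    def word_prob(self, word):
        # Laplace-smoothed P(word|spam) and P(word|ham), combined into P(spam|word)
        ps = (self.words[True][word] + 1) / (self.n[True] + 2)
        ph = (self.words[False][word] + 1) / (self.n[False] + 2)
        return ps / (ps + ph)

    def spam_probability(self, text):
        # naive-Bayes combination in log-odds space; words never seen in
        # training carry no evidence and are skipped
        log_odds = 0.0
        for word in tokens(text):
            if word in self.words[True] or word in self.words[False]:
                p = self.word_prob(word)
                log_odds += math.log(p / (1 - p))
        return 1 / (1 + math.exp(-log_odds))

# Constructed training messages standing in for mail the user flagged by hand.
SPAM = ["I greet you in the name of our lord and humbly beseech for assistance, son of the late prime minister",
        "free ipod mini, click here to claim your prize now",
        "lowest mortgage rates, refinance today, apply now"]
HAM = ["your meeting on the 12th was cancelled, see the updated calendar",
       "attached is the server log from last night, the relay is still down",
       "lunch tomorrow? the calendar says noon"]

def trained_filter():
    f = BayesFilter()
    for m in SPAM:
        f.train(m, True)
    for m in HAM:
        f.train(m, False)
    return f
```

A mail client would file anything scoring above a chosen threshold into a junk folder and fold the user's corrections back in with further train() calls.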
    2. lovely spam, beautiful spam

      –I’m just wondering in general how the spam operators actually collect emails–

      My understanding about this is that they use websearch spiders – programs which search the internet for *@*.com, and then harvest those email addresses into a database, which becomes the mailing list of the spammer. So I realized that one of the reasons I got so much spam on my hotmail account was because on my professional resume, I listed my email address, which could be easily found on any websearch.

      — Ben Schuman Mad, Mad Tenor

      1. Stupid spiders

        Actually, most of the spiders are dumb enough that they don’t even catch the “@”whatever. They specifically look for this snippet of code:

        <a href=mailto:someone@somewhere.com>My Name</a>

        Then they’ll use the name within the brackets as your name, and the mailto: address to send it to you. If you don’t do the “a href”, most spiders miss it.

        Unfortunately, when dealing with a web-braindead population, you normally need to make sure your mailto: links work without hesitation. Such as on my resume page (available via the link at the top of this page)… if I were to make my email address require some munging, like changing it from “matthew.NOSPAM@barnson.org” or something, the technically-illiterate technical recruiters that frequently search for UNIX ADMIN on Google would not be able to get in touch with me.

        So far, I’ve landed my current job and a contract job due to blind web-searches of that sort. Kind of funny, actually; my weblog has finally paid off!


        Matthew P. Barnson
