Spam! Can you hack it?

Pro

1 April 2005

Since then, and with the explosion in the use of e-mail, spam has become a major problem for anybody whose time and/or sensibilities are precious – so much so that legislators have turned their attention to the issue and introduced regulations for proper e-mail use.

In the constant battle of wits between those who would hog the world’s bandwidth for their own selfish ends and those who would seek to limit them, many bulk e-mailers are adopting techniques long used by hackers.

Early spam techniques
In the early days spammers would simply send vast numbers of e-mails from their Internet Service Provider (ISP) accounts. Internet users and system administrators were quick to perceive this as an intrusive nuisance and started to complain to the spammers’ ISPs, resulting in the spammers losing their Internet accounts.

The next evolution of spam was the disposable dialup account. A spammer would sign up for a dialup account on a Friday, unleash a torrent of e-mail over the weekend and by Monday have moved on. This technique didn’t last too long either – a credit card and other details were required to sign up for the account and soon the spammers found that ISPs would not accept their credit cards.

Open mail relays
In the early days of the Internet, when there was little focus on security, people set up their SMTP (e-mail) servers to relay any mail regardless of its source or destination. Spammers quickly realised this allowed them to use someone else’s bandwidth. Instead of sending each e-mail out individually over a slow dialup line, they could send the mail once to a mail server with a long list of recipients and the mail server would send one copy to every recipient. This method was a huge boon to the spammers – they could use someone else’s bandwidth at virtually no cost to themselves and, by forging e-mail headers, hide where the mail came from. Of course the legitimate users of these systems suffered: the mail servers got clogged up sending huge volumes of spam, delaying the sending of legitimate e-mail.

Over time the Internet has adapted to this technique. Antispam activists maintain lists of open SMTP relay servers and e-mail addresses that have been used by spammers and make these lists available to ISPs and the public so that they can filter out e-mail from these sources. A further problem for the spammers is that their source IP address will get logged on the abused systems. This makes it possible for the system administrators to trace them back to their ISP and again have their account revoked.
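To make the open-relay problem concrete, here is an added illustration (not code from the article or from any real mail server) of the relay decision an SMTP server makes for each recipient. It contrasts the old "relay anything" behaviour with the modern rule of accepting only local recipients, trusted networks or authenticated senders; every domain, network and address in it is a constructed example.

```python
"""Relay-decision logic for an SMTP server (added illustration, not a real MTA).

It models the 'relay anything' behaviour of the early open relays beside the
modern rule: relay only for local recipients, for clients on trusted networks,
or for authenticated senders. All domains, networks and addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class RelayPolicy:
    local_domains: frozenset                 # domains this server delivers for
    trusted_networks: tuple                  # networks allowed to send outbound mail
    open_relay: bool = False                 # True reproduces the old misconfiguration

    def decide(self, client_ip, rcpt_to, authenticated=False):
        """Return 'accept' or an SMTP-style rejection for one RCPT TO command."""
        if self.open_relay:
            return "accept"                  # anyone may relay to anyone
        domain = rcpt_to.rsplit("@", 1)[-1].lower()
        if domain in self.local_domains:
            return "accept"                  # inbound mail for our own users
        if authenticated:
            return "accept"                  # authenticated submission
        client = ipaddress.ip_address(client_ip)
        if any(client in net for net in self.trusted_networks):
            return "accept"                  # our own LAN sending outbound mail
        return "554 5.7.1 Relay access denied"   # the reject-unauthorised-destination case


def make_policy(domains, networks, open_relay=False):
    return RelayPolicy(frozenset(d.lower() for d in domains),
                       tuple(ipaddress.ip_network(n) for n in networks),
                       open_relay)


def relayed_count(policy, client_ip, recipients, authenticated=False):
    """How many of one message's recipients the server would fan out to."""
    return sum(policy.decide(client_ip, r, authenticated) == "accept"
               for r in recipients)


# Constructed policies: the same server before and after the fix.
OPEN_RELAY = make_policy(["example.com"], ["192.0.2.0/24"], open_relay=True)
HARDENED = make_policy(["example.com"], ["192.0.2.0/24"])

if __name__ == "__main__":
    # A stranger on 203.0.113.5 hands over one message with three outside recipients
    # plus one local user: the open relay delivers all four, the fixed one only the local.
    bulk = ["a@example.net", "b@example.org", "c@example.edu", "alice@example.com"]
    print(relayed_count(OPEN_RELAY, "203.0.113.5", bulk))   # 4
    print(relayed_count(HARDENED, "203.0.113.5", bulk))     # 1
```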


Broadband
With the advent of fast, cheap, always-on connections for home users and small businesses, the spammers were handed a new vector for spreading spam. The reliance on open relays diminished as the spammers could now rely on high-speed access for their own connections and send vast volumes of mail from their home systems just as quickly as they could through an open relay. Unsophisticated spammers started to deluge the Internet from their own connections. This behaviour didn’t last long as spammers got kicked off by their ISPs and then realised that there were only one or two service providers in their area for broadband connections.

To make effective use of their new fast connections the spammers needed a way to hide their IP addresses. They did this by adopting a tried and trusted hacker technique – they started using open proxy servers. A secure proxy server would normally only let authorised users access it; however, many proxy servers are ‘open’, that is, they let anyone on the Internet relay their requests through them. By stringing many proxy servers together the spammers could hide their real IP addresses behind multiple proxy servers, making the task of tracking down their real IP address extremely difficult. There are lists of open proxy servers on many sites on the Internet and so, for a time, this proved a very fruitful avenue for the spammers.

There are other benefits for the spammers. By using proxy servers to make direct connections to the mail servers of victims, spammers could maintain cleaner mailing lists and customise their spam with victims’ names or web bugs that would enable them to track who had read the spam and when.

The antispam activists were only a short step behind in this ever escalating war. They simply compiled a list of the offending proxies and made them available to ISPs and users. As a further layer of protection, some mail systems were configured to test the systems sending them mails to see if they were open proxy servers.

Spammers and hackers team up
In January of this year the first of the Sobig viruses, Sobig.A, appeared. Sobig.A marked a new divergence in the evolution of viruses. It wasn’t a single self-contained payload like previous viruses, but instead connected to the Internet and downloaded a second payload. The second payload installs a hidden open SMTP relay and cleans up the original virus infection.

By removing the original virus the second payload effectively hides the fact that the computer system was ever infected by a virus, so even a user who has antivirus software installed could become a victim and not know. There is a window of exposure for all users between the release of a new virus and the release of new antivirus definitions. A system compromised during this period by both payloads could easily go unnoticed. The SMTP server of the secondary payload turns the user’s machine into a mail server for any spammer that wants to use it, with the bonus of no logs being kept, i.e. our spammer is now pretty much untraceable.

As if this wasn’t bad enough, the second stage payload downloads a third stage. This installs a hacked version of the WinGate proxy and configures it to run as an open proxy server. The latest version of Sobig hit the Internet on August 18th and within three days had been declared the fastest spreading computer virus to date. The designs of all variants are similar in that they all download secondary and tertiary payloads that install open mail relays and proxy servers.

Most analysts agree that the evolution of this virus is an attempt to develop and test a delivery vector for creating a massive network of anonymous proxy servers and open SMTP relay servers for the purpose of spam.

Spam and the law
The Minister for Communications, the Marine and Natural Resources, Dermot Ahern, has recently introduced legislation to enact an EU directive concerning the processing of personal data and the protection of privacy in the electronic communications sector. This law is quite wide ranging, covering the rights of subscribers to determine which of their personal data is included in publicly available directories, the use of spyware and cookies, and restrictions on unsolicited direct marketing by telephone, fax, automated calling systems, e-mail, SMS and MMS.

In short, private citizens must now opt in to direct marketing campaigns, and there must be a pre-existing relationship with business customers before they can be targeted with direct marketing. Although this legislation is most welcome, in the area of spam its effects are bound to be somewhat muted as the majority of spam originates either in the US or in Asia.

The Irish Honeynet, set up by Espion, Deloitte and Data Electronics, and operational since April 2002, is designed to mimic the Internet infrastructures commonly used by organisations, but it is ‘wired’ with detection sensors that capture all activity to and from the system. The Honeynet is not advertised in any way so any traffic to it from the Internet is suspicious by nature, as it arises from hackers and crackers who are deliberately attempting to identify and attack systems that are vulnerable.

Prevention is better than cure
There are a number of simple measures you can take to minimise the risk of your e-mail address appearing on junk-mail lists. The following suggestions come from the Spam Recycling Centre (www.spamrecycle.com) and the Centre for Democracy and Technology (www.cdt.org).

1. Never buy anything advertised in spam
Spammers are motivated by money. Like all advertisers, they make money by convincing people to buy a product. Advertising campaigns that fail are normally terminated.

2. Never respond to spam
Responding to spam confirms that your e-mail address is ‘live’ and makes it more likely to be traded with other spammers.

3. Disguise e-mail addresses posted in a public electronic place.
E-mail addresses on webpages receive the most spam. Spammers ‘harvest’ these addresses with computer programs (bots). If you must post your address in a public place, disguise it by means such as replacing “example@domain.com” with “example at domain dot com”. Opt out of member directories that place your e-mail address online.

4. Read carefully when filling out online forms requesting your e-mail address and exercise your choice.
If you don’t want to receive e-mail from a website operator, don’t give them your e-mail address. If you are asked for your e-mail address in an online setting such as a form, make sure you pay attention to check boxes that request the right to send you e-mails or share your e-mail address with partners. Read the privacy policies of websites; most sites do honour these.

5. Use multiple e-mail addresses.
When using an unfamiliar website or posting to a newsgroup, establish an e-mail address for that specific purpose. Alternatively, instead of just using one or two e-mail addresses, you can use ‘disposable e-mail addresses,’ which consolidate e-mail in a single location but allow you to immediately shut off any address that is attracting spam.

6. Use a spam filter.

7. Short e-mail addresses are easy to guess and may receive more spam.
Some spammers try to guess the e-mail addresses used by sending mail to short and common addresses.
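On the receiving side, the address-guessing described in item 7 shows up in the mail server’s logs as one client being rejected for many different unknown recipients. The following added example (not from the article; the log lines are constructed, abbreviated Postfix-style rejections, and the thresholds are assumptions) scans such lines and flags clients that look like they are running through a dictionary of short local parts.

```python
"""Detect address-guessing (directory harvest) attempts in MTA rejection logs.

Added illustration, not from the original article. The log sample is constructed
and abbreviated (Postfix-style 'User unknown' rejections); thresholds are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: one client probing short, guessable local parts; one legitimate typo.
SAMPLE_LOG = """\
Jan  6 09:00:01 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <bob@example.com>: Recipient address rejected: User unknown
Jan  6 09:00:01 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <tom@example.com>: Recipient address rejected: User unknown
Jan  6 09:00:02 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <ann@example.com>: Recipient address rejected: User unknown
Jan  6 09:00:02 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <joe@example.com>: Recipient address rejected: User unknown
Jan  6 09:00:03 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <sam@example.com>: Recipient address rejected: User unknown
Jan  6 09:00:03 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <info@example.com>: Recipient address rejected: User unknown
Jan  6 09:05:40 mx postfix/smtpd[2188]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.7]: 550 5.1.1 <alise.smith@example.com>: Recipient address rejected: User unknown
"""

# Client IP in brackets, then the 5.1.1 (unknown recipient) status and the address.
REJECT_RE = re.compile(r"RCPT from \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: 550 5\.1\.1 <(?P<rcpt>[^>]+)>")


def unknown_recipients_by_client(log_text):
    """Map each client IP to the set of distinct unknown recipients it tried."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            seen[m.group("ip")].add(m.group("rcpt").lower())
    return seen


def harvest_suspects(log_text, min_unknown=5, short_len=4):
    """Flag clients that hit at least min_unknown distinct unknown addresses.

    Returns {ip: (unknown_count, short_count)}, where short_count is how many of
    the guesses had a local part of short_len characters or fewer (item 7's point).
    """
    suspects = {}
    for ip, rcpts in unknown_recipients_by_client(log_text).items():
        if len(rcpts) >= min_unknown:
            short = sum(len(r.split("@")[0]) <= short_len for r in rcpts)
            suspects[ip] = (len(rcpts), short)
    return suspects


if __name__ == "__main__":
    for ip, (n, short) in harvest_suspects(SAMPLE_LOG).items():
        print(f"{ip}: {n} unknown recipients, {short} with short local parts")
```

A single mistyped address from 198.51.100.7 stays below the threshold, while the client cycling through six short names is reported; in practice the threshold would be tuned per site and applied per time window.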

For further information, visit www.deloitte.com/ie/honeynet, www.espion.ie, or www.honeynet.ie.

06/01/04
