Tons of E-mail SPAM is coming from you
(even if you didn't send it)...
Chances are that if you get SPAM, somebody else in the world is getting SPAM with your e-mail address on it. Whenever I tell people this, I usually get back a response like “I’ve never sent SPAM to anybody! What on Earth are you talking about?” I also get back this one: “My mail servers are so secure that nobody can send mail that looks like it came from me.”
The fact of the matter is that you don’t have to do anything to have somebody send SPAM that looks like it came from you. Once your e-mail address is public (the result of posting it on a web site, joining a commercial mailing list, posting on forums or USENET groups, or other things), anybody can use it as the return address for their mail. Nothing in the way Internet mail works checks that the address in the “From” line belongs to whoever actually sent the message. Putting an e-mail address on a message that wasn’t actually from the person at that address is known as “forging” or “spoofing”. And there’s nothing the owner of the address can do to stop the forging itself. (The most a domain’s administrators can do is publish sender-authentication records, SPF, DKIM and DMARC, that let a receiving mail server check whether a message really came from that domain; that doesn’t stop the forger from sending, and it only helps at receivers that bother to check.)
Forging can happen no matter how secure your mail server is, for one simple reason: forged mail doesn’t depend on your mail server at all. Forged e-mail isn’t processed, “sent through”, or otherwise handled by the victim’s e-mail server. (For the purpose of this article, the victim is the person the mail claims to be from when in fact they did not send it.) The forger sends the message from their own machine or through some other server, so the victim’s e-mail server isn’t involved in the process at all. Since forged mail never comes in contact with your mail server, there’s nothing that you or your IT people can do on that server to stop other people from using your address.
Furthermore, spoofing
of an e-mail address doesn’t necessarily mean that your e-mail account
has been compromised. A spammer does not have to specifically use your e-mail
account to send a message that appears to be from you.
There are a number of ways that mail can appear to come from you when you didn’t send it. Here are the two “biggies”:
Change
the “From” and “Reply-To” Addresses
Assume I am a spammer. I decide that I am going to send 10,000 mails to people advertising a new “pharmaceutical breakthrough” that is supposed to cure some ailment (probably an R-rated ailment at that). Obviously I don’t want the mail to appear as though it came from me, as people would just block my e-mail address and my SPAM wouldn’t be very effective. So I scour the web looking for e-mail addresses and find one that I like. Now I go into my mail software and set up an e-mail account, specifying the address I just harvested as the “From” and/or “Reply-To” address. The mail software never asks for proof that the address is mine. Or I can just download a bulk mailer program (many of which are freely available) and enter the stolen address as the “From” address. That’s all there is to it.
ISPs do try to prevent spammers from doing this by telling their outgoing mail servers not to send mail that isn’t “from” somebody at that ISP. That is, the mail server at optonline.net won’t accept a message for delivery unless it has an “@optonline.net” address in the “From” or “Reply-To” field. But for this to block mail that isn’t from somebody on the sending network, every ISP and server administrator in the world would have to set up their mail servers to follow the policy. And it’s easy to get around anyway: I can install my own mail server that DOES allow mail from any address and use it to send the SPAM, bypassing my ISP’s servers entirely. Mail server software is freely available on the Internet.
Of course, some ISPs also block direct sending of mail (outbound connections on the SMTP port, TCP port 25, from customer connections), which stops home-grown servers from working. But not every network administrator prevents e-mail from bypassing their own servers, so this method is still a very effective way to send SPAM. And technically savvy spammers can get around ISP blocks, for example by sending through a machine on a network that doesn’t block them.
Hijacked
Computers
The other “biggie” is to trick a user into installing a program on their computer that goes through their address book and sends mail to everyone in it, as well as to any other e-mail addresses it finds on the machine. These programs also tend to turn the computer into a “SPAM relay”. SPAM relays are computers with software on them that basically turns them into mail servers, allowing spammers to send SPAM through them. This software also tends to report back to its creator that the computer is infected, including its IP address, so the creator can use that computer to send their SPAM. Mail sent by these programs typically doesn’t show up in your mail program’s Outbox, because the SPAM programs generally don’t use your mail program to send the mail. Instead, they steal the e-mail addresses from your mail program and then send the SPAM themselves, straight to the recipients’ mail servers. This keeps the user blissfully unaware that their computer is firing off thousands of SPAM messages per day. Cable modem users, whose computers are always on and always connected, tend to be the biggest victims of this, and many don’t know it. Programs like Ad-Aware and SpyBot scan for these programs. This SPAM relay software can often “get around” the blocking that ISPs try to institute.
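A hijacked computer gives itself away on the network even when the user sees nothing in the Outbox: a desktop has no reason to open SMTP (port 25) connections to dozens of different mail servers, but a SPAM relay does it all day. The script below is an added example, not part of the original article, showing how a network administrator could spot that pattern in outbound-connection logs. The log format (timestamp, source IP, destination IP, destination port), the sample lines, the address of the ISP’s own mail server and the threshold of five distinct servers are all constructed assumptions for the demonstration; real firewall logs differ and the threshold should be tuned to the network.

```python
"""Flag hosts that behave like SPAM relays in outbound-connection logs.

Added example; not code from the original article. The log format, the
sample lines, ISP_MAIL_SERVERS and the threshold are all assumptions.
"""
from collections import defaultdict

# Constructed sample log (timestamp, source IP, destination IP, dest port).
# 10.0.0.12 is a home PC that suddenly talks SMTP to many outside servers;
# 10.0.0.5 sends mail only through the ISP's server (normal); 10.0.0.9 browses.
SAMPLE_LOG = """\
2004-06-01T09:00:01 10.0.0.5 198.51.100.25 25
2004-06-01T09:00:02 10.0.0.9 203.0.113.80 80
2004-06-01T09:00:03 10.0.0.12 192.0.2.10 25
2004-06-01T09:00:03 10.0.0.12 192.0.2.11 25
2004-06-01T09:00:04 10.0.0.12 192.0.2.12 25
2004-06-01T09:00:04 10.0.0.12 192.0.2.13 25
2004-06-01T09:00:05 10.0.0.12 192.0.2.14 25
2004-06-01T09:00:05 10.0.0.12 192.0.2.15 25
2004-06-01T09:00:06 10.0.0.5 198.51.100.25 25
2004-06-01T09:00:07 10.0.0.12 192.0.2.16 25
2004-06-01T09:00:08 10.0.0.9 203.0.113.81 443
"""

# Assumed: the only mail server customers are supposed to send through.
ISP_MAIL_SERVERS = {"198.51.100.25"}
SMTP_PORT = 25


def parse_log(text):
    """Yield (timestamp, src, dst, dport) tuples; skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, dport = parts
        try:
            yield ts, src, dst, int(dport)
        except ValueError:
            continue


def smtp_destinations(text):
    """Map each source host to the set of distinct hosts it contacted on port 25,
    ignoring the ISP's own mail servers, which every normal client talks to."""
    dests = defaultdict(set)
    for _ts, src, dst, dport in parse_log(text):
        if dport == SMTP_PORT and dst not in ISP_MAIL_SERVERS:
            dests[src].add(dst)
    return dests


def suspected_relays(text, min_distinct_servers=5):
    """Return the sorted source IPs that contacted at least min_distinct_servers
    different outside mail servers. A desktop has no reason to do this; a SPAM
    relay delivering directly to recipients' servers does it constantly."""
    return sorted(src for src, dests in smtp_destinations(text).items()
                  if len(dests) >= min_distinct_servers)


if __name__ == "__main__":
    for host in suspected_relays(SAMPLE_LOG):
        count = len(smtp_destinations(SAMPLE_LOG)[host])
        print(f"{host}: direct SMTP to {count} distinct outside mail servers; likely SPAM relay")
```

On the sample, only 10.0.0.12 is reported; the host that sends through the ISP’s server is not counted at all, so ordinary mail use does not trigger the check.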
These spamming programs can be installed on your computer in a number of ways:
- You could have downloaded a free program that had the malicious software included in the install.
- The software could have been installed using one of the many published vulnerabilities in the Windows operating system. These exploits run without the user’s knowledge or intervention: the software installs itself and often begins trying to install itself onto other computers as soon as it lands on yours. This one can be avoided by keeping your computer up to date with Windows Update on a regular basis and by turning on Windows’ “Automatic Updates”.
- You could have opened an e-mail attachment that contains the SPAMming program. The attachment could be disguised as a picture, a Windows Security Update, or some other file. These attachments often show up as being “From” an e-mail address that you trust. This happens when somebody who has your e-mail address in their Address Book gets infected with the SPAM software, and the software then sends itself to everyone in that person’s address book (which you happen to be listed in).
A couple of other notes of interest:
- Just because your ISP filters your incoming e-mail for SPAM doesn’t mean you’re protected from spoofing. Your ISP’s servers and filters are completely out of the loop when your address is forged onto mail sent to somebody else.
- ISP SPAM filters for their users’ mailboxes tend to filter incoming mail only. That is, they filter only mail addressed TO you, not mail claiming to be FROM you. Even so, since the ISP’s servers aren’t involved in sending or receiving SPAM with your e-mail address forged in it, their filters won’t have any effect on it.
The lesson here is: make sure the mail you’re looking at is actually from the person listed in the mail as having sent it. A few ways of doing this:
- First, you could look at the message headers to determine where the message really came from (an article in itself, so I’m not going to go into it here). In short, each mail server that handles a message adds a “Received” line on top of the headers, so the line added by your own server is the trustworthy record of where the message came from; the “From” line is whatever the sender typed.
- Also, you could look at who the message is from. Most of the time when a user sends a legitimate e-mail to another, the message contains the sender’s real name (in addition to the address) in the “From” field. If the “From” field lists only an e-mail address when you normally see the sender’s name, beware. (A forger can type in a name just as easily, so a familiar name is not proof either.)
- Third, you can look at the subject of the message. SPAM subjects are often easy to spot. Even if the subject is not obviously SPAM, you should be able to reasonably tell whether the person who “sent” you the message would have sent you a message with that particular subject.
- And finally, whether the person listed as sending the message actually sent it or not, be extremely wary of attachments. An attachment can be made to look like a picture file when in fact it is a program that installs a virus. Even the icon that appears can be changed. Installing anti-virus software and keeping it up to date should help combat accidental opening of malicious attachments.
I don’t know
what I’ll be talking about next time just yet, so stay tuned!
By Chris Hyzer, Systems Manager
Southeastern News Online is published bi-monthly by SENYLRC staff.