Gallery

Security without a smile

Posted on 8 Jul 2008 at 14:20

This month, Davey Winder isn't smiling about transactional security and gets his knickers in a twist over spam-address spoofing.

John kind of answers his own question later in the same message when he complains that some of his legitimate emails can't be sent to certain addresses because his own email address has found its way onto a blacklist or three. By using your email address the spammer doesn't suffer from this problem, or at least he doesn't suffer it as quickly. Volume and longevity is the name of the game, both closely intertwined because the longer a spammer can keep an account running, the more spam they can pump through it. It matters not whether it's some small-fry spammer operating off the back of a legit paid-for ISP, or an organised gang taking the botnet route, they all want to obfuscate and confuse the spam traps and those authorities that try to make them cease and desist. The simplest route for them to take is to spoof the "from" or "reply to" address line, which at least ensures that bounces don't bounce back to them, nor do the irate messages from people who don't like being spammed and haven't yet realised that to reply is pointless.

I'm all too aware of the spoofing problem, because by having a well-publicised email address I find myself on the receiving end of such nonsense all the time - I just let my spam filter deal with it, including the bounces, and get on with my life. I haven't yet found myself victim to the blacklisting problem, but if I did and discovered that as a result I couldn't send mail to someone I needed to, then I'd contact them directly and get myself removed from said blacklist as soon as possible.

There really is no escaping these spam spoofers, not even by keeping a special email address that's never published and one that only your closest friends know about: spam software can generate random sender addresses, often by trying every possible variation of one name at one domain until a hit is obtained, before moving on to the next. If you get caught in the flack, keep your head down for a few days and let it pass.

You might also be unlucky enough to fall victim to a malware infection on the computer of someone who has your details in their address book. Some malware can hunt down this information then add your address immediately to the spamming database, so you get copies of the infected mail, while also using those emails to distribute the spam to others.

If you want to play detective and have the time and patience to do so, then it's possible to examine the full email headers and look for the "received" lines. By following these received tracks back to the original you'll have, if nothing else, the IP address of the originating computer that sent the spam in the first place. The trouble is that this information is usually worthless, since the spam could have originated from a country that doesn't take the problem seriously, so complaining to an ISP there will have little effect. You can try complaining, and some people have had success in getting ISPs to shut down spammer accounts and to track back spambot networks in this way, but it's time-consuming work without any guarantee of success. Even if the spammer is closed down by one ISP, it will appear again within minutes at another.

If you hate spam for the inconvenience, why add to it? I believe there's only one way to stop it, and that's for people to stop responding to spam messages and stop buying the products. Simple supply and demand - if there's no consumer demand then nobody will pay the spammers to send this stuff and the problem will go away. Unfortunately, there are too many idiots out there for this to happen any time soon I fear.