Spam email delivery
Encyclopedia
Since Internet users and system administrator
s have deployed a vast array of techniques to block, filter, or otherwise banish spam from users' mailboxes and almost all Internet service provider
s forbid the use of their services to send spam or to operate spam-support services, special techniques are employed to deliver spam emails. Both commercial firms and volunteers run subscriber services dedicated to blocking or filtering spam.
, to send spam or to receive e-mailed responses from potential customers. Because of the amount of mail sent by spammers, they require several e-mail accounts, and use web bots to automate the creation of these accounts.
In an effort to cut down on this abuse, many of these services have adopted a system called Captcha
: users attempting to create a new account are presented with a graphic of a word, which uses a strange font, on a difficult to read background. Humans are able to read these graphics, and are required to enter the word to complete the application for a new account, while computers are unable to get accurate readings of the words using standard OCR
techniques. Blind users of captchas typically get an audio sample.
Spammers have, however, found a means of circumventing this measure. Reportedly, they have set up sites offering free pornography
: to get access to the site, a user displays a graphic from one of these webmail sites, and must enter the word. Once the bot has successfully created the account, the user gains access to the pornographic material. Furthermore, standard image processing techniques work well against many Captchas.
s towards the other systems rather than the spammers themselves. The increasing broadband usage gave rise to a great number of computers that are online as long as they are turned on, and whose owners do not always take steps to protect them from malware
. A botnet
consisting of several hundred compromised machines
can effortlessly churn out millions of messages per day. This also complicates the tracing of spammers.
s. An open relay is an MTA
, or mail server, which is configured to pass along messages sent to it from any location, to any recipient. In the original SMTP mail architecture, this was the default behavior: a user could send mail to practically any mail server, which would pass it along towards the intended recipient's mail server.
The standard was written in an era before spamming when there were few hosts on the internet, and those on the internet abided by a certain level of conduct. While this cooperative, open approach was useful in ensuring that mail was delivered, it was vulnerable to abuse by spammers. Spammers could forward batches of spam through open relays, leaving the job of delivering the messages up to the relays.
In response, mail system administrators concerned about spam began to demand that other mail operators configure MTAs to cease being open relays. The first DNSBL
s, such as MAPS RBL and the now-defunct ORBS, aimed chiefly at allowing mail sites to refuse mail from known open relays. By 2003 less than 1% of corporate mail servers were available as open relays, down from 91% in 1997.
. A proxy
is a network service for making indirect connections to other network services. The client connects to the proxy and instructs it to connect to a server. The server perceives an incoming connection from the proxy, not the original client. Proxies have many purposes, including Web-page caching, protection of privacy, filtering of Web content, and selectively bypassing firewalls.
An open proxy is one which will create connections for any client to any server, without authentication. Like open relays, open proxies were once relatively common, as many administrators did not see a need to restrict access to them.
A spammer can direct an open proxy to connect to a mail server, and send spam through it. The mail server logs a connection from the proxy—not the spammer's own computer. This provides an even greater degree of concealment for the spammer than an open relay, since most relays log the client address in the headers of messages they pass. Open proxies have also been used to conceal the sources of attacks against other services besides mail, such as Web sites or IRC
servers. As spam from proxies and other "spammable" resources grew, DNSBL operators started listing their IP addresses, as well as open relays.
script to allow Web-site users to send e-mail feedback from an HTML form. Several versions of this program, and others like it, allowed the user to redirect e-mail to arbitrary addresses. Spam sent through open FormMail scripts is frequently marked by the program's characteristic opening line: "Below is the result of your feedback form."
The ‘tell a friend about this page’ features some websites offer may be vulnerable by design in that they allow the visitor to add their message to the email that is sent. Consequently, such scripts are often abused to send spam, particularly so-called 419 scams; apparently, the spammers are happy for their messages to include a plug on the lines of ‘your friend wanted to tell you about this web page’.
es designed to deploy proxies and other spam-sending tools, spammers could harness hundreds of thousands of end-user computers. The widespread change from Windows 9x
to Windows XP
for many home computers, which started in early 2002 and was well under way by 2003, greatly accelerated the use of home computers to act as remotely-controlled spam proxies. The original version of Windows XP as well as XP-SP1 had several major vulnerabilities that allowed the machines to be compromised over a network connection without requiring actions on the part of the user or owner. While Windows 2000
had similar vulnerabilities, that operating system was never widely used on home computers.
Most of the major Windows
e-mail viruses of 2003, including the Sobig and Mimail
virus families, functioned as spammer viruses: viruses designed expressly to make infected computers available as spamming tools.
Besides sending spam, spammer viruses serve spammers in other ways. Beginning in July 2003, spammers started using some of these same viruses to perpetrate distributed denial-of-service (DDoS) attacks upon DNSBLs and other anti-spam resources. Although this was by no means the first time that illegal attacks have been used against anti-spam sites, it was perhaps the first wave of effective attacks.
In August of that year, engineering company Osirusoft ceased providing DNSBL mirrors of the SPEWS and other blocklists, after several days of unceasing attack from virus-infected hosts. The very next month, DNSBL operator Monkeys.com succumbed to the attacks as well. Other DNSBL operators, such as Spamhaus
, have deployed global mirroring and other anti-DDoS methods to resist these attacks.
Zombie networks
are particularly active in North America where about half of the Internet users are on a broadband
connection and many leave their computers on all the time. In January, 2008, 8% of all e-mail spam was sent by the Storm botnet
, created by the Storm Worm
, first released in January, 2007. It is estimated that as many as 1 million or more computers have been infected and their owners are unwilling and unknowing participants. In the 3rd quarter of 2008 almost one in every 400 email messages contained a dangerous attachment, designed to infect the recipient’s computer, eight times as often as in the previous quarter.
System administrator
A system administrator, IT systems administrator, systems administrator, or sysadmin is a person employed to maintain and operate a computer system and/or network...
s have deployed a vast array of techniques to block, filter, or otherwise banish spam from users' mailboxes and almost all Internet service provider
Internet service provider
An Internet service provider is a company that provides access to the Internet. Access ISPs directly connect customers to the Internet using copper wires, wireless or fiber-optic connections. Hosting ISPs lease server space for smaller businesses and host other people servers...
s forbid the use of their services to send spam or to operate spam-support services, special techniques are employed to deliver spam emails. Both commercial firms and volunteers run subscriber services dedicated to blocking or filtering spam.
Webmail
A common practice of spammers is to create accounts on free webmail services, such as HotmailHotmail
Windows Live Hotmail, formerly known as MSN Hotmail and commonly referred to simply as Hotmail, is a free web-based email service operated by Microsoft as part of its Windows Live group. It was founded by Sabeer Bhatia and Jack Smith and launched in July 1996 as "HoTMaiL". It was one of the first...
, to send spam or to receive e-mailed responses from potential customers. Because of the amount of mail sent by spammers, they require several e-mail accounts, and use web bots to automate the creation of these accounts.
In an effort to cut down on this abuse, many of these services have adopted a system called Captcha
CAPTCHA
A CAPTCHA is a type of challenge-response test used in computing as an attempt to ensure that the response is generated by a person. The process usually involves one computer asking a user to complete a simple test which the computer is able to generate and grade...
: users attempting to create a new account are presented with a graphic of a word, which uses a strange font, on a difficult to read background. Humans are able to read these graphics, and are required to enter the word to complete the application for a new account, while computers are unable to get accurate readings of the words using standard OCR
Optical character recognition
Optical character recognition, usually abbreviated to OCR, is the mechanical or electronic translation of scanned images of handwritten, typewritten or printed text into machine-encoded text. It is widely used to convert books and documents into electronic files, to computerize a record-keeping...
techniques. Blind users of captchas typically get an audio sample.
Spammers have, however, found a means of circumventing this measure. Reportedly, they have set up sites offering free pornography
Internet pornography
Internet pornography is pornography that is distributed by means of various sectors of the Internet, primarily via websites, peer-to-peer file sharing, or Usenet newsgroups...
: to get access to the site, a user displays a graphic from one of these webmail sites, and must enter the word. Once the bot has successfully created the account, the user gains access to the pornographic material. Furthermore, standard image processing techniques work well against many Captchas.
Third-party computers
Early on, spammers discovered that if they sent large quantities of spam directly from their ISP accounts, recipients would complain and ISPs would shut their accounts down. Thus, one of the basic techniques of sending spam has become to send it from someone else's computer and network connection. By doing this, spammers protect themselves in several ways: they hide their tracks, get others' systems to do most of the work of delivering messages, and direct the efforts of investigatorDetective
A detective is an investigator, either a member of a police agency or a private person. The latter may be known as private investigators or "private eyes"...
s towards the other systems rather than the spammers themselves. The increasing broadband usage gave rise to a great number of computers that are online as long as they are turned on, and whose owners do not always take steps to protect them from malware
Malware
Malware, short for malicious software, consists of programming that is designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, or gain unauthorized access to system resources, or that otherwise exhibits abusive behavior...
. A botnet
Botnet
A botnet is a collection of compromised computers connected to the Internet. Termed "bots," they are generally used for malicious purposes. When a computer becomes compromised, it becomes a part of a botnet...
consisting of several hundred compromised machines
Zombie computer
In computer science, a zombie is a computer connected to the Internet that has been compromised by a cracker, computer virus or trojan horse and can be used to perform malicious tasks of one sort or another under remote direction. Botnets of zombie computers are often used to spread e-mail spam...
can effortlessly churn out millions of messages per day. This also complicates the tracing of spammers.
Open relays
In the 1990s, the most common way spammers did this was to use open mail relayOpen mail relay
An open mail relay is an SMTP server configured in such a way that it allows anyone on the Internet to send e-mail through it, not just mail destined to or originating from known users...
s. An open relay is an MTA
Mail transfer agent
Within Internet message handling services , a message transfer agent or mail transfer agent or mail relay is software that transfers electronic mail messages from one computer to another using a client–server application architecture...
, or mail server, which is configured to pass along messages sent to it from any location, to any recipient. In the original SMTP mail architecture, this was the default behavior: a user could send mail to practically any mail server, which would pass it along towards the intended recipient's mail server.
The standard was written in an era before spamming when there were few hosts on the internet, and those on the internet abided by a certain level of conduct. While this cooperative, open approach was useful in ensuring that mail was delivered, it was vulnerable to abuse by spammers. Spammers could forward batches of spam through open relays, leaving the job of delivering the messages up to the relays.
In response, mail system administrators concerned about spam began to demand that other mail operators configure MTAs to cease being open relays. The first DNSBL
DNSBL
A DNSBL is a list of IP addresses published through the Internet Domain Name Service either as a zone file that can be used by DNS server software, or as a live DNS zone that can be queried in real-time...
s, such as MAPS RBL and the now-defunct ORBS, aimed chiefly at allowing mail sites to refuse mail from known open relays. By 2003 less than 1% of corporate mail servers were available as open relays, down from 91% in 1997.
Open proxies
Within a few years, open relays became rare and spammers resorted to other tactics, most prominently the use of open proxiesOpen proxy
An open proxy is a proxy server that is accessible by any Internet user. Generally, a proxy server allows users within a network group to store and forward Internet services such as DNS or web pages to reduce and control the bandwidth used by the group...
. A proxy
Proxy server
In computer networks, a proxy server is a server that acts as an intermediary for requests from clients seeking resources from other servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource available from a different server...
is a network service for making indirect connections to other network services. The client connects to the proxy and instructs it to connect to a server. The server perceives an incoming connection from the proxy, not the original client. Proxies have many purposes, including Web-page caching, protection of privacy, filtering of Web content, and selectively bypassing firewalls.
An open proxy is one which will create connections for any client to any server, without authentication. Like open relays, open proxies were once relatively common, as many administrators did not see a need to restrict access to them.
A spammer can direct an open proxy to connect to a mail server, and send spam through it. The mail server logs a connection from the proxy—not the spammer's own computer. This provides an even greater degree of concealment for the spammer than an open relay, since most relays log the client address in the headers of messages they pass. Open proxies have also been used to conceal the sources of attacks against other services besides mail, such as Web sites or IRC
Internet Relay Chat
Internet Relay Chat is a protocol for real-time Internet text messaging or synchronous conferencing. It is mainly designed for group communication in discussion forums, called channels, but also allows one-to-one communication via private message as well as chat and data transfer, including file...
servers. As spam from proxies and other "spammable" resources grew, DNSBL operators started listing their IP addresses, as well as open relays.
Web scripts
Besides relays and proxies, spammers have used other insecure services to send spam. One example is FormMail.pl, a CGICommon Gateway Interface
The Common Gateway Interface is a standard method for web servers software to delegate the generation of web pages to executable files...
script to allow Web-site users to send e-mail feedback from an HTML form. Several versions of this program, and others like it, allowed the user to redirect e-mail to arbitrary addresses. Spam sent through open FormMail scripts is frequently marked by the program's characteristic opening line: "Below is the result of your feedback form."
The ‘tell a friend about this page’ features some websites offer may be vulnerable by design in that they allow the visitor to add their message to the email that is sent. Consequently, such scripts are often abused to send spam, particularly so-called 419 scams; apparently, the spammers are happy for their messages to include a plug on the lines of ‘your friend wanted to tell you about this web page’.
Spammer viruses
In 2003, spam investigators saw a radical change in the way spammers sent spam. Rather than searching the global network for exploitable services such as open relays and proxies, spammers began creating "services" of their own. By commissioning computer virusComputer virus
A computer virus is a computer program that can replicate itself and spread from one computer to another. The term "virus" is also commonly but erroneously used to refer to other types of malware, including but not limited to adware and spyware programs that do not have the reproductive ability...
es designed to deploy proxies and other spam-sending tools, spammers could harness hundreds of thousands of end-user computers. The widespread change from Windows 9x
Windows 9x
Windows 9x is a generic term referring to a series of Microsoft Windows computer operating systems produced since 1995, which were based on the original and later modified Windows 95 kernel...
to Windows XP
Windows XP
Windows XP is an operating system produced by Microsoft for use on personal computers, including home and business desktops, laptops and media centers. First released to computer manufacturers on August 24, 2001, it is the second most popular version of Windows, based on installed user base...
for many home computers, which started in early 2002 and was well under way by 2003, greatly accelerated the use of home computers to act as remotely-controlled spam proxies. The original version of Windows XP as well as XP-SP1 had several major vulnerabilities that allowed the machines to be compromised over a network connection without requiring actions on the part of the user or owner. While Windows 2000
Windows 2000
Windows 2000 is a line of operating systems produced by Microsoft for use on personal computers, business desktops, laptops, and servers. Windows 2000 was released to manufacturing on 15 December 1999 and launched to retail on 17 February 2000. It is the successor to Windows NT 4.0, and is the...
had similar vulnerabilities, that operating system was never widely used on home computers.
Most of the major Windows
Microsoft Windows
Microsoft Windows is a series of operating systems produced by Microsoft.Microsoft introduced an operating environment named Windows on November 20, 1985 as an add-on to MS-DOS in response to the growing interest in graphical user interfaces . Microsoft Windows came to dominate the world's personal...
e-mail viruses of 2003, including the Sobig and Mimail
Mimail
Mimail is a computer worm which first emerged in August of 2003; it is transmitted via e-mail. Since its initial release, nearly two dozen variants of the original Mimail worm have appeared. The Mydoom worm, which emerged in January 2004, was initially believed to be a variant of Mimail. Mimail is...
virus families, functioned as spammer viruses: viruses designed expressly to make infected computers available as spamming tools.
Besides sending spam, spammer viruses serve spammers in other ways. Beginning in July 2003, spammers started using some of these same viruses to perpetrate distributed denial-of-service (DDoS) attacks upon DNSBLs and other anti-spam resources. Although this was by no means the first time that illegal attacks have been used against anti-spam sites, it was perhaps the first wave of effective attacks.
In August of that year, engineering company Osirusoft ceased providing DNSBL mirrors of the SPEWS and other blocklists, after several days of unceasing attack from virus-infected hosts. The very next month, DNSBL operator Monkeys.com succumbed to the attacks as well. Other DNSBL operators, such as Spamhaus
The Spamhaus Project
The Spamhaus Project is an international organisation to track e-mail spammers and spam-related activity. It is named for the anti-spam jargon term coined by Linford, spamhaus, a pseudo-German expression for an ISP or other firm which spams or willingly provides service to spammers.-Spamhaus...
, have deployed global mirroring and other anti-DDoS methods to resist these attacks.
Zombie networks
Zombie computer
In computer science, a zombie is a computer connected to the Internet that has been compromised by a cracker, computer virus or trojan horse and can be used to perform malicious tasks of one sort or another under remote direction. Botnets of zombie computers are often used to spread e-mail spam...
are particularly active in North America where about half of the Internet users are on a broadband
Broadband Internet access
Broadband Internet access, often shortened to just "broadband", is a high data rate, low-latency connection to the Internet— typically contrasted with dial-up access using a 56 kbit/s modem or satellite Internet with inherently high latency....
connection and many leave their computers on all the time. In January, 2008, 8% of all e-mail spam was sent by the Storm botnet
Storm botnet
The Storm botnet or Storm worm botnet is a remotely controlled network of "zombie" computers that have been linked by the Storm Worm, a Trojan horse spread through e-mail spam...
, created by the Storm Worm
Storm Worm
The Storm Worm is a backdoor Trojan horse that affects computers using Microsoft operating systems, discovered on January 17, 2007...
, first released in January, 2007. It is estimated that as many as 1 million or more computers have been infected and their owners are unwilling and unknowing participants. In the 3rd quarter of 2008 almost one in every 400 email messages contained a dangerous attachment, designed to infect the recipient’s computer, eight times as often as in the previous quarter.