Internet.com ISP-Planet

 


Spammers, Picking the Pockets of ISPs Everywhere

Members of the ISP-Tech list discuss the downside of spam sent with spoofed e-mail addresses, wondering if there is any recourse for those who seek a permanent solution.

[October 11, 2002]

On the ISP-Tech discussion list in October, RR asked:

"Has anyone been getting spam from the address of someone you know (or with their real name attached to a bogus address)? I thought I was imagining conspiracies until today when I got spam from a co-worker with an uncommon name. He definitely didn't send it. I want to know how spammers are getting this information. Has anyone else run into this yet?"

[LC suggested] "They have your name and the other person's name in their database. It’s easy enough to select two different names from their database that haven't bounced in the past (verified as deliverable) with the same @recipient.domain. You can stop such forgeries by requiring the sending IP to have matching A + PTR records when it alleges to be sending MAIL FROM:@yourdomain."

But RR replied: "They are using different domains."

[MR vented] "I'm getting users e-mailing me asking who this is and I reply, ‘this is Mike, who's this?’ They seem to be getting e-mail messages from my e-mail address, yet I am not sending these e-mails. I'm fairly sure I don't have a virus because I run Norton. It has protected me so far. So I think someone is forging my e-mail address. Are you guys familiar with this tactic? Is it common practice?

I don't understand; if professional spammers believe that spamming is fair, then why would they be forced to hide themselves? Obviously they don't understand the concept of advertising. Spamming is Stealing!

Spammers are profiting from my company's bandwidth without permission. I think I'm going to have to change my e-mail. See what it's come to? The innocent are forced to change, not the criminals. I'm sorry for venting, I’m just sick of the 1,000's of spam messages I get in my inbox each day."

[LC replied] "All e-mail headers are forgeable. Not one is trustable. Most spammers/forgers send from IPs that have no reverse delegation at all, or the sending IP's A + PTR records don't match. So if every ISP did their forward and reverse DNS correctly, and used this DNS validation technique, we'd be a lot better off."
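The A + PTR validation LC describes in this reply and in the earlier one, sketched as an added example that is not code from the list or the article. The function names, the `all_senders` flag and the sample zone data are assumptions constructed for illustration.

```python
import socket

def ptr_lookup(ip):
    """PTR names for ip via the system resolver; [] if no reverse delegation."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + aliases
    except OSError:
        return []

def a_lookup(host):
    """IPv4 A records for host via the system resolver; [] if it does not resolve."""
    try:
        return socket.gethostbyname_ex(host)[2]
    except OSError:
        return []

def check_mail_from(ip, mail_from, local_domain, all_senders=False,
                    ptr=ptr_lookup, a=a_lookup):
    """Return (accept, reason) for an SMTP client at ip offering mail_from.

    By default only senders claiming local_domain are checked, as in the
    first suggestion; all_senders=True checks every client (assumed flag).
    """
    domain = mail_from.rpartition("@")[2].rstrip(".").lower()
    if domain != local_domain.lower() and not all_senders:
        return True, "policy does not apply to this sender domain"
    names = ptr(ip)
    if not names:
        return False, "no PTR record"
    # Forward-confirm: some PTR name must have an A record equal to the client IP.
    confirmed = [n.rstrip(".").lower() for n in names if ip in a(n)]
    if not confirmed:
        return False, "A + PTR mismatch"
    return True, "forward-confirmed as " + confirmed[0]

# Constructed sample zone data (documentation ranges) so the demo runs offline.
SAMPLE_PTR = {"192.0.2.10": ["mail.example.com"], "198.51.100.7": ["mail.example.com"]}
SAMPLE_A = {"mail.example.com": ["192.0.2.10"]}

def sample_ptr(ip):
    return SAMPLE_PTR.get(ip, [])

def sample_a(host):
    return SAMPLE_A.get(host, [])

if __name__ == "__main__":
    for ip, sender in [("192.0.2.10", "mike@example.com"),
                       ("198.51.100.7", "mike@example.com"),
                       ("203.0.113.5", "mike@example.com"),
                       ("203.0.113.5", "mike@other.example")]:
        print(ip, sender, check_mail_from(ip, sender, "example.com",
                                          ptr=sample_ptr, a=sample_a))
```

The last sample case is the situation RR raised: a forgery that uses a different domain is not covered by the rule scoped to your own domain, and is only rejected when the check is applied to every connecting client.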

Others have also been irritated by forged headers:

[KW remembered] "Someone recently forged an e-mail address that I used to use. The address has not been valid since the end of '98. It’s all over a few groups I used to frequent. Especially bad, since it came up when my boss got an e-mail complaint from a lady who said I was sending her porn spam. He laughed but I was less than amused—to say the least."

[PH complained] "Quite possibly your e-mail address was picked to be the return address for a piece of spam. I've gotten a few cases of mine picked for people totally unrelated to any of my networks."

[JL added] "This is not a ‘new’ tactic. Spammers have been randomly spoofing ‘from’ addresses using the same mailing list software which generates the ‘to’ addresses for at least a year. The recent increase of such types of spam makes the technique more obvious. You're simply on one (probably many) of their lists."

It seemed there was no recourse:

[KW said] "I wish I had the full headers of said spam. I would have gone to great lengths to find the perp(s)."

[LC replied] "That would have been a great waste of time since the Received: headers you would have needed were probably forged or missing."

[KW replied] "You are right of course. I Googled the e-mail address in question and surprisingly the first hit that came up was from news.admin.net-abuse.sightings and had the spam in question with some headers. All I can tell from the headers is that they spoofed the hostname, including the old e-mail address, and bounced it off a machine in Mi.it, which was then delivered to someone at tyner.mail.mindspring.net. Bah."

—End
