
Re: OT: email hijacked?

From: H. S. Teoh <hsteoh@...>
Date: Thursday, May 5, 2005, 16:34
On Thu, May 05, 2005 at 05:41:09PM +0200, Carsten Becker wrote:
> Hey, time to mutter about spam again ...
>
> On Wednesday 04 May 2005 21:16 CEST, Damian Yerrick wrote:
>
> > Nobody expects the Spammish Inquisition!
> > http://spamcop.net/
> > Paste headers+body into the form and report the spamming
> > b*st*rds to their ISPs.
>
> I don't believe that helps much: I only get at least two
> spam mails from the same address. And recently most spams
> came from ...@zipmail.co.br for some reason.

Actually, services like Spamcop *do* help, at least in tracking down the big-time spammers. Most people are unaware of this, but the From: address in email is completely forgeable, and trivially so. It is not surprising you never get spams from the same address over time; the From: address is forged to prevent easy tracking to the spammer.

Nevertheless, provided you submit the spam with full mail headers (and not just the message body), Spamcop is well able to track down the real source of the spam. (Most of the time, the real source has absolutely no relation to what is claimed in the From: address.) At least, it is able to narrow down the source of spam to the ISP that the spammer is using. Spamcop is well-known for taking active efforts to contact the ISP and request appropriate countermeasures. Many spam operations have been shut down in the past through these types of specific complaints. (Unfortunately, because of the sad state of spam legislation, no further action can be taken against spammers other than removing them from the ISP, upon which they simply switch to another, less stringent ISP, of which there are unfortunately too many.)

> And for some other reason, my mail host's spam filter does not
> filter out spam anymore, although the filter is switched on. The
> suspicion that spammers must use anonymous or pretend-to-be email
> sending software I have from getting spam from addresses like
> 34kh.fj.39375@uni-goettingen.de or something like that.

As I said, the From: header is completely forgeable, and trivially so. It is an unfortunate design oversight of the email RFCs, which were written in a much more innocent day and age where mutual trust is implied between communicating parties. It was intended to provide flexibility in such cases when someone for whatever reason wishes to receive email replies at a different address from the one it is being sent from. In today's internet of sleaze mongers, scammers, and other savory characters, however, this feature turned out to be disastrous, as spammers have not only taken to completely forging the From: address, but also to sticking somebody else's legitimate address so that any vengeful response from the recipient would be directed at an unknowing, innocent third party.

> The most funny thing is when I get spam from @beckerscarsten.de or
> @server32.greatnet.de (the server my page is on) with an address
> before that @ that does not exist at all!

That is a typical spammer technique. Nothing new there.

> What really annoyed me today was a faked "Mail Delivery Error" spam,
> titled _Mail Delivery (error: naranoieati@beckerscarsten.de)_,
> coming from an address I have never sent an email to. And also, in
> Germany, if not even in the entire EU, spam is forbidden IIRC, so
> most spam I get actually comes from ex-Soviet countries or the
> Americas.

[...]

It depends. Sometimes a spam may *claim* to be coming from an ex-Soviet country or otherwise, or it may appear at first glance to be coming from such foreign places, whereas it is actually coming from a local source. Services such as Spamcop are able, in most cases, to track down the real source of the spam. In the case that the spammer is actually located in a place where it is illegal to spam, it may be possible to take action against them.

It is also true, however, with the proliferation of the inherently insecure default configuration of Windows installations among end-users who are not well-informed with computers, especially in foreign countries where anti-spam laws are not in place, that spammers have taken to breaking into such PCs and using them as "zombies" to send spam in a way that makes it extremely difficult to trace to the real spammer.

T

--
When solving a problem, take care that you do not become part of the problem.
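
The point made in the message above, that full headers identify the real source while From: does not, shown as an added example that is not part of the original post and is not Spamcop's own method. It assumes Postfix-style `Received:` lines; the message, the `.example` hosts, and the `TRUSTED` relay table are all constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (documentation IPs, .example domains). The bottom
# Received line is one the sender could have typed in themselves.
RAW = """\
Received: from gw.recipient.example (gw.recipient.example [192.0.2.10])
    by mx.recipient.example with ESMTP; Thu, 5 May 2005 16:00:03 +0200
Received: from mail.uni.example (unknown [203.0.113.77])
    by gw.recipient.example with SMTP; Thu, 5 May 2005 16:00:01 +0200
Received: from webmail.uni.example (webmail.uni.example [198.51.100.5])
    by mail.uni.example with ESMTP; Thu, 5 May 2005 15:59:00 +0200
From: "Support" <34kh.fj.39375@uni.example>
To: someone@recipient.example
Subject: Mail Delivery (error)

constructed body
"""

# Assumption: relays the recipient operates, hostname -> IP address.
TRUSTED = {"mx.recipient.example": "192.0.2.11",
           "gw.recipient.example": "192.0.2.10"}

HOP = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9A-Fa-f.:]+)\]\)\s+by\s+(\S+)")

def trace_origin(raw, trusted):
    """Return the first connection seen by a trusted relay from outside."""
    msg = message_from_string(raw)
    claimed = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    for hop in msg.get_all("Received", []):       # newest hop first
        m = HOP.search(hop)
        if not m or m.group(4).lower() not in trusted:
            break                                  # line not written by our relay
        helo, rdns, ip, by = m.groups()
        if ip in trusted.values():
            continue                               # internal hand-off, keep walking
        return {"from_domain": claimed, "helo": helo, "rdns": rdns,
                "origin_ip": ip, "recorded_by": by,
                "helo_matches_rdns": helo.lower() == rdns.lower()}
    return {"from_domain": claimed, "origin_ip": None}

if __name__ == "__main__":
    for key, value in trace_origin(RAW, TRUSTED).items():
        print(f"{key}: {value}")
```

Only the IP address written by a relay you control is evidence; the HELO name, the From: domain, and every `Received:` line below that hop are supplied by the sender.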
