Spam Simplified

by bill  (a.k.a. fsu_tkd90)

I have been a loyal reader of 2600 since 2000 and have wanted to write an article for some time.  But I never knew what to write about.  After much thought, I decided to write about my biggest headache at work, the mysterious and hidden world of email spam.

The Legal Side

Let's not forget that sending spam is unlawful in many jurisdictions.  In the U.S., the CAN-SPAM Act of 2003 does not ban bulk commercial e-mail outright, but it does outlaw exactly the tricks this article describes: materially falsified header information, deceptive subject lines, and sending through computers accessed without authorization.

If you wish to read more about the laws relating to spam do some Google searches on the following items:

Let's Get Started

A virus writer (also called an overseer or bot herder) infects poorly secured business and home computers with malware and then controls them through Command and Control (C&C) servers, so that the machines' resources can be used without the owners' knowledge.

Resources can include, but are not limited to, disk space, bandwidth, anonymity (someone else's IP address), and CPU time.  Once infected, these computers are called zombies (also zombie drones or bots), and a group of zombies under one controller is called a botnet.

Routing spam through a botnet is standard practice because it hides the true identity of the spammer, it spreads a single spam source across thousands of IP addresses, and it lets the spammer outrun DNS-based blocklists (DNSBLs) and other filters: by the time one zombie's address is listed, the next batch is already going out from another.

Bot herders can also steal passwords, engage in extortion, or perform Distributed Denial-of-Service (DDoS) attacks from infected machines.

For example, McColo was a Northern California hosting provider that housed the command and control servers for some of the largest botnets in the wild, including Rustock, Srizbi, Pushdo and Ozdok.  When McColo's upstream providers disconnected it in November 2008, worldwide spam volume dropped by an estimated 60 to 75 percent.  The victory was short-lived: by January 2009 the spammers had rebuilt their control infrastructure elsewhere and were back in business, stronger than ever.

What Makes Creating Botnets So Easy? - IRC

The Internet Relay Chat (IRC) protocol was originally created by Jarkko Oikarinen in 1988 so people could chat in real time over networks.

It operates on systems using the TCP/IP network protocol.  A typical setup involves a single server forming a central point for clients (or other servers) to connect to, while performing the required message delivery/multiplexing and other functions.

IRC itself is a plain-text protocol, but the popular IRC clients (mIRC above all) have powerful scripting languages with support for raw socket connections, port scanning, packet flooding, cloning, Bounce (BNC) and timers.  It is this scripting capability that the malicious code writer turns into a bot: the same script that can run a chat channel can take orders from one.

See below for explanations:

  • Raw Socket Connection:  Part of the underlying operating system's networking API; a raw socket gives a program direct control over a packet's headers instead of leaving them to the TCP/IP stack.
  • Port Scanning:  Searching a network host for open ports.  There are many free port scanning tools available on the web.  My favorite is Nmap, available for free at nmap.org.
  • Flooding:  Sending messages or connection requests faster than the target can process them, so that legitimate traffic is dropped.
  • Cloning:  In this context, opening two or more identical connections to the same IRC server from one host, usually to multiply a flood.
  • Bounce:  Using a computer other than your own as a gateway to an IRC server, so the server sees that machine's address rather than yours.
  • Timers:  Allow commands to be executed repeatedly with a specific delay.

IRC worms and bots are spread through both self-replicating code and social engineering.

Self-replicating variants abuse IRC's Direct Client-to-Client (DCC) file transfer capability to push a copy of themselves to other users.  The most popular method, though, was to scan for Windows file shares exposed over Microsoft's Server Message Block (SMB) protocol and copy the bot onto any share with weak or no credentials.  On the social side, the bot sends itself, or a link to itself, to the victim's contacts over instant messaging, for example over AIM's Open System for CommunicAtion in Realtime (OSCAR) protocol.

Other variants were spread through Peer-to-Peer (P2P) applications such as Kazaa.  The Mydoom worm (released into the wild in January 2004) showed the way for spreading IRC bots by e-mail as well.

In order to hide, IRC bots install themselves into Windows system directories where one more file goes unnoticed.  These directories may include C:\WINDOWS\FONTS, C:\WINDOWS\INF and C:\WINDOWS\SYSTEM32\CATROOT.

Some IRC bots drop REG files or write Run keys so that the registry starts them again every time the computer reboots.  Because bot source code is traded openly, it can be rewritten, reused, rearranged, or modified to suit the malicious code writer, which is why so many variants exist.  Some of the most talked about bots in the wild are Nugache and Phatbot.

Why Is Spam So Easy to Send? - The SMTP Vulnerability

The e-mail system is flawed at the SMTP level, and the mass e-mailer exploits that flaw.

All e-mail on the Internet is sent using a protocol called Simple Mail Transfer Protocol (SMTP).  The SMTP server is the Internet's mailman.  It accepts your message and finds a way to deliver it.  SMTP also records information about the route that an e-mail message takes from the sender to the recipient, in the form of Received headers.

Each transfer between computers is called a hop and all of the hops together are called the route.  In its basic form, the SMTP protocol provides no security: your e-mail is not private, it can be altered en route, there is no way to validate the identity of the e-mail source, and there is no way to tell if the message was tampered with.  Extensions bolt some of this on (STARTTLS encrypts a single hop; SPF lets a receiving server check whether the connecting IP address is authorized to send for the envelope sender's domain; DKIM lets it verify a signature over the headers and body against a key published by the signing domain), but none of them is mandatory, and a receiving server that does not check them gains nothing from them.

This lack of security in SMTP, and specifically the fact that the sending side can write whatever it likes in MAIL FROM and in the From: header, is what spammers exploit.

The E-Mail Message

An e-mail message consists of two parts: headers and body.

Headers provide information about the e-mail's origin and the route by which the message has traveled.  A single e-mail message can carry many headers, and each server that handles it adds a Received header of its own on top of the existing ones.  Unfortunately, e-mail headers are unreliable, since everything below the point where the message reached your own server could have been typed in by the sender:

  • The bottom-most Received header in any message is the first one put on it.  It should identify the first e-mail server that handled the message and its intended recipient; whether it really does is another matter.
  • You can't trust any headers except the top-most Received header, which was written by your own server and records the IP address that actually connected to it.  Read the chain from the top down, and stop trusting it at the first hop that was added by a server you don't control.

E-Mail Header Examination

X-Message-Delivery: WMAAjE7XYZ4MDtsPTA7YT0xO0Q9MTtTQ0w9MA==
X-Message-Status: n:0
X-SID-PRA: Spammer@SendingDomain.com
X-Message-Info: AZ87HG78BH3WeeePPP00iunbsESx5AAGgHvUe323v8s9ff6wFLDbfFZCNwIljC5gi/rfdJdnRS7suPwzviRMu0JLbWlcr9gSJ
Received: from SendingServer.SendingDomain.com ([192.168.2.2]) by col0-mc2-f16.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Wed, 1 Jul 2010 05:02:29 -0700
Subject: Send Spam
To: victim@ReceivingDomain.com
X-Mailer: Lotus Notes Release 5.5.5 November 1, 2012
Message-ID: <OHJB65F66B.1F&ZDA36-ON765475E6.1140FEBC-852575E6.004224C1@SendingDomain.com>
From: Spammer@SendingDomain.com
Date: Wed, 1 Dec 2010 08:01:34 -0400
X-MIMETrack: Serialize by Router on SendingServer/SendingDomain.com (Release 5.5.0|November 1, 2004) attack12/01/2009 08:01:35 AM
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Return-Path: Spammer@SendingDomain.com
X-OriginalArrivalTime: 01 Dec 2010 12:02:29.0653 (UTC) FILETIME=[CED41C50:01C9FA43]
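
The top-down walk described above, as an added example that is not part of the original article.  The sample message is constructed for this example and only modelled on the header dump above: the hostnames use the reserved .example domain, the IP addresses come from the RFC 5737 documentation ranges, and OWN_HOSTS is an assumed list of the servers the reader operates.  It carries three Received hops, two stamped by the receiving side's own servers and one stamped by the sender's machine, which is the hop a spammer can forge freely.

```python
"""Received-header walk: which hop can you actually trust?"""
import email
import re

# Constructed sample message (not a real capture); modelled on the article's dump.
SAMPLE = (
    "Received: from mx-in.receivingdomain.example (mx-in.receivingdomain.example [192.0.2.10])\n"
    " by store.receivingdomain.example with LMTP; Wed, 1 Dec 2010 12:02:30 +0000\n"
    "Received: from SendingServer.SendingDomain.com ([198.51.100.77])\n"
    " by mx-in.receivingdomain.example with ESMTP; Wed, 1 Dec 2010 12:02:29 +0000\n"
    "Received: from [10.0.0.5] (helo=trusted-bank.example)\n"
    " by SendingServer.SendingDomain.com with ESMTP; Wed, 1 Dec 2010 12:01:35 +0000\n"
    "From: Spammer@SendingDomain.com\n"
    "To: victim@ReceivingDomain.com\n"
    "Subject: Send Spam\n"
    "\n"
    "body\n"
)

# Assumed: the servers we operate. Only Received lines stamped "by" one of
# these were written by us; everything else is the sender's word.
OWN_HOSTS = {"store.receivingdomain.example", "mx-in.receivingdomain.example"}

FROM_RE = re.compile(r"\bfrom\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw_message):
    """Return Received hops top-down as (from_host, from_ip, by_host) tuples.

    Index 0 is the top-most header, i.e. the one added last; the final tuple
    is the bottom-most header, the first one that was put on the message.
    """
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())          # unfold the header
        frm, by, ip = FROM_RE.search(value), BY_RE.search(value), IP_RE.search(value)
        hops.append((frm.group(1) if frm else None,
                     ip.group(1) if ip else None,
                     by.group(1) if by else None))
    return hops


def claimed_origin_ip(raw_message):
    """The IP named in the bottom-most Received line: what the headers *claim*
    was the first server. Anyone upstream of us could have written it."""
    hops = received_hops(raw_message)
    return hops[-1][1] if hops else None


def first_external_ip(raw_message, own_hosts=OWN_HOSTS):
    """Walk top-down while the stamping ('by') server is ours and return the
    IP of the first peer that is not ours. That address was observed on a TCP
    connection by a server we control, so it cannot be forged in the headers;
    everything below that hop is hearsay."""
    for from_host, from_ip, by_host in received_hops(raw_message):
        if by_host is None or by_host.lower() not in own_hosts:
            break                                 # stamped by an outsider: stop
        if from_host and from_host.lower() in own_hosts:
            continue                              # internal hand-off, keep walking
        return from_ip
    return None


if __name__ == "__main__":
    for hop in received_hops(SAMPLE):
        print("from %-35s ip %-15s by %s" % hop)
    print("claimed origin (bottom Received):", claimed_origin_ip(SAMPLE))
    print("first IP our own server saw:     ", first_external_ip(SAMPLE))
```

On the sample, the bottom Received line claims the mail started at 10.0.0.5 with a HELO name of trusted-bank.example; that line was stamped by the sender's own server, so it is worth nothing.  The walk stops at 198.51.100.77, the address that actually connected to our mail exchanger, and that is the one to look up in a DNSBL or a whois.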

E-Mail Spoofing

Changing header information is also known as spoofing.

Spoofing conceals the identity of the sender by impersonating another computer system or another person's address.

A Basic Example of How to Spoof

C:\> telnet
Microsoft Telnet> set local_echo
Microsoft Telnet> o victums_server 25
Connecting To Victumspc...
220 Victumspc.hacked.com ESMTP Service (Lotus Domino Release 5.5) ready at Mon, 5 Jul 2012 10:55:17 -0400
EHLO natcargo.org
250-victumspc.hacked.com Hello hacked.com ([192.168.5.55]), pleased to meet you
250-HELP
250-SIZE
250 PIPELINING
MAIL FROM:<johndoe@madeup.net>
250 OK
RCPT TO:<real_address@some_domain.com>
250 OK
DATA
354 Start mail input; end with <CRLF>.<CRLF>

Note the form of the two envelope commands: the RFC syntax is MAIL FROM:<address> and RCPT TO:<address>, with the colon and angle brackets.  Many servers accept sloppier input, but the strict form works everywhere.

After the 354 response, type the message.  Header lines (From:, To:, Subject:, Date:) come first, one per line, and the server does not check any of them against the envelope, so they can say whatever you like; a blank line separates the headers from the body.

To end, type a period (.) on a line by itself, and then press "Enter" again.

If mail is working properly, you should see a response indicating that mail is queued for delivery.  The only true statement in the whole message will be the Received header this server adds, which records the real address it saw the connection come from.

A Real Life Spoofing Example

Mass e-mailers also sign up for throwaway accounts at legitimate e-mail services such as Yahoo!, Hotmail, Google, EarthLink, etc. and send through those.

This works until the e-mail service notices and blocks the account.  The spammer will typically get between 100 and 500 e-mails out before the connection is cut off.  This method is used heavily in 419 (advance-fee) scams and is hard for anti-spam filters to catch, because the mail really is coming from a valid, reputable domain through that domain's own mail servers.

How Do Spammers Connect to Internet?

  • Purchase an upstream connection from spam-friendly ISPs (may even use a "Pink Contract").
  • Purchase connectivity from non-spam friendly ISPs and spam until they are shut down, then switch to another ISP.  This is not a preferred method, as the spammer can face prosecution.
  • Purchase ISP roaming access using false names and untraceable payment methods.  This method is combined with open proxies to bypass ISP restrictions.
  • Obtain a pool of dispensable dial-up IP addresses and proxy traffic through these connections.  (An IP pool is simply a range of addresses that a DHCP or dial-up point-to-point server hands out to connecting clients; every reconnection gets a different one, so a block on any single address is short-lived.)
  • Look for hosting in other countries that are more lenient about such things and more interested in money than in ethics.
  • Use open or unsecured wireless connections.
  • Public Internet cafes.
  • Certain universities' on-campus networks are free and do not require authentication.

Open mail relays and open proxies are the spammer's favourite stepping stones.  An open relay is a mail server that accepts mail from any Internet host, without authentication, for delivery to domains it does not serve.  An open proxy is a server that lets any unauthenticated Internet host connect through it to other computers, including to port 25 on somebody's mail server.

They are located both in the U.S. and abroad.  The more open relays and proxies a spammer can chain together, the harder the spammer is to trace.  Spammers like to send e-mail, but they don't like to get caught or blocked, and the more anonymous they are while sending mail, the harder it is to stop them.

You can use the following link to check if your mail relay is open: www.checkor.com.  The test amounts to connecting to your server from outside, giving it a MAIL FROM and a RCPT TO that are both in domains it does not host, and seeing whether it answers 250 or a relay-denied error.
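
The relay test just described, and the EHLO / MAIL FROM / RCPT TO dialogue typed by hand in the telnet session earlier, as one added example in Python.  This is not the article's code and not the checkor.com service.  It stops before DATA, so nothing is ever delivered.  ScriptedServer is a constructed stand-in for a real MTA (its banner, hostnames and reply texts are made up) so that the example runs offline; probe_host() opens a real TCP connection and is only for servers you own.

```python
"""Minimal SMTP open-relay probe over a socket-like pair of file objects."""
import socket


def read_reply(rfile):
    """Read one SMTP reply, multi-line ("250-...") or final ("250 ...").
    Returns (numeric code, list of raw lines)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("connection closed by server")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":       # "250-" continues, "250 " ends
            return int(line[:3]), lines


def send_cmd(wfile, cmd):
    wfile.write((cmd + "\r\n").encode("ascii"))
    wfile.flush()


def relay_check(rfile, wfile, helo="probe.example", sender="probe@external.example",
                recipient="test@other-external.example"):
    """Return 'open', 'closed' or 'unknown'. sender and recipient must both be
    in domains the target does NOT host, otherwise a 250 proves nothing."""
    code, _ = read_reply(rfile)                   # 220 greeting
    if code != 220:
        return "unknown"
    send_cmd(wfile, f"EHLO {helo}")
    code, _ = read_reply(rfile)
    if code != 250:
        send_cmd(wfile, "QUIT")
        return "unknown"
    send_cmd(wfile, f"MAIL FROM:<{sender}>")      # RFC form: colon and angle brackets
    code, _ = read_reply(rfile)
    if code != 250:
        send_cmd(wfile, "QUIT")
        return "closed"                           # foreign sender rejected outright
    send_cmd(wfile, f"RCPT TO:<{recipient}>")
    code, _ = read_reply(rfile)
    send_cmd(wfile, "QUIT")                       # never DATA: nothing gets delivered
    return "open" if code in (250, 251) else "closed"


def probe_host(host, port=25, timeout=10):
    """Run relay_check over a real TCP connection (use only on servers you own)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as rfile, sock.makefile("wb") as wfile:
            return relay_check(rfile, wfile)


class ScriptedServer:
    """Constructed fake MTA that plays both rfile and wfile for relay_check.
    relay_for_anyone=True models a misconfigured open relay."""

    def __init__(self, hosted_domain="hosted.example", relay_for_anyone=False):
        self.hosted = hosted_domain
        self.open_relay = relay_for_anyone
        self.buf = b"220 mx.hosted.example ESMTP ready\r\n"

    def readline(self):
        end = self.buf.find(b"\r\n")
        if end < 0:
            line, self.buf = self.buf, b""
        else:
            line, self.buf = self.buf[:end + 2], self.buf[end + 2:]
        return line

    def write(self, data):
        cmd = data.decode("ascii").strip()
        verb = cmd.split(":")[0].split()[0].upper()
        if verb == "EHLO":
            self.buf += b"250-mx.hosted.example\r\n250-SIZE 10240000\r\n250 PIPELINING\r\n"
        elif verb == "MAIL":
            self.buf += b"250 2.1.0 Ok\r\n"
        elif verb == "RCPT":
            rcpt = cmd.split("<", 1)[1].rstrip(">")
            if self.open_relay or rcpt.endswith("@" + self.hosted):
                self.buf += b"250 2.1.5 Ok\r\n"
            else:
                self.buf += b"554 5.7.1 Relay access denied\r\n"
        elif verb == "QUIT":
            self.buf += b"221 2.0.0 Bye\r\n"
        else:
            self.buf += b"502 5.5.2 Command not implemented\r\n"

    def flush(self):
        pass


if __name__ == "__main__":
    for relay in (False, True):
        srv = ScriptedServer(relay_for_anyone=relay)
        print("open relay" if relay else "properly configured", "->", relay_check(srv, srv))
```

Two caveats a real probe has to live with.  Some servers accept every RCPT TO and only reject relaying after DATA, so a 250 here is a strong indicator rather than proof; and some reject the foreign MAIL FROM itself, which the function reports as "closed" without ever reaching the recipient check.  A 554 "Relay access denied" at RCPT TO, as the scripted server gives, is the answer you want to see from your own mail exchanger.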

To Rent or Not to Rent?

At this point, the bot herder can either rent out the botnet or send spam with it themselves.

Price estimates on botnet rentals vary.  They might cost about $25.00 USD per spam campaign or DDoS event, or $500.00 for a day or two.

Bulk E-Mail Tools

There are thousands, if not hundreds of thousands, of bulk e-mail tools available for the mass e-mailer.

Some are free, but most cost under $500.00 USD.  Some features of bulk e-mail applications include, but are not limited to, having a built-in e-mail server (so that it does not need the ISP's server), sending e-mails by schedule, support for HTML/text e-mails with multiple attachments, an automatic unsubscribe feature (unsubscribe requests are collected in a dropbox so that the spammer can retrieve them; since a request proves that somebody reads mail at that address, it is harvested rather than honoured), and adjustable sending speed.

Some can send 500,000 messages per hour over simultaneous connections, hide the spammer's identity automatically by adding random headers, search for open relays and proxies with which to route e-mail, and distribute the outgoing load over many open proxies.

www.softsea.com/software/Bulk-E-mail-Software.html is a site that offers reviews of bulk e-mail tools.

Some bulk e-mail tools include:

Spam Signature

Everyone and everything has a unique signature and unique characteristics.

ISPs, e-mails, spam, viruses, botnets, etc. are no different: they all leave electronic fingerprints.  A spam signature is whatever identifies one spam campaign across the thousands of messages it consists of.  It could be a unique string of letters and numbers that a particular bulk-mail tool or server writes into every message, a unique URL embedded in the body or in a header, or a hash (message digest) computed over selected header lines.

Below are examples of message digests or spam signatures:

  • 64AOGHMFBGGIG53PGEEKKOCHFDOMIOAA21
  • www.unique_no_work_viagra.com
  • Message Header Line: X-Mailer: The Bat! (v2.00.8) Personal
  • Message Header Line: X-Mailer: The Bat! (v3.71.04) Educational
  • Message Header Line: X-Mailer: The Bat! (v2.00.9) Business

Content filtering systems use this data to assign a higher Spam Confidence Level (SCL) to messages that match a known signature.

SCL is the score Microsoft Exchange attaches to each message as it passes the filter: a rating of 0 indicates that the message is highly unlikely to be spam, while a rating of 9 indicates that it is very likely spam (Exchange also uses -1 for mail from trusted senders that bypasses filtering altogether).  The SCL rating is stored as an attribute of the message, so later transport rules and the user's junk-folder threshold can act on it.
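
The signature-and-score idea above, carried through as an added example that is neither the article's code nor any vendor's filter.  It hashes the header lines and body URLs that recur across a campaign (the same X-Mailer lines and URL the article lists) into short digests, looks them up in a constructed block list, and returns a 0 to 9 confidence level.  The two sample messages, the block list and its weights are all made up for the example.

```python
"""Campaign signatures hashed into message digests, scored SCL-style (0-9)."""
import email
import hashlib
import re

URL_RE = re.compile(r"https?://[^\s<>\"']+|www\.[^\s<>\"']+", re.IGNORECASE)
# Header fields that bulk-mail tools tend to copy unchanged into every message.
SIGNATURE_HEADERS = ("X-Mailer", "User-Agent", "X-Message-Delivery", "X-Message-Info")


def normalise(token):
    """Case and whitespace are the cheapest things for a spammer to vary."""
    return " ".join(token.lower().split())


def digest(token):
    """Short hex digest standing in for the article's 'message digest'."""
    return hashlib.sha256(normalise(token).encode("utf-8")).hexdigest()[:16]


def signatures(raw_message):
    """Return {label: digest} for every signature header and body URL host."""
    msg = email.message_from_string(raw_message)
    sigs = {}
    for name in SIGNATURE_HEADERS:
        value = msg.get(name)
        if value:
            sigs[f"header:{name}"] = digest(f"{name}: {value}")
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    for url in URL_RE.findall(body):
        host = re.sub(r"^https?://", "", url, flags=re.IGNORECASE).split("/")[0]
        sigs[f"url:{host.lower()}"] = digest(host)
    return sigs


# Constructed block list: digests seen in earlier campaigns and the SCL each
# one earns. The entries are the signatures the article itself lists.
KNOWN_BAD = {
    digest("X-Mailer: The Bat! (v2.00.8) Personal"): 7,
    digest("www.unique_no_work_viagra.com"): 9,
}


def spam_confidence(raw_message, known_bad=KNOWN_BAD):
    """0 when no known signature matches; otherwise the worst matching score."""
    scores = [known_bad[d] for d in signatures(raw_message).values() if d in known_bad]
    return max(scores, default=0)


# Constructed samples (not real captures).
SPAM = (
    "X-Mailer: The Bat! (v2.00.8) Personal\n"
    "From: Spammer@SendingDomain.com\n"
    "To: victim@ReceivingDomain.com\n"
    "Subject: Send Spam\n"
    "\n"
    "Cheap pills at http://www.unique_no_work_viagra.com/buy today\n"
)
HAM = (
    "From: alice@example.test\n"
    "To: bob@example.test\n"
    "Subject: lunch\n"
    "\n"
    "Menu is at http://www.example.test/menu\n"
)

if __name__ == "__main__":
    for label, raw in (("spam", SPAM), ("ham", HAM)):
        print(label, "SCL =", spam_confidence(raw), signatures(raw))
```

The weakness of the approach is the one the Bulk E-Mail Tools section hints at: tools that add random headers defeat header-line digests, so production filters pair signatures with sender reputation, DNSBL hits on the first external IP, and URL blocklists rather than relying on any one of them.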

Final Thoughts

Thank you to all the employees at 2600 for publishing my article, as well as to all the loyal readers for reading it.  As mass e-mail is not my chosen profession, I welcome any input from fellow 2600 readers.

References

RFC 2821, Simple Mail Transfer Protocol, Internet Engineering Task Force (IETF).  www.faqs.org/rfcs/rfc2821.html

Anti-Virus Research: "Flooding from the Underground: A Global Threat"

National Do Not E-mail Registry: A Report to Congress, Federal Trade Commission, June 2004.  www.ftc.gov/reports/dneregistry/report.pdf

Spoofing example.  antionline.com/showthread.php?t=265200

CentralOps.net: Investigate Any Internet Resource

Protect yourself: 5 zero-cost spam solutions.  www.spam-site.com/5-zero-cost-spam-solutions.shtml

"Spamming Botnets: Signatures and Characteristics"

"Spam Double-Funnel: Connecting Web Spammers with Advertisers"

IRC Links

IRC RFC at irchelp.org.  www.irchelp.org/irchelp/rfc/rfc.html

RFC 1459, Internet Relay Chat Protocol, at mirc.com.  www.mirc.com/help/rfc1459.txt
