But I Don't Send SPAM - Or Do I?

SPAM infects all of our lives. As much as we actually get I bet your e-mail provider has probably blocked about 100-1000 pieces of SPAM you never saw. I host around 500 e-mail accounts and probably 900 actual addresses on my mail server. I block around 2 million, yes million pieces of certified SPAM each week! Where does it all come from, well dear reader there is a good chance it was you!

I am not going to get into the finite details of how SPAMMERS operate, because honestly that would be a book by itself and I am not sure I am the one to write it. I am going to provide a high level explanation though. There are two avenues SPAMMERS use to send their SPAM, from their servers and from remotely controlled computers all over the Internet.

The Good the Spam and the Ugly
by Steve H. Graham

Read more about this title...

What is SMTP?

Besides the human nature to be greedy SPAM exists because when the original specifications for the SMTP (Simple Mail Transport Protocol) protocol were being drafted and eventually accepted, they did not require authentication to send e-mail. You can read through the SMTP RFCs on your own to get the nitty gritty of how it all works. While your first reaction is why didn't they include authentication, when you really think about it, that would create an ugly scenario in and of itself. Which I am not going to get into the pro and con debate here.

Basically SMTP was created to specify how e-mail would be moved around the Internet. Requiring authentication would bring it to a screeching halt.

SPAM Blacklist

Computers that send SPAM quickly get blacklisted in services like www.spamhaus.org. These sites track known sources of SPAM and place the computer's IP address in a blacklist. The reason why the IP address and not the domain is placed in the blacklist is because a computer can send e-mail from any source. For example a typical hosting company may have thousands of domains from which it sends e-mail. Blocking a rouge domain would leave many more potential sources of SPAM wide open, when it can be completely stamped out by blocking the computer's IP address.

The Blacklist providers, well at least the valid ones, keep track of actual SPAM that has built up either through honeypots or through their internal SPAM filtering system. A honeypot is a computer or site on the Internet setup explicitly to catch evil doers. In the case of SPAM it might be a specific e-mail address only give to potential SPAMMERS or a server that evaluates the content coming from the Internet for its SPAMMINESS.  An IP address will typically not be permanently in these list, but will remain there for a long time. You can request to be removed, but you will often have to prove your SPAM issue has been resolved.

Because the blacklist block IP addresses, this makes unique IP addresses very valuable to a SPAMMER.


Some SPAMMERS are actually brave enough to send the junk mail from their own servers, but quickly find out that they will get blacklisted very fast. A common tactic for true SPAMMERS is to purchase large blocks of dial-up access in China and use those IP addresses to send their SPAM from. Because of this many SPAM algorithms evaluate the location of the source IP address to see if it is from a country loaded with sources of SPAM or not and add points to the SPAM score because of it.

This tactic seems to be utilized less and less, mostly because it adds financial overhead to the SPAMMER and makes it easy to be tracked down by law enforcement. Not to mention angry Internet users who can make death threats to the SPAMMER, not that I am condoning this activity.....

Contextual SPAM Scoring

I keep referring to algorithms that score SPAM. What I am referring to is contextual scoring algorithms that determine if the e-mail looks like SPAM. What actually happens is the e-mail headers and content are run through a long series of regular expressions to determine if there are any matches and add weighted points for each match. In my case I can control what point level constitutes SPAM. If the score is higher than my selected point value the e-mail is considered SPAM and it is removed form further processing and the end user never sees it.

There are many SPAM detection and scoring systems that can be integrated with most e-mail servers. SPAM Assassin is by far the most popular system. While it is an open source solution and technically free, it is not for the faint of heart to manage. It works on a large set of regular expressions that need to continually be updated from a central source and your own research.

SpamAssassin: A Practical Guide to Integration and Configuration
by Alistair McDonald

Read more about this title...

Trojans and Viruses

The second method SPAMMERS use if remotely controlled computers, which are typically home and business computers that have been compromised with a virus. Many times these will be in the form of a RootKit, which is a virus that runs underneath the operating system close to the metal. They are very hard to detect and remove.

Professional Rootkits (Programmer to Programmer)
by Ric Vieler

Read more about this title...

These viruses are controlled remotely by the SPAMMER to send a piece of SPAM to a desired e-mail address. Since the Trojans run in the background most users will never know they exist. They may notice their computers are a little sluggish, but have no real indication the virus is so malicious.

This is why for common users it is so important to use real virus scanning software like AVG. Norton is a fine commercial product, but from my experience it is very weak. Plus it causes machines to run extremely slow once it is up and running.

Since the SPAMMER's e-mails are being sent from their army of remotely controlled computers if an IP address gets blocked they just take it out of the rotation till a new IP address is applied to the computer. That is right a new IP address. Either with an old dial-up IP address or a semi-dedicated IP address through DSL or Cable the SPAMMER sends their e-mail from your computers.

Every so often the broadband Internet providers rotate assigned IP addresses to their clients. This means the infected machine will get a new IP address that can send the SPAM. At the same time an unsuspecting user will inherit the bad or blocked IP address. This can be a problem that affects a few of my clients each month. They cannot send e-mail through their provider anymore. Their IP address is in the Blacklist. It could be them that is sending the SPAM, it may not be since they inherited a bad IP address.

The best way for me to check is to plug their Internet IP address into www.SenderBase.org. This is a great site that will tell you how many e-mails your IP address sends out in a given 24 hour period. It will also give you an idea of your IP address's existence in the popular Blacklists.

If you are sending large volumes of e-mail you will know from your status at Sender Base. What can you do, well first use something like AVG to scan your system and remove any viruses, etc. Note if you have more than one computer behind your public IP address, you will need to clean each machine. You may also want to run a packet sniffer on your network to determine which machine(s) is sending the SPAM. This will give you a clue as to who is infected. 

So the next time you complain about the SPAM in your inbox, think about where it came from, it could very well be you!

Share This Article With Your Friends!