
Learning To Track Spam Headers


JoeCirrius


:) Greetings, (This is my first post and I hope it is in the right area)

I am learning to track down spam sources in headers and find it fascinating. I do my own analysis by opening an email with Notepad. I submit it to SpamCop and then compare the results to my own work with Sam Spade.

This has made a lot of sense up until the mail-hosts concept that I read about recently. I would appreciate someone helping me here.

I gather that my ISP/mail provider has a variety of mail servers that process the incoming mail on its way to me from the outside world (the Internet). These servers (hosts) would be an intranet on my ISP/email provider's turf. If I understand correctly, SpamCop will create a LIST of these hosts/servers and consider any header showing these names to be legitimate. I believe this is called an MX Lookup? Ok so far?

Now... as soon as mail handling (in the header listing) gets OUTSIDE of the list of familiar hosts/servers (MX list) and now lists an UNLISTED sending server/host, it is POSSIBLE that this is the Open Relay (spam source). Ok so far?

If traditional analysis, looking for 1) a Forged Header - server name that does not match the IP address or 2) a known Open Relay from a DNSBL, does not show anything unusual... then the first server outside of my mail-hosts is the Open Relay that was exploited? Ok so far?

Finally, I saw this program that is supposed to allow you to send mail to your friends without any configuration knowledge. The creator claims that it ACTS as a mail server and sends your mail without routing directly to the ADDRESSED PERSON via a DNS lookup of the domain in their address. Is this how the new spam mailers are sending mail? BTW, the program did NOT work. I tried it for fun and to learn. But is this the new source of this problem? Spammers who have programs like this that DO work?

Thanks for your help...

Joe


    Now... as soon as mail handling (in the header listing) gets OUTSIDE of the list of familiar hosts/servers (MX list) and now lists an UNLISTED sending server/host, it is POSSIBLE that this is the Open Relay (spam source). Ok so far?

    If traditional analysis, looking for 1) a Forged Header - server name that does not match the IP address or 2) a known Open Relay from a DNSBL, does not show anything unusual... then the first server outside of my mail-hosts is the Open Relay that was exploited? Ok so far?

With mailhosts, spamcop will almost always report the server that connected to your legitimate server. Any server before there should not be handling your messages unless they are the source. There are a few exceptions where mail forwarders are set to be "trusted" in the spamcop database and the parse will continue. Basically, spamcop is looking for who placed the message into your stream.


    Now... as soon as mail handling (in the header listing) gets OUTSIDE of the list of familiar hosts/servers (MX list) and now lists an UNLISTED sending server/host, it is POSSIBLE that this is the Open Relay (spam source). Ok so far?

    If traditional analysis, looking for 1) a Forged Header - server name that does not match the IP address or 2) a known Open Relay from a DNSBL, does not show anything unusual... then the first server outside of my mail-hosts is the Open Relay that was exploited? Ok so far?

The SpamCop parser does what is called a "chain test", attempting to follow the connection from one server to the next. It's at the point of failure to connect the dots that the decision is attempted at working out which server allowed the injection of the e-mail. It might be the first server outside your ISP, it could be a dozen servers away.

    Finally, I saw this program that is supposed to allow you to send mail to your friends without any configuration knowledge.

In all fairness, just about any legitimate software I'm aware of requires some configuration, if nothing more than inserting your name into a registration screen. An e-mail server should require a number of data items to be tailored to your location.

    The creator claims that it ACTS as a mail server and sends your mail without routing directly to the ADDRESSED PERSON via a DNS lookup of the domain in their address. Is this how the new spam mailers are sending mail?

Technically, you can send e-mail this way yourself, connecting to the other e-mail server via TELNET and simply walking through the command list required to negotiate the handshaking required to deliver the text/data you provide. SMTP is a clearly defined protocol. So yes, some virus/trojan payloads are SMTP engines that do a direct-to-MX method of e-mail transfer, some act like more normal e-mail servers. The results of these are the compromised end-user machines that spew on end until the ISP eventually notices the traffic/complaints (or maybe the end-user finally decides to go get the computer fixed because it's running so slow).

The reason it may not have worked could have been that you were trying to send e-mail to an ISP that has various BLs in use, some of which ban incoming e-mail traffic from "dial-up space", which includes high-speed cable stuff. Going back to most home users are not allowed to be running servers, so e-mail should not be seen coming from those IP addresses.


Hi Wazoo,

Thanks for the reply.

    The SpamCop parser does what is called a "chain test", attempting to follow the connection from one server to the next. It's at the point of failure to connect the dots that the decision is attempted at working out which server allowed the injection of the e-mail. It might be the first server outside your ISP, it could be a dozen servers away.

OK... this makes perfect sense. For traditional spam source tracking (as we have done for years). But now in this new era when a spam mailer does NOT need to commandeer a server (because his own software acts as the mail server???) is this not different? In other words, when SpamCop finds that there is NO: 1) Failure to connect the dots (IPs match server connection names so each chain is logical and verifiable) 2) There is No found Open Relay (No listing in SpamCop or elsewhere) is this not where HOSTS/SERVERS are needed? In other words, as I understand it, spammers can now create perfect forgeries (because their mailing software simulates an on-line server rather than a client???) However, when we prove that the forgery is perfect, AND WE KNOW IT IS spam, then the new "chain test" is that the first Received From Outside my Host/Server list is the spam source. Is this correct? In other words, if SpamCop knows the SpamCop user's Hosts/Servers MX list, where does this knowledge become of value in determining the mail source?

Thanks for your reply and patience with my novice level understanding,

Joe


Hi Steven,

Thanks for your reply.

    With mailhosts, spamcop will almost always report the server that connected to your legitimate server. Any server before there should not be handling your messages unless they are the source. There are a few exceptions where mail forwarders are set to be "trusted" in the spamcop database and the parse will continue. Basically, spamcop is looking for who placed the message into your stream.

How can SpamCop determine which mail forwarder is "trusted?" Is this like a white list? If so is there access to it?

Joe


It was while working to parse the forgeries that the MailHost configuration came into play .. and that had the secondary effect of assisting in the prevention of self-reporting. Yes, this data is pumped into a database, yes, the Deputies have access to this database to adjust, reset, tweak some entries to try to work around some bad configurations, some bad user input, etc. ... even adding or changing bits on "trusted" servers ... nope, you can't play with it short of running your account through the process and possibly adding some more data ...

I am very hesitant about the phrase "first server outside your MailHost" ... not that it isn't correct, it's just that absolutes in this situation aren't a good thing. The parser is just a tool and stuff happens. <g> A current forgery issue (though the actual problem seems to have been spamtrap hits rather than the poor forgeries), please see http://forum.spamcop.net/forums/index.php?showtopic=3991


    OK... this makes perfect sense. For traditional spam source tracking (as we have done for years). But now in this new era when a spam mailer does NOT need to commandeer a server (because his own software acts as the mail server???) is this not different? In other words, when SpamCop finds that there is NO: 1) Failure to connect the dots (IPs match server connection names so each chain is logical and verifiable) 2) There is No found Open Relay (No listing in SpamCop or elsewhere) is this not where HOSTS/SERVERS are needed? In other words, as I understand it, spammers can now create perfect forgeries (because their mailing software simulates an on-line server rather than a client???) However, when we prove that the forgery is perfect, AND WE KNOW IT IS spam, then the new "chain test" is that the first Received From Outside my Host/Server list is the spam source. Is this correct? In other words, if SpamCop knows the SpamCop user's Hosts/Servers MX list, where does this knowledge become of value in determining the mail source?

In most cases they cannot make perfect forgeries since most e-mail servers record the IP address of who is connecting in its received statement in the header. The IP address of the spammer will almost always be in the header because of this. Any forged headers could be tested, as Wazoo stated, to see if they are real. It could theoretically be possible to trick SpamCop.net into thinking a different server sent the e-mail, I suppose, but that would limit the spammer in what they could put in the header since the forged header entry would have to pass the tests, which means that their e-mails still could easily be tagged as spam since it couldn't vary much.

Programs that you describe that are both the client and the server can have legitimate purposes. There are many out there that are very good at sending mailing lists. The legitimate ones produce properly formatted headers and identify the IP address of the computer the program is running on. There is no option to change the headers in most of these programs. It is very easy for SpamCop.net to blacklist spammers who use the legitimate server/client mailers, since they are designed for legitimate e-mails and report the spammer's IP in the header as the source.

Then there are tons of spam software as well, and many of them forge the headers to mask the source of the spam. SpamCop.net's tests can help determine where it is really coming from.

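The points made across this thread (Steven: with mailhosts the parser reports the host that connected to your own server, and your server records that IP whatever the sender announced; Wazoo: the "chain test" that follows each Received: line to the next; Joe's own checks for a forged server name and a DNSBL listing) can be put into a small header walker. The code below is an added example written for this thread; it is not SpamCop's parser nor code from any poster. The message, the mail-host list, the reverse-DNS table and the DNSBL zone name are all constructed for the demonstration; a real analysis would replace the table with actual reverse lookups and the zone with the list you subscribe to.

```python
"""Walk the Received: chain of a message the way the thread describes:
trust only hops recorded by your own mail hosts, find the connection that
injected the message, and check whether the announced name was forged."""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed sample (not a real message). Most recent hop is on top. The
# bottom Received: line was planted by the sender; the only fact our own
# servers recorded is that 203.0.113.77 connected to mx1.myisp.test.
SAMPLE_MESSAGE = (
    "Received: from mx2.myisp.test (mx2.myisp.test [192.0.2.20])\n"
    "\tby mailbox.myisp.test with ESMTP id abc123\n"
    "\tfor <joe@myisp.test>; Tue, 01 Mar 2005 10:00:05 -0500\n"
    "Received: from mx1.myisp.test (mx1.myisp.test [192.0.2.10])\n"
    "\tby mx2.myisp.test with ESMTP id def456; Tue, 01 Mar 2005 10:00:04 -0500\n"
    "Received: from relay.example-hosting.test (unknown [203.0.113.77])\n"
    "\tby mx1.myisp.test with SMTP id ghi789; Tue, 01 Mar 2005 10:00:02 -0500\n"
    "Received: from mail.example-bank.test (mail.example-bank.test [198.51.100.5])\n"
    "\tby relay.example-hosting.test with ESMTP id jkl012; Tue, 01 Mar 2005 09:59:00 -0500\n"
    "From: alerts@example-bank.test\nTo: joe@myisp.test\nSubject: constructed sample\n"
    "\nbody\n"
)

# Your provider's own servers: the per-account "mailhosts" list the thread discusses.
MY_MAILHOSTS = {"mailbox.myisp.test", "mx2.myisp.test", "mx1.myisp.test"}

# Constructed reverse-DNS table standing in for the lookups Sam Spade would run.
FAKE_RDNS = {
    "192.0.2.20": "mx2.myisp.test",
    "192.0.2.10": "mx1.myisp.test",
    "203.0.113.77": "cpe-77.cable.example.test",   # a residential line, not a relay
    "198.51.100.5": "mail.example-bank.test",
}

HOP_RE = re.compile(
    r"from\s+(?P<name>[^\s(;]+)"          # name the connecting host announced (HELO)
    r"(?:\s*\((?P<comment>[^)]*)\))?"     # receiver's own note, usually "rdns [ip]"
    r".*?\bby\s+(?P<by>[^\s(;]+)",        # the server that wrote this line
    re.IGNORECASE | re.DOTALL,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


@dataclass
class Hop:
    helo_name: str        # what the sender claimed to be
    ip: Optional[str]     # address the receiving server actually saw
    by: str               # receiving server that recorded the hop


@dataclass
class Verdict:
    source_ip: Optional[str]     # who placed the message into your stream
    injected_at: Optional[int]   # index of that hop (0 = closest to you)
    helo_forged: bool            # announced name disagrees with reverse DNS
    unverified_hops: int         # lines below the injection point: untrusted


def parse_received(raw: str) -> List[Hop]:
    """Unfold the header block and parse every Received: line, top first."""
    headers = raw.split("\n\n", 1)[0]
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)
    hops = []
    for line in unfolded.split("\n"):
        if not line.lower().startswith("received:"):
            continue
        m = HOP_RE.search(line[len("received:"):])
        if not m:
            continue
        ip = IP_RE.search(m.group("comment") or "")
        hops.append(Hop(m.group("name").lower(), ip.group(1) if ip else None,
                        m.group("by").lower()))
    return hops


def chain_links(hops: List[Hop]) -> List[bool]:
    """Wazoo's chain test: does each line's recording server match the host the
    line above says it received from? A forger can make these agree, so a
    passing chain proves little on its own."""
    return [hops[i].by == hops[i - 1].helo_name for i in range(1, len(hops))]


def find_source(hops: List[Hop], mailhosts: set,
                rdns: Callable[[str], Optional[str]]) -> Verdict:
    """Walk down through hops recorded by our own servers. The first hop whose
    connecting host (judged by the IP our server saw, never by the announced
    name) is not one of ours is the injection point; everything below it was
    written by a party we do not trust."""
    for i, hop in enumerate(hops):
        if hop.by not in mailhosts:
            break                              # left our turf without a verdict
        actual_name = rdns(hop.ip) if hop.ip else None
        if actual_name in mailhosts:
            continue                           # internal hand-off between our servers
        forged = actual_name is not None and actual_name != hop.helo_name
        return Verdict(hop.ip, i, forged, len(hops) - i - 1)
    return Verdict(None, None, False, len(hops))   # inconclusive: hand it to a human


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Name to resolve for a DNSBL check: octets reversed under the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


if __name__ == "__main__":
    hops = parse_received(SAMPLE_MESSAGE)
    v = find_source(hops, MY_MAILHOSTS, FAKE_RDNS.get)
    print(f"source {v.source_ip} at hop {v.injected_at}; HELO forged: {v.helo_forged}; "
          f"{v.unverified_hops} untrusted line(s) below; chain links {chain_links(hops)}")
    print("DNSBL lookup name:", dnsbl_query_name(v.source_ip, "dnsbl.example.test"))
```

In the sample the chain test passes all the way down, because the planted bottom line was written to link neatly to the hop above it; what exposes it is that mx1.myisp.test recorded 203.0.113.77 as the connecting address, and that address does not reverse to the name it announced. That is Steven's point in the last reply: the injection IP is in the header because your own server wrote it there, and the line beneath it is unverifiable rather than evidence.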
