Who's really the sender?


Clora


I'm new at trying to decipher the mechanics of spam so if my questions seem silly, you'll need to forgive me.

Obviously, all the spam I receive is being sent directly to my email address. However, sometimes in the body of the message (under the subject line) the sender is identified but the recipient cited is not my email address...it's the address of what I call "a phantom third party". If I view the complete header there's no listing of my email address anywhere. What I do see is a myriad of email addresses, as if I'd received some sort of "chain mail" that's been re-routed around the globe (which it most likely is).

So I have a few quick, related questions...and again, forgive me for sounding like a frenzied 3-year-old.

Where does email like that come from? Who is the original spammer? Is the sender an actual person, a "career spammer" on someone's payroll? Or is the sender a bogus alias being used by an electronic spamming device? And who is that "phantom third party"?

Not that any of my questions really matter because spam is spam and it's all garbage (lol). I'm just curious. :blush:


Options in sending email fields are

To: (Visible to recipient)

CC: (Carbon Copy, Visible to recipients)

BCC: (Blind Carbon Copy, *NOT* visible to recipients)


Where does email like that come from? Who is the original spammer? Is the sender an actual person, a "career spammer" on someone's payroll? Or is the sender a bogus alias being used by an electronic spamming device? And who is that "phantom third party"?

The only way one can tell where an email comes from is the IP address (in the glossary) of the computer that sent it. If it is an email server that serves a lot of customers, only the server admin of that IP address can identify which customer sent it. A great deal of spam is sent via botnets - computers where the actual owner has allowed infection by a trojan/virus to install a spam sending program. I am not entirely clear how they work, but still an actual person programs and initiates spam runs.

All spam is originated by an actual person. Most of them are sleazy characters; some are actual criminals (the phishing emails trying to get your bank account number or identification and credit card number - phish is probably also in the glossary). A few are irresponsible or ignorant people who do not use best practices for their mailing lists.

The sending name (in the FROM) is probably a name from the mailing list. Spammers use names and email addresses from their mailing lists to put in the FROM and return path. At some point in time you will get a bunch of out of office replies and non-delivery notices from server admins who do not reject email at the server, but screen it after acceptance and then return it or ignorant people who use the bogus bounces found in Mailwasher and other software. The reason is that the spammer has used your email address in the return path which is easily forged, unlike the receiving IP address. (Misdirected bounces in the glossary)

Some spammers have been identified - there is a list on spamhaus - I can't remember the acronym right now and don't feel like searching for it. I think it is ROSKO (Roster of Spammers Known to Operate? or maybe ROKSO - Roster of Known Spammer Operators?). There is a spammer advertising spamwares on YouTube - a recent topic on this forum - probably in the Lounge.

If you have questions about spam, you can either find the answer here in the FAQ or in the Spamcop wiki or a link to another anti-spam site. Lots of people, like me, can't find the answers to specific questions easily in FAQ. Lots of the articles are very technical (or were written by techies so that they don't make sense to non-technically fluent people). However, if you browse through them, and ask questions in the Lounge area, someone will help you to understand. It took me dozens of exchanges to understand the sequence of events of how an email is accepted or rejected. The most knowledgeable and helpful person is Wazoo. Don't be put off by his bluntness. Email is like automobiles. You don't have to be a mechanic to understand the concepts of how a car works or how to use it safely.

Miss Betsy


Options in sending email fields are

To: (Visible to recipient)

CC: (Carbon Copy, Visible to recipients)

BCC: (Blind Carbon Copy, *NOT* visible to recipients)

This, I already knew...and it doesn't really answer the questions I have...but thank you for posting a reply. :blush:

....If you have questions about spam, you can either find the answer here in the FAQ or in the Spamcop wiki or a link to another anti-spam site. Lots of people, like me, can't find the answers to specific questions easily in FAQ. Lots of the articles are very technical (or were written by techies so that they don't make sense to non-technically fluent people). However, if you browse through them, and ask questions in the Lounge area, someone will help you to understand. It took me dozens of exchanges to understand the sequence of events of how an email is accepted or rejected. The most knowledgeable and helpful person is Wazoo. Don't be put off by his bluntness. Email is like automobiles. You don't have to be a mechanic to understand the concepts of how a car works or how to use it safely.

That helped me quite a bit, and your suggestions will help me even more. It's a lot to assimilate, but I'd like a better understanding of the mechanics behind what I'm trying to help prevent. Thank you. :)


Where does email like that come from? Who is the original spammer? Is the sender an actual person, a "career spammer" on someone's payroll? Or is the sender a bogus alias being used by an electronic spamming device? And who is that "phantom third party"?

The return address you see in any e-mail message is like the return address on front of a piece of postal mail -- the sender can write in anything he likes and it will not prevent the delivery of the mail. The same actually also applies to the to-address in e-mail; the spammer can specify the recipient elsewhere in the transaction, and the to-address you see is simply not used for this purpose.

We can generally always tell what MACHINE the message has come from; without getting too far into it, this information is buried deep inside parts of the message that you don't see. SpamCop users work very hard to report spam back to the operators of these addresses.

We have a harder time telling what PERSON the message has come from, since these folks have developed shockingly intrusive and elaborate ruses for hiding their activity.

-- rick

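The "parts of the message that you don't see" in rick's reply are the Received: lines that every mail server adds to the top of the message as it handles it. The script below is an added example, not code from this thread or from SpamCop, showing how a source IP is recovered from those lines: only the lines written by servers you operate or whose operator you trust are believed, and the connecting IP recorded by the last believable one is the source. The message, host names (mail.example.com, mx1.example.net) and addresses are constructed for the example.

```python
import re
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the thread). Host names are invented; the IPs
# come from the RFC 5737 documentation ranges. Read the Received lines
# top-down: line 1 was written by our own server, line 2 by our provider's
# relay, and line 3 by the spammer's machine itself, which can write anything.
RAW_SPAM = """\
Received: from mx1.example.net (mx1.example.net [198.51.100.7])
\tby mail.example.com (Postfix) with ESMTP id 1A2B3C
\tfor <you@example.com>; Sun, 3 Aug 2008 05:30:01 -0400 (EDT)
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby mx1.example.net with SMTP id X9Y8Z7
\tfor <you@example.com>; Sun, 3 Aug 2008 17:29:55 +0800 (SGT)
Received: from friendlyhost.invalid (friendlyhost.invalid [10.0.0.5])
\tby 203.0.113.45 with ESMTP; Sun, 3 Aug 2008 17:20:00 +0800 (SGT)
From: Barrister Tom James <onomeqwe6@singnet.example>
To: someone-else@example.org
Reply-To: barrister_felox0@yahoo.example
Date: Sun, 3 Aug 2008 17:25:25 +0800 (SGT)
Subject: Urgent business proposal

Dear friend, ...
"""

# One hop looks like "from <helo> (<rdns> [<ip>]) by <host> ..."; re.S lets the
# pattern span the folded continuation lines.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+).*?\[(?P<ip>[0-9a-fA-F.:]+)\].*?\bby\s+(?P<by>\S+)",
    re.S,
)


def parse_hops(msg):
    """Return the Received chain newest-first, one dict per parsable hop
    (None for a line the pattern cannot read)."""
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        if m:
            hops.append({"helo": m["helo"], "ip": m["ip"], "by": m["by"].lower()})
        else:
            hops.append(None)
    return hops


def trace_source(raw, trusted_hosts):
    """Believe a Received line only if the host that wrote it (the 'by' host)
    is in trusted_hosts. Walking newest-first, the 'from' IP of the last
    believable line is the machine that handed the mail to our side: the
    source. Everything below that line was written by machines we do not
    control and may be pure fiction, as may From: and Reply-To:."""
    msg = message_from_string(raw)
    hops = parse_hops(msg)
    source_ip = None
    for hop in hops:
        if hop is None or hop["by"] not in trusted_hosts:
            break  # written by a machine we don't control: stop believing here
        hop["trusted"] = True
        source_ip = hop["ip"]
    for hop in hops:
        if hop is not None and "trusted" not in hop:
            hop["trusted"] = False
            # A private/reserved address in an untrusted hop is a common sign
            # that the line was fabricated rather than recorded.
            hop["private_ip"] = ipaddress.ip_address(hop["ip"]).is_private
    return {
        "source_ip": source_ip,
        "hops": hops,
        "claimed_from": parseaddr(msg.get("From", ""))[1],
        "reply_to": parseaddr(msg.get("Reply-To", ""))[1],
    }


if __name__ == "__main__":
    report = trace_source(RAW_SPAM, {"mail.example.com", "mx1.example.net"})
    print("source IP (reportable):", report["source_ip"])
    print("From: (unverified):    ", report["claimed_from"])
    print("Reply-To: (unverified):", report["reply_to"])
    for hop in report["hops"]:
        print(hop)
```

Only the first two hops are believed here, because only mail.example.com and mx1.example.net were named as trusted; the third line claims the mail came from a 10.0.0.5 address, but it was written by the spammer's own machine, so it counts for nothing. Real analyzers add more checks (that each hop's "by" host matches the previous hop's "from" host, that the IP is not on a known-bad list), but the trust rule is the same.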

We have a harder time telling what PERSON the message has come from, since these folks have developed shockingly intrusive and elaborate ruses for hiding their activity.

Thank you. I realize it's virtually impossible to trace the source of spam with the information provided in the headers. So basically it comes down to IP addresses and/or other cyber fingerprints that are above and beyond me. I've noticed in SpamCop reports that IPs can be the same for a number of different senders. I suppose that's what you mean by plugging in any email address for a sender. I'm also noticing that the same names, and variations of those names, keep popping up over and over again as senders (i.e., Jennifer, James, Betty, etc.), most likely because they're as common and generic as you can get. There just doesn't seem to be any end to these useless and annoying emails. :angry:

Yahoo is awful with regard to spam prevention. All you can do is individually add addresses to a "block" list that's capped at 500 (and believe me, I could fill that in a week) and create filters to redirect spam to folders other than your inbox. Hotmail is much better. I get virtually no spam there. Some friends who have Earthlink won't accept any emails from unknown senders unless they've first applied for acceptance and been granted permission. I've written to Yahoo several times over the past 2 years about implementing such a feature and their answer is always "it's in the developmental stages."

*sigh*


So basically it comes down to IP addresses and/or other cyber fingerprints that are above and beyond me.
Pretty much. One of the first lessons the spam investigator learns is not to waste time on any e-mail addresses he finds.

I've noticed in SpamCop reports that IPs can be the same for a number of different senders. I suppose that's what you mean by plugging in any email address for a sender. I'm also noticing that the same names, and variations of those names, keep popping up over and over again as senders.
I wonder whether you are confusing "IP address" with "e-mail address." The former is a number (e.g., 12.34.56.78) and generally belongs to a MACHINE. The latter is a text string with an "[at]" in the middle, and generally belongs to a PERSON. When we analyze a spam message, certain of the IP addresses that appear there are known to be reliable, and this is how SpamCop finds the source and generates reports. The e-mail addresses (e.g., "abuse at somewhere.foo") you see as the recipients of your report simply belong to people who control that address. They are not usually the spammers, and are often in fact fellow-victims (since their resources may have been stolen for use in crime).

Yahoo is awful with regard to spam prevention. All you can do is individually add addresses to a "block" list that's capped at 500 (and believe me, I could fill that in a week) and create filters to redirect spam to folders other than your inbox.
I would gently suggest that trying to block spam based on its from-addresses is pointless, because as you now know, spammers simply steal or make up these addresses, and do not reuse them consistently (if at all). Most providers have moved on to other filtering techniques (some involving IP addresses as I mentioned above).

Some friends who have Earthlink won't accept any emails from unknown senders unless they've first applied for acceptance and been granted permission. I've written to Yahoo several times over the past 2 years about implementing such a feature and their answer is always "it's in the developmental stages."
Some of us might hope that it will NEVER leave the development stages. This sort of thing is known as a "challenge/response filter," and while it does reject most spam, it can also reject honest mail (if the sender doesn't want to take the challenge), and when it challenges spam mail, the challenges are invariably sent to innocent parties. See this page, and scroll about halfway down for a discussion.

-- rick


I realize it's virtually impossible to trace the source of spam with the information provided in the headers.
I forgot to respond to this above.

Actually, the truth of this statement depends upon what you mean by "source" and "header." Services like SpamCop can accurately determine the machine (actually the IP address) responsible for having sent the message, and this address is what SC calls the "source." The information used for this does indeed come from the header, but a part of the header that is normally hidden from end-users. You can see these headers for yourself if you wish, but I wouldn't try it on an empty stomach.

I think that by "source" you mean the person who was responsible for launching the message. Finding these people is very hard, and quickly moves beyond the purely technical sphere into "real-world" police work.

-- rick


Options in sending email fields are

To: (Visible to recipient)

CC: (Carbon Copy, Visible to recipients)

BCC: (Blind Carbon Copy, *NOT* visible to recipients)

This, I already knew...and it doesn't really answer the questions I have

<snip>

...But it is an answer to this statement of yours, which petzl may either have taken to be an implied question or may have posted for the benefit of future readers of this Forum thread who don't already know the answer :) <g>:
<snip>

If I view the complete header there's no listing of my email address anywhere.

<snip>


Thank you. I realize it's virtually impossible to trace the source of spam with the information provided in the headers. So basically it comes down to IP addresses and/or other cyber fingerprints that are above and beyond me. I've noticed in SpamCop reports that IPs can be the same for a number of different senders. I suppose that's what you mean by plugging in any email address for a sender. I'm also noticing that the same names, and variations of those names, keep popping up over and over again as senders (ie: Jennifer, James, Betty, etc.) most likely because they're as common and generic as you can get. There just doesn't seem to be any end to these useless and annoying emails. :angry:
Someone else has already pointed out that IP addresses belong to the computer and email addresses belong to the person. When different names appear on the spam email (which you have guessed are pretty generic because the spammers hope someone will open them thinking it comes from the Jennifer, James, Betty that s/he knows), yet the IP address is the same, it probably is the same spammer sending them. What I was saying is that if it comes from an internet service provider with lots of customers, then one spammer can get the IP listed and the other customers who have not been spamming will also have their email blocked or tagged as spam (depending on how the server admin who uses the blocklist uses it) because they share the same IP. It doesn't happen as often nowadays because most server admins are very careful to prevent spammers from using their email computers. A very large proportion of spam comes from compromised computers where the owners don't know the computer is infected (just think it's slow now and then) and the spam is not sent through a legitimate email computer.

Yahoo is awful with regard to spam prevention. All you can do is individually add addresses to a "block" list that's capped at 500 (and believe me, I could fill that in a week) and create filters to redirect spam to folders other than your inbox. Hotmail is much better. I get virtually no spam there. Some friends who have Earthlink won't accept any emails from unknown senders unless they've first applied for acceptance and been granted permission. I've written to Yahoo several times over the past 2 years about implementing such a feature and their answer is always "it's in the developmental stages."

*sigh*

I have very good luck with yahoo in regards to catching spam. They are just as good as hotmail in my experience (extremely spammy mail is forwarded to both a yahoo account and a hotmail account and almost none of it gets through - not even to the junk mail folder). Are you sure that you have your spam filter turned on? Both hotmail and yahoo, however, catch legitimate email also which annoys me more than getting the spam because there is no way to know why.

Someone has already told you that Earthlink's challenge/response is NOT the answer. In addition, I once had occasion to email someone with an earthlink account several times a day. It often took hours for him to get an email.

If you don't mind changing email addresses, that keeps the spam down considerably. I have several accounts where I have turned off spam filtering and rarely get spam on any of them. However, I am extremely careful about giving out my email address. Usually, whenever they get spam, it is because the address has been harvested from a correspondent who has gotten a virus. If you don't want to be careful, then use the old spammy email address for any time you give out your email address and only use the new one for those people or businesses that you trust.

Miss Betsy


  • 2 weeks later...

Sorry, I hadn't had the chance to check this thread for more responses until now.

...I wonder whether you are confusing "IP address" with "e-mail address."....

I would gently suggest that trying to block spam based on its from-addresses is pointless, because as you now know, spammers simply steal or make up these addresses, and do not reuse them consistently (if at all)....

Most providers have moved on to other filtering techniques (some involving IP addresses as I mentioned above).

Some of us might hope that it will NEVER leave the development stages. This sort of thing is known as a "challenge/response filter." and while it does reject most spam, it can also reject honest mail....

I do know there's a difference between "IP address" and "email address", but in re-reading my original post I realize I wasn't too clear. I was referring to the "person" identified as the sender (the email address it was sent from), not the computer...but your response managed to address my thought even though it was unclear.

I also know blocking these addresses is pointless because they don't seem to ever come from the same email address. I just found it interesting that the same names and/or combinations of those names are used repeatedly. On that basis alone it's pretty easy for me to determine which emails are spam and which aren't.

I do use filters...but as you've said, filters will sometimes "think" a legitimate email is spam. For that reason I don't have my spam folder set to automatically delete itself before I get a chance to go through it. I like the idea of having unidentified emails returned automatically with a message asking that the sender state who they are so I can decide whether or not to add them to my contact list. I think that spammers would not take the time to respond and, hopefully, I'd be removed from their mailing list. On the other hand, anyone sending me a legitimate email would take the time to respond...and once I've added them as contacts their emails would always get through.

Thanks, Rick. And by the way...now that I'm learning more about all this, I should be much more "clear" as to what I mean in future posts. (At least I'm hoping that to be the case. We'll see, I guess.) :)


This, I already knew...and it doesn't really answer the questions I have

<snip>...But it is an answer to this statement of yours, which petzl may either have taken to be an implied question or may have posted for the benefit of future readers of this Forum thread who don't already know the answer :) <g>:

I think you may have misinterpreted my response to petzl. I'm sure I'm not the only one reading this thread and I understand the responses won't be for my benefit alone, but petzl didn't answer my question...and that was most likely because I didn't explain myself properly. I'm not very familiar with computer terminology (particularly with regard to "spam mechanics") so until I get a better understanding it will be difficult for me to be clear. I apologize for that and will try to be clearer. Eventually I will figure it all out because everyone here is helping me a great deal. :)

But back to the question petzl tried to answer for me...I originally wanted to post an example of what I was talking about. I didn't because the example contained email addresses. Even though they were addresses of spammers, I wasn't sure it would be appropriate to re-post them...so I just tried to explain myself to the best of my ability. However, I think the only way to be clear is to show you. I'd said: "...sometimes in the body of the message (under the subject line) the sender is identified but the recipient cited is not my email address...it's the address of what I call 'a phantom third party'." I was referring to emails like this one (copied from a recent spam email I've received):

Date: Sun, 3 Aug 2008 17:25:25 +0800 (SGT)

From: Barrister Tom James <onomeqwe6[at]singnet.com.sg>

Reply-To: barrister_felox0[at]yahoo.co.uk

In the above example, the "To:" is not my email address. When it appeared in my inbox I'm the designated recipient...yet in the email itself I'm not named as the recipient. Whoever that "To:" address belongs to is the "phantom third party". I get many spam emails like this one so I'm curious "who" that phantom third party is and its connection to the piece of spam. (Not this one specifically, but whoever "To:" is if it isn't me.) :blush:


....I have very good luck with yahoo in regards to catching spam. They are just as good as hotmail in my experience (extremely spammy mail is forwarded to both a yahoo account and a hotmail account and almost none of it gets through - not even to the junk mail folder). Are you sure that you have your spam filter turned on? Both hotmail and yahoo, however, catch legitimate email also which annoys me more than getting the spam because there is no way to know why.

Someone has already told you that Earthlink's challenge/response is NOT the answer. In addition, I once had occasion to email someone with an earthlink account several times a day. It often took hours for him to get an email.

If you don't mind changing email addresses, that keeps the spam down considerably. I have several accounts where I have turned off spam filtering and rarely get spam on any of them. However, I am extremely careful about giving out my email address. Usually, whenever they get spam, it is because the address has been harvested from a correspondent who has gotten a virus. If you don't want to be careful, then use the old spammy email address for any time you give out your email address and only use the new one for those people or businesses that you trust.

Yahoo is very good at catching spam...but I don't think it's as good at preventing spam as other servers may be. Of course there's no way to prevent spam completely so I'm not looking for a "miracle solution" from anyone. It was merely an observation. I cited "Earthlink" because it's the only one I've encountered so far that seems to have spam prevention measures...but I did not know that it can take hours for legitimate emails to get through them. The few times I've needed to apply for acceptance were for emails that didn't need to be received and responded to quickly. Thank you for pointing that out.

Actually, I hadn't thought about changing my email address. I have several accounts with hotmail and yahoo. My "real" one is an address reserved for family and friends. I also have one for "business" and a handful of "disposable addresses" that I use for forums and shopping online. Of course the disposable addresses receive tons of spam (as that's one of their purposes) but a large amount of spam reaches my protected email addresses as well. I think I will change my primary email address. It would definitely help. It would also be interesting to see how long it takes for spammers to catch up with me. :D


...But back to the question petzl tried to answer for me...I originally wanted to post an example of what I was talking about. I didn't because the example contained email addresses. Even though they were addresses of spammers, I wasn't sure it would be appropriate to re-post them...so I just tried to explain myself to the best of my ability. However, I think the only way to be clear is to show you. I'd said: "...sometimes in the body of the message (under the subject line) the sender is identified but the recipient cited is not my email address...it's the address of what I call 'a phantom third party'." I was referring to emails like this one (copied from a recent spam email I've received):

Date: Sun, 3 Aug 2008 17:25:25 +0800 (SGT)

From: Barrister Tom James <onomeqwe6[at]singnet.com.sg>

Reply-To: barrister_felox0[at]yahoo.co.uk

In the above example, the "To:" is not my email address. When it appeared in my inbox I'm the designated recipient...yet in the email itself I'm not named as the recipient. Whoever that "To:" address belongs to is the "phantom third party". I get many spam emails like this one so I'm curious "who" that phantom third party is and its connection to the piece of spam. (Not this one specifically, but whoever "To:" is if it isn't me.) :blush:

The "To:" address is usually some lucky person/persons on the spammer's list - the other recipients can be copy addressees (also from the list) or blind carbon copy (bcc) addressees (also from the list) and the latter are not visible in the received headers (which is how come you don't see your address in such cases).

If you want to learn more about this stuff and post useful examples for discussion, you should register as a reporter and post the tracking urls. Above, you are discussing the "To:" address without showing it. That will often/usually make things difficult. :P


Yahoo is very good at catching spam...but I don't think it's as good at preventing spam as other servers may be. Of course there's no way to prevent spam completely so I'm not looking for a "miracle solution" from anyone. <snip>

There are no servers that are good at preventing spam. The only way to prevent spam is to not allow spammers access to computers. Since much spam, nowadays, is criminal in nature, the spammers will try to evade any measures designed to prevent them from connecting to the internet - including using bribes and stealing the resources of innocent people (the zombie and botnets).

Actually, I hadn't thought about changing my email address.
If you do, use an alphanumeric one, C10ra, for instance. It helps to prevent the dictionary spammers from guessing an email address.

I have several accounts with hotmail and yahoo. My "real" one is an address reserved for family and friends. I also have one for "business" and a handful of "disposable addresses" that I use for forums and shopping online. Of course the disposable addresses receive tons of spam (as that's one of their purposes)
That's good practice. What I don't understand is your receiving 'tons' of spam at your hotmail and yahoo addresses. I have junk mail filtering turned off in both yahoo and hotmail accounts and the most I receive in a day is 4 or 5 (but not every day) in the one that has been the most exposed. In another account that once was published on the web, but is no longer, there are only about 10 spam a day. This latter account is with an ISP that does not filter as aggressively as hotmail and yahoo do (about 1/3 are marked "Possible spam"). When I think 'tons' of spam, I think 70 or 100 per day (which I once had on an account that I abandoned). <snip>
I think I will change my primary email address. It would definitely help. It would also be interesting to see how long it takes for spammers to catch up with me. :D
You don't have to change email service providers in order to change email addresses. And it will depend on how careful your family and friends are how long you are spam free. I went months with no spam until someone got a virus (that was back in the days before ISPs filtered viruses out). Soon after I got the virus stopped, I got the first spam. If someone in your family or friends is addicted to FW:FW: to an address book all those neat sayings and stories and jokes and uses the cc and not the bcc, your email address is probably in hundreds of computers. One of them gets infected and the spammer has your email address.

To respond to a statement from another post: challenge/response has several things against it from a 'spam mechanic' viewpoint (which if you are interested in learning 'spam mechanics' you will discover). If you want to filter out any but correspondents you want, then just block all but those on your whitelist. If you have a new correspondent, then whitelist him when you give him your email address.

The aim of 'spam mechanics' is to have an inbox to which all legitimate email goes and a junk mailbox where all the spam goes. petzl achieves this with his spamcop email account by a judicious tweaking of the filters and whitelists. It is better to have a few spam hit the legitimate inbox occasionally, than to have any false positives in the junk mail folder. One should never have to look at spam! And, it is difficult to find 'real' mail.

Miss Betsy


I like the idea of having unidentified emails returned automatically with a message asking that the sender state who they are so I can decide whether or not to add them to my contact list. I think that spammers would not take the time to respond and, hopefully, I'd be removed from their mailing list. On the other hand, anyone sending me a legitimate email would take the time to respond...and once I've added them as contacts their emails would always get through.
I like this idea, too. Unfortunately, it is horribly abusive to strangers.

As you now know, spam messages virtually always contain stolen or fake e-mail addresses in the From: field. If you "return automatically" back to these addresses, you will be mailing things to people who do not know you, did not contact you, and did not send you any spam. This will happen virtually every time you receive a spam message. Meanwhile, the spammer responsible for the mess will never see your bounces at all, because (of course) he hasn't provided a suitable return address.

About 2-3 times a year, my e-mail address is "borrowed" by spammers to put into their mailings, and each time this happens I get anywhere from dozens to hundreds of misdirected bounces over the course of a week or so. Probably these bounces include quite a few of the challenge messages you are talking about, but I can't tell because I don't have time to read them all. I bundle them all up and report them through SpamCop. So, if you should someday use one of these filters, don't be surprised if you wind up on the wrong end of a spam complaint.

I cited "Earthlink" because it's the only one I've encountered so far that seems to have spam prevention measures...
Earthlink cannot prevent spam any more than anyone else. At best, they can block it. In order to prevent spam, you need to be on hand with a policeman when the spammer is actually doing it. And, if Earthlink is using C/R filtering, then they are actually DOUBLING the load of unwanted e-mail, because they send out a pointless challenge message for every spam mail they receive. Many of those bogus challenges wind up in the inboxes of people like you and me.

-- rick


I was referring to emails like this one (copied from a recent spam email I've received):

Date: Sun, 3 Aug 2008 17:25:25 +0800 (SGT)

From: Barrister Tom James <onomeqwe6[at]singnet.com.sg>

Reply-To: barrister_felox0[at]yahoo.co.uk

In the above example, the "To:" is not my email address. When it appeared in my inbox I'm the designated recipient...yet in the email itself I'm not named as the recipient. Whoever that "To:" address belongs to is the "phantom third party". I get many spam emails like this one so I'm curious "who" that phantom third party is and its connection to the piece of spam. (Not this one specifically, but whoever "To:" is if it isn't me.)

You haven't shown the "To:" field, you showed the "Reply-To:" field. The Reply-To is simply an alternative return address. In other words, the message "came from" singnet.com.sg (or so we are supposed to think), but he is requesting replies to be directed to yahoo.co.uk. This looks like a 419 or advance-fee-fraud mailing, the sort that frequently does include a valid return address (because the con-man depends upon return e-mail in order to identify and hook his targets).

In all other types of spam (e.g., drugs, watches, diplomas), it is usually a complete waste of time to pay any attention to e-mail addresses found in spam messages. Trying to find meaning in these makes about as much sense as trying to identify people by looking at the names printed on their clothing. You will very quickly conclude that half the population is named either Levi Strauss or Tommy Hilfiger or Big Dog.

-- rick

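Two points raised in this thread can be checked against a raw message: why your own address can be missing from the visible headers (the Bcc explanation above, where the real recipient list is given to the server separately and only your own server's Received: line records whom it delivered to), and rick's point that Reply-To: is a second, independently chosen return address. The script below is an added example, not code from the thread or from SpamCop; the message, the addresses and the server name mail.example.com are constructed.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample (not from the thread): a 419-style mail delivered to
# you@example.com via the SMTP envelope (the Bcc case). Your address appears
# only in the "for <...>" clause that your own server wrote into its Received:
# line; the visible To:/Cc: name other people entirely.
RAW = """\
Received: from mx.spammy.example (mx.spammy.example [203.0.113.9])
\tby mail.example.com (Postfix) with ESMTP id 7F8E9D
\tfor <you@example.com>; Sun, 3 Aug 2008 05:30:01 -0400 (EDT)
Date: Sun, 3 Aug 2008 17:25:25 +0800 (SGT)
From: Barrister Tom James <onomeqwe6@singnet.example>
Reply-To: barrister_felox0@yahoo.example
To: third.party@example.org
Cc: Other Person <other.person@example.org>
Subject: URGENT AND CONFIDENTIAL

Dear friend, ...
"""

FOR_RE = re.compile(r"\bfor\s+<([^>]+)>")
BY_RE = re.compile(r"\bby\s+(\S+)", re.S)


def envelope_recipients(msg, trusted_host):
    """Recover the envelope (RCPT TO) address from the 'for <...>' clause of
    Received: lines written by a server we control. Only that clause reflects
    whom the mail was actually delivered to; From:, To:, Cc: and Reply-To: are
    free text chosen by the sender."""
    found = []
    for value in msg.get_all("Received", []):
        by = BY_RE.search(value)
        if by and by.group(1).lower() == trusted_host.lower():
            found.extend(a.lower() for a in FOR_RE.findall(value))
    return found


def visible_recipients(msg):
    """Everyone named in To: and Cc:, i.e. the recipients the sender chose to
    display. Bcc recipients are, by design, not listed here."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr.lower() for _, addr in pairs if addr]


def explain_recipient(raw, my_address, trusted_host):
    """Summarise how a message reached my_address and where replies would go."""
    msg = message_from_string(raw)
    me = my_address.lower()
    env = envelope_recipients(msg, trusted_host)
    vis = visible_recipients(msg)
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    return {
        "delivered_to_me": me in env,
        "named_in_to_or_cc": me in vis,
        # Delivered to me but not shown: Bcc or a bulk mailing with a
        # decorative To: line. The To: address is just another list entry.
        "bcc_or_bulk": me in env and me not in vis,
        "visible_to": vis,
        "from": from_addr,
        "reply_to": reply_to,
        # A Reply-To: that differs from From: sends replies to a mailbox the
        # sender actually reads, regardless of what From: claims.
        "replies_go_elsewhere": bool(reply_to) and reply_to != from_addr,
    }


if __name__ == "__main__":
    for key, value in explain_recipient(RAW, "you@example.com", "mail.example.com").items():
        print(f"{key:>22}: {value}")
```

Run as a script it reports that the mail was delivered to you@example.com without that address appearing in To: or Cc:, and that a reply would go to the Reply-To: mailbox rather than the From: one. The "for <...>" clause is optional and some servers omit or suppress it, in which case the only remaining evidence of the envelope recipient is the server's own delivery log.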

Archived

This topic is now archived and is closed to further replies.
