WeekEnd Feature:
Cue me a Reggae beat!
by Ian Thompson, CCSP Staff Editor
May 22, 2004
“We're spamming,
I wanna spam it with you,
We're spamming, spamming,
And I hope you like spamming too.”
“Ain't no rules, ain't no vow, we can do it anyhow,
I and I will see you through,
'Cos every day we pay the price with a little sacrifice,
Spamming 'cos the spam gets through.”
Etc…
Thus spake the Lord, and verily all the spammers of the world did listen and obey - especially the bit about no rules. Even though Bob never meant it this way…
And the people bowed and prayed to a neon god they made…
Okay, so I’ll stop with the song lyrics, otherwise people might get mad with me in a legal sense…
However, the problem of spam is getting worse, not better, since all those new-fangled laws about preventing it were set up. You see, a law doesn’t actually stop anything; it just makes a framework for punishing the people who get caught breaking it.
‘Getting caught’ is the issue here. Because investigation and so on requires time and effort, the success rate in catching spammers is low and won’t really climb higher unless they all start to become seriously stupid in the way they hide their identity.
It’s a bit like a recent piece of local legal nonsense passed in my fair city. Local bylaws were never the most sensible, but the Council recently decreed that there would be a £50 fine for anyone dropping a cigarette butt. How are they going to police this one? It’s not as if there are even any wardens out enforcing the £200 penalty for letting your dog poop all over the place… Possibly the only way they could get anyone is if CCTV spot a driver chucking something out of their vehicle, which could give a number plate to trace.
Holes in this argument? Ciggy butts are tiny and CCTV ain’t that clear; estimates are something of the order of 15% of all vehicles hereabouts are not registered to their current ‘keepers’ (to avoid tax, insurance etc); the courts are already too busy dealing with pensioners who cannot afford to pay their local council tax; prisons are too full because those who speed or don’t get their parking tickets paid in time are going there (whilst burglars, muggers and the rest are going free).
Anyone spot a point leaving this article a while back?
Okay, so I got a bit sidetracked there. However, if legislation isn’t working (though it may be too early to tell this right now), what else can be done?
Of all my email accounts with my various providers, I only use spam filtering on two. My ISP provides the first, which intervenes at the server and puts things into a ‘Bulk’ mailbox. These filters are supposed to learn from their mistakes in accordance with my (seemingly continuous) corrections to its initial choices.
However, two senders always get filtered as spam. One is the regular newsletter from the makers of the excellent SwiSH animation software, a low cost, highly capable Flash imitator. No matter what I tell the filters, they always get binned. The other is a friend down in Plymouth, who has used several ISPs over the years, but seems to have fallen foul of this ‘improvement’ since he switched to Tesco.net, a superstore spinoff.
I know that there are blacklists and so on – usually these are correct – but for some reason my ISP email service seems to think that these two are permanently suspect and refuses to heed my advice that they are not spam. I’m getting tired of moving them from one mailbox to another. So, after hoping that the system would learn, I’ve just told them to use a different account… To rub salt into the wound, so to speak, this account never receives any real spam of any kind.
SpamPal
The other account is one that has been active since the world wide web was still in short pants – over a decade now, still going strong. The reason that I filter this one is because it’s the only one on which any true spam arrives. It’s the addy I use for all forum work, for all newsgroup stuff (even though I munge it to foil the harvestbots) and is the only one I have ever declared on any web sites I’ve had any hand in. As such, this address is probably on every spammer’s list by now. Now aside from never reading or replying to any of these (you know about the ‘Remove Scam’, don’t you?), there are a few other things I try on occasion.
I use a neat utility called SpamPal. This is a Freeware filter that sits between your email reader software and your ISP (it can’t do webmail accounts, but pretty much everything else is okay). You effectively change the connection to insert SpamPal into the chain so that your reader requests the mail from SpamPal, and that in turn goes to your ISP on your behalf. So, it’s a tiny bit more fiddly to set up than most of the commercial stuff, but the website contains instructions for a multitude of reader software and in reality the process takes no longer than five minutes.
SpamPal then checks the email against any number of known lists of spammers. This includes the ability to blanket ban email from particular countries and ISPs, or if the message has come via known spam relays and open servers, or even if it uses known exploits within the message. Personally, I use the Spamhaus SBL + XBL, Composite Blocking List, ORDB, DSBL, SpamRBL and Blitzed lists, plus a few country-specific blocks. It generally increases the time to download the emails on this account by about 200% whilst all these lists are checked. After checking, each email header contains the results of the process, plus the pass/fail scores – quite interesting to see how even legitimate stuff that gets through is also assessed.
What makes SpamPal even cleverer is the expansion options that are available, developed by a dedicated team of users. There are loads to try, including ones to analyse any email or web address within the message body (as opposed to just the header), but some rest firmly in the ‘experimental’ camp and could chuck many legitimate emails away by mistake. Plus, if I fancy a delve into the seedy world of dodgy drugs, hot software and ‘personal services’, I can quickly check the Delete bin to make sure it really should be gone.
If a message is found to be spam, the subject line is altered to include a codeword (like ***SPAM***), and all that’s left is to create a mail rule to automatically move anything with this into the Delete bin (plus set that to empty on exiting the reader). Result? 99% of all spam is now blocked. Of all the email I get on that old account, I can only recall seeing a handful of real spam items get through.
And nothing has been flagged in error. SpamPal is actually a lot better than my ISP’s filter.
rDNS – SamSpade, CentralOps and the rest.
The other day a message sat in my Delete bin, duly tagged, but without the usual ‘instant bin’ features that I would normally look for. Whenever I want to check out a message like this, I never open it. Instead, I check the message properties, and then choose the option to read the source. This prevents any HTML code or suchlike from actually being run. BTW, you have disabled the Preview/Read pane, haven’t you? No? Well do so, to prevent the message from being automatically opened and run on selection. Simply opening an HTML message can be enough to let the sender know you are a ‘live one’ – cue more spam – or worse, like downloading malware of all sorts. As a rule, I always use plain text for email…
I read the message, apparently thanking me for ordering an IBM laptop valued at £1099, etc. It was clearly spam – the sender had used a block of addresses hidden in the headers that simply listed me among others back at a place I used to frequent all those years ago. I don’t know what set me off on this more than any other message, but I decided to give it ‘the works’ and dig a bit more.
I use a combination of SamSpade and CentralOps Domain Dossier (not dodgy in any way) to dig for the owner and system information. Or at least those parts that were declared when registering the domain name, for example. SamSpade can parse the email headers, plus give me various options to check each step out, including the validity of any servers used on the journey between here and there. CentralOps gives me very comprehensive information about the owner, provider and the rest.
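The two checks described here and in the SpamPal section above, as an added Python example that is not the article’s own code and not SpamPal’s or SamSpade’s: it reads a message source, walks the Received: chain doing a reverse-DNS (PTR) check on each relay, queries DNS blocklists for every relay address, and tags the Subject with ***SPAM*** plus a report header. The message, relay addresses and DNS answers are all constructed (a stub resolver stands in for real DNS, so the script runs offline); the Spamhaus and CBL zone names are the published ones.

```python
"""Added example (not the article's, SpamPal's or SamSpade's code): a minimal
rDNS + DNSBL check over a message's Received: chain, tagging the Subject the
way SpamPal does.  DNS is pluggable so it runs offline on a constructed message.
"""
import re
from email import message_from_string
from email.message import Message
from typing import Callable, Dict, List, Optional

# Zones for three of the lists the article names (Spamhaus SBL and XBL, CBL).
DNSBL_ZONES = ["sbl.spamhaus.org", "xbl.spamhaus.org", "cbl.abuseat.org"]
TAG = "***SPAM***"

# "from HELO-NAME (claimed-rdns [1.2.3.4])" as most MTAs write it; the claimed
# name may be empty or "unknown" when reverse DNS failed at that relay.
RECEIVED = re.compile(
    r"from\s+(\S+)\s+\(([^\s\[]*)\s*\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.I)

# resolve(name, rrtype) -> first answer as text, or None if there is no record
Resolver = Callable[[str, str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """DNSBL lookup name: IPv4 octets reversed, list zone appended."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def reverse_ptr_name(ip: str) -> str:
    """Name to query for the reverse DNS (PTR) record of an IPv4 address."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def check_dnsbls(ip: str, resolve: Resolver, zones=DNSBL_ZONES) -> Dict[str, str]:
    """Return {zone: answer} for each zone listing ip (listed = answer in 127/8)."""
    hits = {}
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone), "A")
        if answer and answer.startswith("127."):
            hits[zone] = answer
    return hits


def hops_from_source(raw: str) -> List[Dict[str, str]]:
    """Parse Received: headers; index 0 is the relay nearest us, -1 the origin."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED.search(" ".join(value.split()))  # unfold the header first
        if m:
            hops.append({"helo": m.group(1), "claimed": m.group(2), "ip": m.group(3)})
    return hops


def assess(raw: str, resolve: Resolver) -> Message:
    """Annotate a message with rDNS and DNSBL results; tag the Subject if listed."""
    msg = message_from_string(raw)
    report, listed = [], False
    for hop in hops_from_source(raw):
        # rDNS check: the PTR name should agree with what the relay claimed.
        ptr = resolve(reverse_ptr_name(hop["ip"]), "PTR")
        names = {hop["helo"].lower(), hop["claimed"].lower()}
        rdns_ok = ptr is not None and ptr.rstrip(".").lower() in names
        report.append(f"{hop['ip']} helo={hop['helo']} ptr={ptr or 'none'} "
                      f"{'ok' if rdns_ok else 'MISMATCH'}")
        for zone, answer in check_dnsbls(hop["ip"], resolve).items():
            report.append(f"{hop['ip']} listed in {zone} ({answer})")
            listed = True
    if listed:
        subject = msg.get("Subject", "")
        del msg["Subject"]
        msg["Subject"] = f"{TAG} {subject}"
    msg["X-Spam-Report"] = "; ".join(report)
    return msg


# Constructed sample: one hop from the ISP's own relay, one from the origin
# host, which has no rDNS and (in the stub DNS below) sits on the XBL.
SAMPLE_MESSAGE = """\
Received: from mail.isp.example (mail.isp.example [192.0.2.10])
\tby pop.isp.example with SMTP; Sat, 22 May 2004 09:00:00 +0100
Received: from laptop-deals.example (unknown [203.0.113.77])
\tby mail.isp.example with ESMTP; Sat, 22 May 2004 08:59:00 +0100
From: "Sales" <sales@laptop-deals.example>
To: ian@example.org
Subject: Thank you for your order

Thank you for ordering an IBM laptop valued at 1099 pounds.
"""

# Stub DNS standing in for real lookups (constructed answers, not a resolver).
FAKE_DNS = {
    ("10.2.0.192.in-addr.arpa", "PTR"): "mail.isp.example.",
    ("77.113.0.203.xbl.spamhaus.org", "A"): "127.0.0.4",
}


def fake_resolve(name: str, rrtype: str) -> Optional[str]:
    return FAKE_DNS.get((name, rrtype))


if __name__ == "__main__":
    tagged = assess(SAMPLE_MESSAGE, fake_resolve)
    print(tagged["Subject"])
    print(tagged["X-Spam-Report"])
```

Only the hop recorded by your own provider’s server can be trusted; every Received: line below it was written by machines the sender controlled, so a forged chain is routine and the rDNS mismatch on an inner hop is itself a useful signal rather than proof of anything. A real deployment would swap `fake_resolve` for a DNS library call and cache answers, since, as the article notes, querying several lists per message roughly triples download time.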
So now I know that someone (named) residing in part of Nottingham, UK, registered the domain from which this message originated with Verio on 18 May 2004, in the name of an electronics company in London. I have a contact number (mobile – it looks like a pay-as-you-go dial prefix, non-contract job and could be hard to trace), a valid address that checks out against the UK electoral roll, and a couple of email addresses – the Hotmail one that is being used as a return address (as usual), plus a personal one on Yahoo.co.uk that seems to be correct. Copies to the various relevant ‘abuse@’ addresses should sort things out. Maybe Nottingham’s Trading Standards guys could pay a visit too?
The point of this is: if I can find out so much in 10 minutes about someone who (apparently) is sending spam that seems to be an attempt to defraud individuals, maybe there will soon be a raft of news stories reporting how spammers are now being brought to book under the new laws? Nah – too many cig butt droppers to fine.
“We're spamming; To think that spamming was a thing of the past; We're spamming, spamming; And I know that spam is gonna last” Sorry Bob…
cheers, Ian
by Ian Thompson ComputerCops Staff Editor
Ian Thompson is a Network Manager of a 500-PC, 9-server, 1700-user school network and is an ICT teacher at a UK high school near the city of Leeds. He has written articles for the Hutchinson Encyclopedia, plus many resources in support of teaching ICT in the UK schools' National Curriculum.
Copyright © Ian Thompson All Rights Reserved 2004.
Posted on Saturday, 22 May 2004 @ 10:27:09 EDT by phoenix22