Tuesday, March 14, 2006

Everything You Should Know About SPAM. Part II

The Damage
Mailing costs a spammer nothing, but SPAM can cause serious damage to the receiver. SPAM hampers the work of information systems and resources because it creates useless load. Moreover, network users have to spend a lot of time filtering out useless advertisements. To avoid this, users need to install anti-SPAM filters, which can also delete important e-mails by mistakenly recognizing them as SPAM. SPAM can also be used for ‘black PR’ and to spread computer viruses.

How to Fight SPAM
Perhaps the most effective way to fight SPAM is not to let spammers know your e-mail address. This can be hard to achieve, but some precautionary measures can be taken.
• Do not publish your e-mail address on web sites or in Usenet groups unless it is necessary.
• Do not register on suspicious sites. If a useful site requires registration, you can give a temporary e-mail address that you won’t use again.
• Never answer SPAM and never visit the links it contains. If you do, you confirm that the e-mail address is in use and will receive more SPAM.

There is special software for detecting SPAM automatically (so-called SPAM filters). It is developed for both end users and servers. This software works according to two main principles:
1. A letter’s content is analyzed and a conclusion is made as to whether the letter is SPAM or not. If the letter is classified as SPAM it can be marked, moved to another folder or deleted. Such software can work on both a server and a client’s PC. With this approach you will not see the filtered SPAM, but you will still have some expenses, because the anti-SPAM software receives every SPAM letter (spending your money) and only then decides whether to show it or not.
2. The second principle is to identify the sender as a spammer without checking the content of the letter. This software can work only on the server that receives letters directly. This approach can reduce costs, as money is spent only on communication with spammers’ mail programs (i.e. on refusing to accept letters) and on querying other servers (if required) during the check. But the gain will not be as big as you may expect. If a receiver refuses to accept a letter, spammer programs try to get around the protection and send the letter in a different way. Every such attempt has to be repelled separately, which increases the load on the server.
The place where the anti-SPAM software is installed (an end user’s PC or, for example, the provider’s mail server) determines who bears the SPAM filtration expenses. If an end user filters SPAM, he bears the expenses, as he receives all letters including SPAM. If the server filters SPAM, the user bears no expenses because he receives only useful letters, and all the expenses are borne by the server’s owner.

Black Lists
Black lists include the IP addresses of computers that are known to spread SPAM. Lists of PCs that can be used for mailing (‘open relays’ and ‘open proxies’), as well as ‘dialup’ lists, are also available. One can use a local list or a list maintained by somebody else. Black lists that are queried via the DNS service are widely popular. They are called DNSBL (DNS Black List). Today this method is not very effective. Spammers find new PCs for their purposes faster than those PCs are added to black lists. Besides, a couple of computers that send SPAM can compromise a whole mail domain, and thousands of law-abiding users will not be able to send e-mails to servers that use such black lists.
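
How a receiving server can ask a DNSBL about a sending address, as an added example that is not part of the original article. The zone name dnsbl.example, the stand-in resolver and its sample data are constructed assumptions; the reversed-address query name and the 127.0.0.0/8 answer range follow the usual DNSBL convention.

```python
import ipaddress

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")  # DNSBL answers live in this range


class NXDomain(Exception):
    """Raised by the resolver when the queried name does not exist."""


def dnsbl_query_name(ip, zone):
    """Reverse the address (octets for IPv4, nibbles for IPv6) and append the zone."""
    reverse = ipaddress.ip_address(ip).reverse_pointer
    labels = reverse.rsplit(".", 2)[0]   # drop "in-addr.arpa" or "ip6.arpa"
    return f"{labels}.{zone}"


def check(ip, zone, resolve):
    """Return 'listed', 'not listed' or 'unknown' for one sending address."""
    try:
        answers = resolve(dnsbl_query_name(ip, zone))
    except NXDomain:
        return "not listed"              # no record means the list does not know the IP
    except OSError:
        return "unknown"                 # timeout or resolver failure is not a verdict
    if any(ipaddress.ip_address(a) in LISTED_RANGE for a in answers):
        return "listed"
    return "unknown"                     # answer outside 127/8: zone is broken or parked


# Constructed zone data standing in for real DNS (hypothetical zone "dnsbl.example").
FAKE_ZONE = {
    "10.2.0.192.dnsbl.example": ["127.0.0.2"],
    "7.100.51.198.dnsbl.example": ["203.0.113.5"],
}


def fake_resolve(name):
    """Assumed resolver interface: return A records or raise NXDomain."""
    if name not in FAKE_ZONE:
        raise NXDomain(name)
    return FAKE_ZONE[name]


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11", "198.51.100.7"):
        print(ip, check(ip, "dnsbl.example", fake_resolve))
```

Treating a lookup failure or an out-of-range answer as "unknown" rather than "listed" keeps a broken list from blocking legitimate mail.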

Mail Servers Authorization
There are many different ways to confirm that the PC sending letters ‘has the right’ to do so (Sender ID, SPF, Caller ID, Yahoo DomainKeys). However, these technologies sometimes limit mail servers’ functionality:
• Forwarding letters automatically from one mail server to another (SMTP forwarding) can become impossible.
• Providers follow a policy under which clients can make SMTP connections to the provider’s servers only. In this case mail server authorization is impossible or hard to perform.

Grey Lists
The ‘grey lists’ method is based on the fact that software designed to send SPAM ‘behaves’ differently from ordinary mail servers: spammer programs do not retry sending an e-mail if a temporary error occurs, as the SMTP protocol requires.
At first, all unknown servers are placed on the grey list and letters from them are not accepted. A temporary error code is sent to the sender’s server, so ordinary letters (not SPAM) are not lost, but their delivery is delayed (they wait in the queue and are delivered on the next try). If the server behaves as expected, it is automatically placed on the white list and all subsequent letters are accepted without any delay.
With this method up to 90% of SPAM is filtered without much risk of losing important letters. However, it is not perfect.
• Some letters sent by servers that do not fulfill the SMTP protocol requirements can be filtered out by mistake.
• The delivery delay can be up to half an hour (or even more), which can be unacceptable for urgent correspondence.
• Big mail services use several servers with different IP addresses. Moreover, a number of servers may try to send one and the same letter in turn. This can cause very long delays in delivery.
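
The grey list decision described above, as an added example that is not part of the original article. Keying pending entries on (client IP, sender, recipient), the 5-minute minimum delay and the 4-hour expiry are assumptions; the sample traffic is constructed.

```python
from dataclasses import dataclass, field

MIN_DELAY = 300          # assumed: a retry sooner than 5 minutes is still deferred
PENDING_TTL = 4 * 3600   # assumed: a pending entry is forgotten after 4 hours
TEMPFAIL = "451 4.7.1 Greylisted, try again later"
ACCEPT = "250 2.0.0 OK"


@dataclass
class Greylist:
    pending: dict = field(default_factory=dict)   # triplet -> time first seen
    whitelist: set = field(default_factory=set)   # IPs that retried correctly

    def check(self, client_ip, sender, recipient, now):
        """Return the SMTP reply for one delivery attempt at time `now` (seconds)."""
        if client_ip in self.whitelist:
            return ACCEPT
        triplet = (client_ip, sender.lower(), recipient.lower())
        first_seen = self.pending.get(triplet)
        if first_seen is None or now - first_seen > PENDING_TTL:
            self.pending[triplet] = now           # unknown or expired: start the clock
            return TEMPFAIL
        if now - first_seen < MIN_DELAY:
            return TEMPFAIL                       # retried too quickly, keep deferring
        del self.pending[triplet]
        self.whitelist.add(client_ip)             # behaved as SMTP requires
        return ACCEPT


def replay(attempts):
    """Feed (time, ip, sender, recipient) attempts to a fresh greylist; return reply codes."""
    greylist = Greylist()
    return [greylist.check(ip, s, r, t)[:3] for t, ip, s, r in attempts]


# Constructed sample traffic (documentation address ranges, not real hosts).
ATTEMPTS = [
    (0, "192.0.2.10", "news@example.org", "bob@example.net"),     # real server, first try
    (5, "198.51.100.7", "win@example.com", "bob@example.net"),    # sender that never retries
    (60, "192.0.2.10", "news@example.org", "bob@example.net"),    # retry, too early
    (900, "192.0.2.10", "news@example.org", "bob@example.net"),   # proper retry
    (905, "192.0.2.10", "news@example.org", "amy@example.net"),   # whitelisted, no delay
    (1800, "192.0.2.11", "news@example.org", "bob@example.net"),  # same service, other IP
]

if __name__ == "__main__":
    for attempt, code in zip(ATTEMPTS, replay(ATTEMPTS)):
        print(attempt, "->", code)
```

The last attempt is the multi-server drawback from the list above: the same letter retried from a different IP address starts the waiting period again.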

Statistical Methods of SPAM Filtration
These methods use statistical analysis of the letter’s content to decide whether it is a SPAM letter. The greatest success has been achieved with algorithms based on Bayes’ theorem. Statistical methods of SPAM filtration require ‘teaching’ the filters, that is, using manually sorted letters to determine the statistical features of ordinary letters and of SPAM. This method can remove up to 95-97% of SPAM.
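
A small Bayes filter that is ‘taught’ on manually sorted letters, as an added example that is not part of the original article. It is a naive Bayes classifier with add-one smoothing, one common way to apply Bayes’ theorem to this task; the training letters and the tokenizer are constructed assumptions.

```python
import math
import re
from collections import Counter

WORD = re.compile(r"[a-z0-9]+")


def tokens(text):
    """Distinct lower-cased words, so a repeated word is counted once per letter."""
    return set(WORD.findall(text.lower()))


class BayesFilter:
    def __init__(self):
        self.docs = {"spam": 0, "ham": 0}                  # letters seen per class
        self.words = {"spam": Counter(), "ham": Counter()}  # letters containing a word

    def train(self, text, label):
        self.docs[label] += 1
        self.words[label].update(tokens(text))

    def spam_probability(self, text):
        """P(spam | words) by Bayes' theorem, treating words as independent."""
        log_odds = math.log(self.docs["spam"]) - math.log(self.docs["ham"])  # prior
        for word in tokens(text):
            # Add-one smoothing: a word unseen in one class must not zero the product.
            p_spam = (self.words["spam"][word] + 1) / (self.docs["spam"] + 2)
            p_ham = (self.words["ham"][word] + 1) / (self.docs["ham"] + 2)
            log_odds += math.log(p_spam) - math.log(p_ham)
        return 1 / (1 + math.exp(-log_odds))


# Constructed, manually sorted training letters.
TRAINING = [
    ("Cheap pills online, buy now and save money", "spam"),
    ("You have won a prize, claim your money now", "spam"),
    ("Buy cheap watches, limited offer, click now", "spam"),
    ("Urgent: confirm your bank account to claim your prize", "spam"),
    ("Meeting moved to Tuesday, see agenda attached", "ham"),
    ("Can you review the report before the meeting", "ham"),
    ("Lunch on Friday? Let me know your schedule", "ham"),
    ("The server report for your account is attached", "ham"),
]


def trained_filter():
    bayes = BayesFilter()
    for text, label in TRAINING:
        bayes.train(text, label)
    return bayes


if __name__ == "__main__":
    bayes = trained_filter()
    for letter in ("Claim your cheap prize now", "Please review the agenda before the Tuesday meeting"):
        print(f"{bayes.spam_probability(letter):.3f}  {letter}")
```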

Other Methods
• General tightening of the requirements for letters, for example refusing to accept letters with a wrong sender address (letters from domains that do not exist), checking the domain name against the IP address of the computer from which the letter is sent, etc. These measures are in fact history and are not taken seriously today. They filter only the most primitive SPAM, a very low percentage.
• “Call-Answer” types of systems, etc.

Everything You Should Know About SPAM. Part I

SPAM involves sending nearly identical messages (usually advertisements) to thousands of recipients.

Most Common Kinds of SPAM

Advertising
Advertising is the most common and popular kind of SPAM among spammers. Some companies that run a legal business advertise their products or services using SPAM. Such advertising is relatively cheap and targets many potential customers. If the advertising delivery is properly organized, SPAM can increase sales effectiveness without harming users.

Advertisements for Illegal Goods
Products such as pornography, medicine produced in small lots, stolen information (e.g. databases), etc. are often advertised with the help of SPAM.

‘Nigerian Letters’
SPAM is also used to swindle money out of the receiver. Such letters are called ‘Nigerian Letters’ because of their origin. They work on the following principle: the receiver is informed that he can get a large sum of money and that the sender can help with it. Then the sender asks for some money for paperwork, opening an account, etc. If the receiver gives this money, he will never hear a word from the sender again.

Phishing
Phishing is a spammer’s attempt to swindle the recipient out of credit card numbers or passwords for access to his online payments. These letters are usually disguised as an official notification from the bank’s administration. They ‘inform’ the receiver that he must confirm his personal data; otherwise his account will be blocked. A site address (which belongs to the spammers) and a form to be filled in are included.

Other Kinds of SPAM
• Delivery of religious letters.
• Mass mailing in order to knock out a mail system (denial of service).
• Mass mailing on behalf of another person with the aim of provoking a negative attitude towards that person.
• Mass mailing of computer viruses (for their initial spreading).

There are two types of mass mailing that are not considered SPAM because they are not deliberate. However, they cause the same (if not more serious) problems for network administrators and end users.
• Computer viruses of a certain type (mail worms) spread via e-mail. When such a worm infects a PC, it searches for e-mail addresses and sends itself to these addresses.
• Mail worms put random e-mail addresses (from those found on the infected PC) in the ‘From’ field. Badly tuned antivirus programs on other PCs send a notification about the found virus to this address. As a result, lots of people receive notifications that they are spreading viruses, when in reality they are not.

Ways of Spreading SPAM
SPAM is spread mostly via e-mail. Today, the share of viruses and SPAM in overall e-mail traffic is about 85-95 percent.
Spammers collect e-mail addresses with the help of a special robot or (seldom) manually, using web pages, Usenet conferences, mailing lists, guest books, chats, etc. A robot program is able to collect thousands of addresses per hour and create a database for further SPAM mailing. Some companies send their clients’ e-mail addresses to spammers. Another way to get a list of valid e-mail addresses is to generate a huge random list of e-mail addresses (from a thousand to a million) according to defined templates and then check their validity with a special validation program.
SPAM is sent from badly protected PCs connected to the Internet. These can be:
• Servers that are misconfigured in such a way that they relay mail freely (open relay, open proxy);
• Web mail servers that permit anonymous access or access with simple new-user registration (which can be done by special robot programs);
• Zombie computers. Some spammers use known vulnerabilities in software, or computer viruses, in order to control a great number of computers connected to the Internet and use them for mailing SPAM.
To avoid automatic SPAM filtration, the messages are often distorted: digits or Latin symbols are used instead of letters, spaces are added, etc.
Different tricks are used to make sure that the message is delivered and read by the recipient:
• A request for delivery confirmation. Some mail clients can send it automatically.
• Letters that include pictures downloaded from spammer-controlled sites.
• Links to web pages that offer some additional information.
• An offer to unsubscribe from the mailing by sending an e-mail to a given address.
If spammers receive confirmation that the e-mail address is really in use, the SPAM flood can increase enormously.

Usenet
Many Usenet news groups (especially non-moderated ones) were abandoned by users and now contain mostly advertisements. Other, moderated conferences were developed in their place.

Instant Messengers
The development of instant messaging services such as ICQ, AIM, etc. encouraged spammers to use them for their own purposes. The majority of these services offer lists of users, which can be used for mailing SPAM.

Blogs, Wikis
Today there are web sites that can be freely edited: blogs and wikis. For example, Wikipedia is built on this technology. These pages are open for free editing, therefore they may contain SPAM.

SMS-messages
SPAM can be spread not only via the Internet. Advertising messages sent to mobile phones as SMS messages are especially unpleasant, as it is more difficult to protect against them. Moreover, sometimes the receiver has to pay for them. This can be a substantial sum, especially if the receiver is roaming.