Network Connection

By Dr. Philip Baczewski, Associate Director of Academic Computing

A New World of Spam*

Unsolicited E-mail seems to be more rampant than ever. I open my E-mailbox every day and find 5-10 unsolicited commercial E-mails (UCEs). The recurring themes urge me to reduce my personal debt, invest in stocks, use a miracle cure, or look at pictures of "beautiful" women. Occasionally, there is a more radical, outrageous, or downright offensive offer in the spam message. I have a very simple way to deal with spam. I delete it. I delete as soon as I recognize it as spam. Most of the time this means that I don't even read it, since the from address, to address, or subject gives it away.

In spite of blocking known spam sources and open relay hosts on our central mail relay host, the spam still comes. For one thing, there are more sources and more open relays. Eastern European networks have opened up (Russia and Romania, in particular) and Asian networks have grown (why anyone expects me to read messages in the international standard Korean font, I don't know -- those simply go into the trash). But the latest trick used by spam generation programs (you don't think anybody actually types those in, do you?) is to make up a fake address using the target address's mail exchange machine as the domain for the from address.

Why did I get this message?

I have received a number of inquiries along the lines of, "Why is someone from UNT sending me such a message?" The only catch is that the message never touched the UNT network until it was delivered. People either forget or don't know that the from address can easily be made up and does not even have to be a real address (if you have ever configured E-mail service in Netscape, remember that you are prompted to enter your E-mail address -- nothing stops you from making up a fake value). It appears that those who write spam generation programs think that a from address with the domain's mail exchanger as the domain is less likely to be rejected by a spam filter process.

Take the following example header from a spam I recently received:

    Received: from unknown (HELO symail.kustanai.co.kr) (182.155.161.240)
        by pet.vosni.net with smtp; 12 Jul 0102 12:09:56 -1000
    Received: from mta85.snfc21.pibi.net ([163.151.25.32])
        by rly-xr01.nihuyatut.net with smtp; 12 Jul 0102 02:06:32 -1100
    Received: from [134.91.242.118] by smtp4.cyberecschange.com with SMTP; 11 Jul 0102 15:03:08 +0900
    Received: from unknown (HELO rly-xw01.otpalo.com) (104.61.113.59)
        by mta21.bigpong.com with local; Thu, 11 Jul 0102 23:59:44 +0300
    Reply-To: <Lovely3616e58@hotbot.com>
    Message-ID: <033a47b55b6b$7423a0c2$5ca67dd8@lhutqn>
    From: <Lovely3616e58@hotbot.com>
    To: Lovely@mailhost.unt.edu
    Subject: The miracle drug is finally here!

This one is not from unt.edu, but the "to" address is to an ID on "mailhost.unt.edu". Mailhost.unt.edu is the primary mail host for unt.edu. Most mail bound to or from the UNT campus passes through that address. It's no secret. It's how the Internet works. That address is available from the Internet registry service so that any other site on the Internet will know where to direct mail bound for the unt.edu domain. This process is automated and happens unattended. That's what makes spam so easy. Nobody's watching because, given the volume of E-mail, nobody could.

The way you can tell the path of a message is to read the "Received" lines from the header. Most E-mail programs hide the header and just show you the basic from, to, and subject information; however, there's usually an option to view the whole header. If you look at the example above, you can see that it originated on otpalo.com and passed through Korea before it hit the UNT server.

I've seen similar examples with a from address which contains "unt.edu" but a quick glance at the header quickly shows that it is just a spammer trick.
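Reading the "Received" lines as described above can be automated. The following is an added example, not part of the original article: it lists the hops of the sample header oldest first, counts hand-offs where one relay's name does not match the next hop's claimed sender, and checks whether the From domain appears anywhere in the path. The function names are hypothetical, and a break in the chain is only a hint, since Received lines below the ones written by your own mail servers can be made up just like the from address.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Header from the article's example; continuation lines are indented (folded).
SAMPLE = """\
Received: from unknown (HELO symail.kustanai.co.kr) (182.155.161.240)
    by pet.vosni.net with smtp; 12 Jul 0102 12:09:56 -1000
Received: from mta85.snfc21.pibi.net ([163.151.25.32])
    by rly-xr01.nihuyatut.net with smtp; 12 Jul 0102 02:06:32 -1100
Received: from [134.91.242.118] by smtp4.cyberecschange.com with SMTP; 11 Jul 0102 15:03:08 +0900
Received: from unknown (HELO rly-xw01.otpalo.com) (104.61.113.59)
    by mta21.bigpong.com with local; Thu, 11 Jul 0102 23:59:44 +0300
Reply-To: <Lovely3616e58@hotbot.com>
Message-ID: <033a47b55b6b$7423a0c2$5ca67dd8@lhutqn>
From: <Lovely3616e58@hotbot.com>
To: Lovely@mailhost.unt.edu
Subject: The miracle drug is finally here!

"""

# "from <name> [(HELO <name>)] ... by <name>"; the HELO name is used when present.
HOP = re.compile(r"from\s+(?P<src>\S+)(?:\s+\(HELO\s+(?P<helo>[^)\s]+)\))?"
                 r".*?\bby\s+(?P<by>\S+)", re.S)

def hops(raw):
    """Return (claimed_sender, receiving_host) pairs, oldest hop first."""
    pairs = []
    # Each relay prepends its line, so the last Received field is the oldest.
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        m = HOP.search(value)
        if m:
            sender = m.group("helo") or m.group("src").strip("[]")
            pairs.append((sender.lower(), m.group("by").lower()))
    return pairs

def chain_breaks(raw):
    """Count hand-offs where the receiving host is not the next hop's sender."""
    path = hops(raw)
    return sum(1 for (_, by), (nxt, _) in zip(path, path[1:]) if by != nxt)

def from_domain_in_path(raw):
    """Return the From domain and whether any relay in the path belongs to it."""
    addr = parseaddr(message_from_string(raw).get("From", ""))[1]
    domain = addr.rpartition("@")[2].lower()
    hosts = {h for pair in hops(raw) for h in pair}
    return domain, any(h == domain or h.endswith("." + domain) for h in hosts)
```

For the sample header, the From domain never shows up among the relays and none of the three hand-offs line up.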

Resigned to spam?

One of the reasons I am resigned to spam is that the alternative is to give up E-mail. I have been online for so many years that my E-mail address has appeared on many E-mail mailing lists, Web pages, and news groups. Any time you subscribe to a mailing list, and especially if you post your E-mail address or a mail-to on a Web page, your address is likely to end up on a spam list. Even providing a legitimate commercial vendor with your address may lead to its inclusion on a spam list. Once the E-mail leaves your computer, your address is fair game for whoever finds it along the way.

So, before you jump to conclusions about who's responsible for spam, remember that you are. The more you disseminate your address through normal use of the Internet, the more likely it will end up on a spam list. The odd thing is that I can't imagine anyone spending money because they got a spam E-mail. Sometimes I think that if we ignore it, it just might go away. If we delete it without reading it, there's no reason for anybody to send it. You can always hope.


* Please see this month's Link of the Month for more ideas about dealing with Spam. We've written on the topic of Spam a lot through the years. "But is it Spam?" is another Network Connection article on this emotional topic.