HOW DO SPAMMERS GET AWAY WITH
SENDING THEIR SPAM? (cont'd)


    Message headers show the history of a message, and how it found its way into your mailbox.  Message headers can often be difficult to read and interpret, as some of the information can be forged.  Here's an example of a message header, taken from a spam message I received:

===================================\
Microsoft Mail Internet Headers Version 2.0
Received: from smtp.acd.net ([207.179.102.146]) by sirius.acdadmin.net with Microsoft SMTPSVC(5.0.2195.2966);
Sat, 13 Jul 2002 04:05:17 -0400
Received: from mail01.mail01 ([208.187.28.180]) by smtp.acd.net with Microsoft SMTPSVC(5.0.2195.2966);
Sat, 13 Jul 2002 04:05:17 -0400
Received: from AspEmail (208.187.28.180) by mail01.mail01 (PowerMTA(TM) v1.5); Sat, 13 Jul 2002 01:06:01 -0700 (envelope-from <loans@lighteningmarketing.com>)
From: <loans@lighteningmarketing.com>
To: grover.joe@acd.net
Reply-To: loans@lighteningmarketing.com
Subject: Loan rates lowest in years!! Get a loan or refinance before its to late!!
Date: Sat, 13 Jul 2002 01:06:01 -0700
MIME-Version: 1.0
Return-Path: loans@lighteningmarketing.com
Message-ID: <REGULUS0WQJrsQOWjrU000022c8@smtp.acd.net>
X-OriginalArrivalTime: 13 Jul 2002 08:05:17.0903 (UTC) FILETIME=[06BDA5F0:01C22A44]
===================================/

    Ok.  The pertinent part of this message header is as follows:

===================================\
Received: from smtp.acd.net ([207.179.102.146]) by sirius.acdadmin.net with Microsoft SMTPSVC(5.0.2195.2966);
Sat, 13 Jul 2002 04:05:17 -0400
Received: from mail01.mail01 ([208.187.28.180]) by smtp.acd.net with Microsoft SMTPSVC(5.0.2195.2966);
Sat, 13 Jul 2002 04:05:17 -0400
Received: from AspEmail (208.187.28.180) by mail01.mail01 (PowerMTA(TM) v1.5); Sat, 13 Jul 2002 01:06:01 -0700 (envelope-from <loans@lighteningmarketing.com>)
===================================/

   Message headers--with regards to reading how the message got to you--are read from bottom to top.  So in this case:

- The server at 208.187.28.180 originated a message, and gave it to mail01.mail01, 208.187.28.180 (which--since it has the same IP address--is the same server).
- mail01.mail01 (208.187.28.180) gave that message to smtp.acd.net.
- smtp.acd.net (207.179.102.146) delivered the message to the mailbox server on our network (in this case sirius.acdadmin.net).

   So.  The message was sent from 208.187.28.180.  This is the spammer (they can't fake the IP address that our server saw the connection come from).
    Assuming I want to take action on this spammer (which I did), I need to know who 208.187.28.180 is.  To do this, I go to http://www.arin.net.  This is the American Registry of Internet Numbers.  If the IP address above is registered to someone in the US, I'll see it here.
    Going to the above URL I entered the IP 208.187.28.180 into the WHOIS search field and did a lookup.  The IP address is registered to Electric Lightwave, Inc., or ELI.NET.  I sent my abuse complaint (complete with a copy of the above headers implicating their network and a copy of the message I received) to abuse@eli.net.  Simple as that.  Now the ball's in their court.  They probably won't tell me if anything's been done about it, but I've done my part to get this spammer taken out of commission...at least for now.

**NOTE** Not all IPs will be in the ARIN database, as this database only handles IP allocation for North and South America.  Since many foreign countries do not have anti-spam regulations, their servers are open relays quite often.  When looking up these IPs you may receive a message that it is handled by another IP registrar, such as APNIC (the Asia Pacific Network) or RIPE (the European Registry).  Looking IPs up on those networks is a whole different story, so I'd recommend using a reporting service such as spamcop.net to report this abuse.

   So why did I bother going into all the above?  I wanted you to know how people can see where the message originated, and how to complain to them.  While some of the information in the header can be forged (such as the server name mail01.mail01), the IP address we received it from cannot.  This implicates the network, and allows us to take action.

   Now, there are some places on the internet that do all this work for you.  Websites such as SpamCop.net, for example, allow you to cut and paste the message header and message body into a form on their site, and their server will analyze it and automatically generate and send abuse complaints to all parties involved.

   What happens when your server permits open relay, and half the internet is sending mail using your server, and the other half is complaining about it?  Well, if you don't fix it (i.e. you don't know it's happening yet), then there are places online that maintain databases of servers that are known open relays.  These are databases that give a heads-up to other mail administrators, saying, "Hey!  If you get mail from this server, it's probably going to be spam!"  There are third-party software utilities available that allow a mail server to synchronize with these databases and actively refuse connections from any servers listed in them.  Many providers (such as Excite.com, yahoo.com, and others) use these lists to prevent receiving mail sent from these non-secure servers.  Popular lists include:

relays.ordb.org
bl.spamcop.net
relays.osirusoft.com
relays.visi.com
list.dsbl.org

   If your server is listed in any of the above databases (or other databases), then your server will be unable to deliver mail to any servers that subscribe to those databases until you resolve the problem.

**NOTE** The only reason a server will be listed in any of the above databases is that the mail server has already been used to send spam, and people have complained about it.  The maintainers of the databases do not go out and scan all mail servers; they only test servers that are reported to them as possible open relays.  In order to be removed from the listing the server needs to be secured and resubmitted to the database for testing.

HOW TO DETERMINE IF A SERVER IS LISTED

    If you're wondering if a server is listed as an open relay or open proxy, you can visit http://www.ordb.org and click on the Database Lookups link.  Enter the hostname (e.g. smtp.acd.net) or IP address (e.g. 207.179.102.146) in the provided field and click Submit Query.  Please note that this will only look up the server in the relays.ordb.org database.
    Using the server from the above message header (208.187.28.180), we can do a lookup to see if this server is listed as an open relay.  Entering the IP address 208.187.28.180 into the database lookup yields no result in the relays.ordb.org database.  However, below where it says the host is not in the database is a link that says "Look up this host in non-ORDB RBL's".  Clicking on this link will query other databases (like the others listed above) to see if they have this server listed.  Doing so brings up the following information:

Host: 208.187.28.180 (208.187.28.180)
relays.osirusoft.com Listed: 180.28.187.208.relays.osirusoft.com descriptive text "[1] Webmercial Direct/lighteningmarketing, see http://spews.org/ask.cgi?S1436"
spews.relays.osirusoft.com Listed: 180.28.187.208.spews.relays.osirusoft.com descriptive text "[1] Webmercial Direct/lighteningmarketing, see http://spews.org/ask.cgi?S1436"

   Ta daa!  Apparently I'm not the only person who's received (and reported) mail from this server.  Other people have, and have issued enough complaints that now this server has been listed as an open relay.  As such, ANY network that employs spam filters that query either of the above databases will actively refuse to accept mail from the listed server.  It is the responsibility of the mail server's administrator to resolve the issue and be removed from this list.  Which brings me to my next point.....
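Here is a small Python script, added as an example and not part of the original article, that does the two things walked through above: it reads the Received: lines bottom-to-top to pull out the IP our own server saw the message come from, and it builds the reversed-octet name (180.28.187.208.relays.osirusoft.com) that a DNSBL-aware mail server resolves against a list's zone.  The header text is a copy of the sample above with the folded date lines joined, and the set of "our" servers is assumed from that header.

```python
import re
import socket

# Constructed copy of the Received: lines quoted in the article, with each
# "...; Sat, 13 Jul 2002 ..." continuation folded back onto its header line.
SAMPLE_HEADERS = """\
Received: from smtp.acd.net ([207.179.102.146]) by sirius.acdadmin.net with Microsoft SMTPSVC(5.0.2195.2966); Sat, 13 Jul 2002 04:05:17 -0400
Received: from mail01.mail01 ([208.187.28.180]) by smtp.acd.net with Microsoft SMTPSVC(5.0.2195.2966); Sat, 13 Jul 2002 04:05:17 -0400
Received: from AspEmail (208.187.28.180) by mail01.mail01 (PowerMTA(TM) v1.5); Sat, 13 Jul 2002 01:06:01 -0700 (envelope-from <loans@lighteningmarketing.com>)
From: <loans@lighteningmarketing.com>
To: grover.joe@acd.net
"""

# Hosts we administer (assumption: taken from the sample header above).
OUR_SERVERS = {"sirius.acdadmin.net", "smtp.acd.net"}

# "from <claimed name> ([ip]) by <receiver>"; the IP may be bare or bracketed.
RECEIVED_RE = re.compile(
    r"^Received: from (\S+)(?: \(\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\))? by (\S+)",
    re.MULTILINE)

def parse_received(headers):
    """(claimed_name, ip, receiving_host) per Received: line, top to bottom."""
    return RECEIVED_RE.findall(headers)

def originating_ip(headers, our_servers=OUR_SERVERS):
    """Walk the hops bottom-to-top (oldest first) and return the IP recorded on
    the first hop one of OUR servers accepted.  The 'from' name on that line is
    whatever the sender claimed; the IP is what our server actually saw."""
    for claimed, ip, receiver in reversed(parse_received(headers)):
        if receiver in our_servers and claimed not in our_servers:
            return ip or None
    return None

def dnsbl_query_name(ip, zone):
    """Name a DNSBL-aware server resolves: octets reversed, zone appended."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone

def is_listed(ip, zone):
    """Live check (needs network): a DNSBL answers with an A record only for
    listed hosts, so a failed lookup (NXDOMAIN) means 'not listed'."""
    try:
        socket.gethostbyname(dnsbl_query_name(ip, zone))
        return True
    except socket.gaierror:
        return False
```

Running originating_ip(SAMPLE_HEADERS) gives 208.187.28.180, the same address the article arrives at by hand; is_listed() is the query the filtering utilities mentioned above perform for each incoming connection.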


What does this mean to me??....