Anatomy of Forged Spam
By George Bilbrey
and Neil Schwartzman, Manager, Compliance and ISP Relations
We recently detected a recent spam run that used the domain of one of Return Path’s businesses – Postmaster Direct. The spammers used some of our header and footer information to make the messages look even more like legitimate mail coming from Return Path. The spam was also noted in a couple of blogs.
This sort of attack is known in the anti-spam community as a “Joe Job” – named for, literally, a guy named Joe Doll, founder of Joe’s Cyberpost, which was attacked in this way as an act of revenge some years ago.
So, let’s use this as an educational opportunity to take a look at how spam and botnets work. Let’s take a look at one example spam:
1. The sending machines appear to be compromised (meaning they were infected by a virus or Trojan horse, known more recently in the industry as “malware”): The sending IP addresses are from all over the planet. Malaysia, China, and Spain. For example, one domain appears to be used for dynamic and static IP address for Telefonica de Espana, a Spanish ISP. None of the static addresses seem to send any significant amounts of email volume. Also, there has been no volume coming from this IP until very recently – a common spammer technique for evading a bad reputation. Port 21(FTP) is open on that machine.
2. An insecure hosting site is used to re-direct web traffic: The spammer “payload” – the URL in the message – points us to an offer at http://a2zwebmedia.com/offer/index.html .a2zwebmedia.com is a Malaysian hosting site. It has all sorts of unnecessary services listening (open ports), very likely permitting unauthorized network traffic. In other words, a great opportunity for spammers to execute a “joe job.”
3. The site in Malaysia redirects to a new domain with a name server that is hosted on somebody’s home computer, http://chraieno.com/. This domain was registered five days ago, with a Chinese registrar. It is hosted on a compromised computer on an ADSL line: chraieno.com – 126.96.36.199 – hn.kd.ny.adsl. The name server that serves us this domain is NS1.FORSTERL.COM, which also serves 12 other domains. These are probably used by the spammer as well. NS1.FORSTERL.COM is hosted on the ADSL machine too – pretty clear that this isn’t a real, legitimate company. No shock, but it has a lot of open ports.
So how does understanding all of that help the legitimate mailer? What lessons can you take from our entirely non-unique tale of woe?
First, it is important to understand that this stuff happens all the time – even to companies like Return Path. Unfortunately, there isn’t a lot that anyone can do to prevent it using currently deployed technology. But it points out why so much legitimate email is viewed by ISPs, at first, with suspicion. And, of course, why your sender reputation is so very important.
The basic lesson, as always: don’t look like a spammer. Specifically, a few things come to mind:
1. Monitor your brands (including all of the URLs that you use in your email offers, even if they belong to someone else.) They can be repurposed as part of a spam run (“joe job.”)
2. Use authentication. The impact on RP would have been worse if we hadn’t had authentication in place for the spoofed domain. We authenticate all our Postmaster email with SPF and SenderID. Most of our email is also signed with DKIM, and we are working on signing the few streams that aren’t today.
3. Avoiding switching IPs. New email volume coming from an IP address looks suspicious, and most of the time it really is the worst kind of spam. Ironically, this is even more true for IPs which send a low volume. Most compromised machines are like the one used to send our sample spam: they appear out of nowhere, sending a low volume of email of hopes of avoiding detection. In any event, build a good reputation on an IP and stick with it. Even a bad reputation is better than none at all.
4. Avoid reverse DNS with an IP address that is part of the rDNS domain name. There are lots of systems that will mistake this for looking like a “dynamic” IP address (one that the ISPs intend for home use). Mail shouldn’t be coming from these.
5. Maintain a stable domain. The age of your domain registration matters. Seeing a lot of mail coming from a domain that was just registered or seeing a URL with a “new” domain is a little fishy (and phishy). If you do need to launch a new domain, be aware of the risks so you can manage them.
In this case, Return Path did all of this but it didn’t discourage the spammer from illegitimately using both our domain name and some of our content in their message. What they did was illegal in just about every jurisdiction in the world, but even once we track ’em down, a legal remedy would take too long.
In the very near future, most ISPs and anti-spam vendors will start blocking unauthenticated mail if the domain owner has indicated that it’s safe to do so. SPF and SenderID allow domains to make an “-all” assertion, and there are options for DKIM being developed. Return Path is actively participating in these discussions, and we’re working on some new products and updates to old products which should simplify the process of detecting forgeries – like what’s happened to us.
It could (and does) happen to anyone. Start protecting yourself now.
About George Bilbrey
George Bilbrey is the founder of the industry’s first deliverability service provider, Assurance Systems, which merged with Return Path in 2003. He is a recognized expert on the subjects of email reputation and deliverability and is active in many industry organizations, including the Messaging Anti-Abuse Working Group (MAAWG) and the Online Trust Alliance (OTA). In his role as president of Return Path George is the driving force behind the ongoing innovation of our products and services. Prior to Return Path, George served as Director of Product Management at Worldprints.com and as a partner in the telecommunications group at Mercer Management Consulting. He holds a B.A. in economics from Duke University, and an MBA from the Kenan-Flagler School of Business, University of North Carolina.