How to deal with spam

How to pass spam on to Sophos

My important messages from outside Flinders are being quarantined!

I'm unable to send mail to a non-Flinders address, and I get something about backscatterer.org!

Backscatter

A partial solution

Symptoms

I'm receiving bounce messages from a non-Flinders mail server, claiming I've sent spam!

I'm receiving lots of spam or bounce messages!

I'm receiving spam from myself!

My email is being rejected as spam!

How can I tell where the spam came from?

How to avoid getting spam

What is spam?


How to deal with spam

 

Flinders University uses multilayered anti-spam measures to reduce the amount of incoming spam. These systems are updated every ten minutes to ensure that we detect new spam as quickly as possible. However, despite our best efforts, a small percentage of the million or so spam messages per day slip through.

 

If you receive spam there are a number of ways to deal with it:

 

  1. Delete it (never reply to spam)
  2. Pass it on to our anti-spam vendor Sophos (see How to pass spam on to Sophos below) and then delete it.

 

Another method some people use to deal with spam is to report it to their local or University support person. Unfortunately, this achieves nothing since our spam defences are completely automated and attempting to manually block individual spam messages is fruitless.

 

 

How to pass spam on to Sophos

 

 

Sophos maintain an automated service which allows customers to submit spam samples. This allows Sophos to perform research on spam for future improvements to their anti-spam products. This service doesn't acknowledge submitted spam samples OR have any effect on our anti-spam measures except to hopefully improve them in the long term. Submitting a spam sample will not block another similar spam message from getting through in the near future.

 

 

From Microsoft Outlook

 

1. Create a new email message

2. Address it to: is-spam@labs.sophos.com

3. Click on the 'Attach Item' button, select one or more mail items.

4. Click OK, or drag and drop the selected item(s) into the new email.

5. Send the email

 

From Mozilla Thunderbird

 

1. Select the sample

2. From the toolbar choose Message > Forward > Attachment

3. Address it to: is-spam@labs.sophos.com

4. Send the email

 

From other email clients

With other email clients, use the 'Forward as Attachment' option.

 

 

 

 

My important messages from outside Flinders are being quarantined!

 

Flinders uses Sophos PureMessage, which quarantines spam and sends recipients a daily digest (a list of the quarantined messages) that can be used to release any legitimate mail. If a particular sender's mail is quarantined regularly, log into the PureMessage user interface and whitelist the sender.

 

I'm unable to send mail to a non-Flinders address, and I get something about backscatterer.org!

 

Firstly, let's define backscatter.

Backscatter

Backscatter occurs when mail with a fake return address is sent to a server which, instead of refusing the email during the delivery attempt, accepts the message for delivery and then changes its mind later.

This usually occurs because virus/spam checking is an intensive process which takes too long for the receiving mail server to hold the SMTP connection open with the sending server. Instead, to avoid tying up resources on both the sending and receiving mail servers, the messages are accepted and put in a queue for offline processing.

With a properly configured server this isn't an issue, because any virus-carrying mail is logged and discarded, while spam is usually quarantined and a spam digest of some sort is sent on to the recipient (just in case they want the message). The problem occurs when anti-virus/spam software has been configured to send the sender of the message a "you sent virus/spam to us" notice, or a "the mail is undeliverable" notice, in an email from the Mailer-Daemon.

This is called backscatter, and it becomes a major issue when a spammer or virus sends huge amounts of mail to a backscattering server using the email addresses of innocent third parties as the return address. The third parties end up with mailboxes full of rubbish messages.

Backscatter is notoriously difficult to stop, because we still want to receive legitimate messages from remote Mailer-Daemons, such as "user's mailbox is full", when we actually send a message to someone.

 

A partial solution

 

A number of organisations maintain what are called blackhole lists. These lists contain the Internet addresses of machines which have sent out spam, or appear to be compromised in some manner, during a certain time period. One of these lists is the backscatterer list, which Flinders uses to decide whether to accept or reject messages from remote Mailer-Daemons.

Unfortunately there are some mail servers which perform a process called Address Verification when they first receive an email from another server. This process effectively attempts to send a message back to the sender of the received mail to see if the address is legitimate, and only accepts the incoming message if the verification succeeds. There are a number of major issues with this approach:

  1. It doesn't work. Remember that the sending address is the address of an innocent third party. Hence, the mail server of an innocent party gets probed and the address comes up as legitimate.
  2. This behaviour is a form of backscattering, and as such the offending server ends up on a backscattering blacklist.
  3. During a big spam attack it spreads the damage around by loading up other mail servers.
  4. Anyone using a backscatterer list to reject messages from a backscattering Mailer-Daemon rejects the Address Verification, and as a result the original message is rejected as well.

 

Symptoms

 

The main symptom is that your email to someone fails with a message like:

 

host someremotehost[120.244.226.66] said: 550 5.7.1 <fred@frednowl.com.au>... recipient denied, because MX 10 'wirenth.cc.flinders.edu.au.' [129.96.252.76] for <john0008@flinders.edu.au> rejected address saying: Service unavailable; Client host [203.12.160.182] blocked using backscatterer.dnsbl; Sorry 203.12.160.182 is blacklisted at http://www.backscatterer.org/?ip=203.12.160.182; see http://www.flinders.edu.au/contact/ for Flinders Contact details))

 

This can be somewhat confusing, because you were sending the message to fred@frednowl.com.au, but it appears that a server at Flinders rejected the message!

What the error actually means is that the server someremotehost, with Internet number 120.244.226.66, tried to do an address verification for your address (john0008@flinders.edu.au) against a Flinders server called wirenth, which promptly replied that we don't accept Mailer-Daemon messages from 120.244.226.66 because it's a backscatterer. As a result someremotehost refused your email and tried to explain why.
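As an added illustration (not part of the original page), the following script pulls the parts of such a rejection message apart and produces the explanation given above: which remote server did the address verification, which Flinders MX refused the probe, and which address was found on the blacklist. The sample text is the rejection quoted above, reflowed onto one string.

```python
import re

# Constructed sample: the rejection text quoted above, reflowed onto one string.
BOUNCE = (
    "host someremotehost[120.244.226.66] said: 550 5.7.1 <fred@frednowl.com.au>... "
    "recipient denied, because MX 10 'wirenth.cc.flinders.edu.au.' [129.96.252.76] "
    "for <john0008@flinders.edu.au> rejected address saying: Service unavailable; "
    "Client host [203.12.160.182] blocked using backscatterer.dnsbl; Sorry "
    "203.12.160.182 is blacklisted at http://www.backscatterer.org/?ip=203.12.160.182"
)

# The pieces of the message that carry the diagnosis (same layout as the sample).
PATTERN = re.compile(
    r"host (?P<remote>[^\s\[]+)\[(?P<remote_ip>[\d.]+)\] said: (?P<code>\d{3}) "
    r"(?P<status>[\d.]+) <(?P<recipient>[^>]+)>"
    r".*?MX \d+ '(?P<mx>[^']+)' \[(?P<mx_ip>[\d.]+)\] for <(?P<sender>[^>]+)> "
    r"rejected address"
    r".*?Client host \[(?P<blocked_ip>[\d.]+)\] blocked using (?P<dnsbl>[^;\s]+)",
    re.S,
)


def diagnose(bounce_text):
    """Return the parts of an address-verification rejection, or None when the
    text is some other kind of bounce (a plain 'mailbox full', say)."""
    m = PATTERN.search(bounce_text)
    return m.groupdict() if m else None


def explain(parts):
    """Turn the extracted parts into the explanation given in the text above."""
    # The verification probe can arrive from a different address than the host
    # that reports the failure; the listed address is the one after 'Client host'.
    return (
        f"{parts['remote']} ({parts['remote_ip']}) tried to verify your address "
        f"{parts['sender']} against our MX {parts['mx']} ({parts['mx_ip']}). "
        f"Our MX refused the probe because its client address {parts['blocked_ip']} "
        f"is listed on {parts['dnsbl']}, so {parts['remote']} refused your mail to "
        f"{parts['recipient']} with code {parts['code']}. The block applies to the "
        f"verifying server, not to your message."
    )


if __name__ == "__main__":
    found = diagnose(BOUNCE)
    print(explain(found) if found else "not an address-verification rejection")
```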

 

 

I'm receiving bounce messages from a non-Flinders mail server, claiming I've sent spam!

 

A standard technique used by spammers is to fake the return address of their spam messages so that an innocent third party receives any bounced messages. As a result most mail servers quarantine or discard spam instead of bouncing it back to the sender. Unfortunately, some misconfigured mail servers bounce spam back to the sender, which results in double the waste of resources. The best method to deal with this is to delete it, as the fake addresses are usually selected at random.

 

I'm receiving lots of spam or bounce messages!

 

We deal with roughly a million spam messages a day, so if you're only receiving ten or so .

 

The best way to deal with small amounts of spam is to delete it. If you're receiving hundreds a day then feel free to discuss it with your local support person.

 

I'm receiving spam from myself!

This is a standard technique used by spammers to attempt to get around anti-spam measures and also to get the recipient to read the spam message. If you're concerned, check the detailed headers of the message for the actual source of the email, which will not be a Flinders address; but the best way to handle this spam is to delete it.

 

My email is being rejected as spam!

 

There are a number of reasons mail sent from Flinders may be detected as spam by other organisations. To limit this, Flinders checks outgoing email against its spam rules. If your mail is flagged as spam there are a number of things to check:

  1. make sure the message has a subject
  2. try to reduce shouting (lots of typing in CAPITALS)
  3. don't include in your email links to web sites that might be found in spam messages
  4. don't try to send an unzipped or un-archived program or executable as an attachment with your email; a lot of antivirus and anti-spam measures block the mailing of executables

How can I tell where the spam came from?

 

If you have the time and inclination then it's possible to find out where the spam came from.

 

By default email clients usually hide most of the information about the route that a message took to get to the recipient. However, nearly all email clients allow the user to examine the source of the message (look for something like View Source under the view toolbar item).

 

The important thing to note is that the latest headers are at the top!

 

Firstly we have the return path, which supposedly indicates that the mail came from innocentvictim@flinders.edu.au, which is one of our email addresses. However, looking further down, the mail came from unknown [203.100.170.36], which isn't in our address range of 129.96.xxx.xxx, and as the message is spam we can safely assume the address is faked!

 
 
Return-Path: <innocentvictim@flinders.edu.au>
X-Original-To: inno0001@flinders.edu.au
 

This is where one of our mail delivery servers delivered the mail to inno0001 (innocentvictim@flinders.edu.au).

 
Delivered-To: inno0001@flinders.edu.au
 
 

This section is where the mail delivery server makasa performed the spam/virus checks.

 
Received: from makasa.cc.flinders.edu.au (localhost.localdomain [127.0.0.1])
        by localhost.localdomain (Postfix) with SMTP id 5C3D041F1
        for <syst0001@flinders.edu.au>; Tue, 25 Nov 2008 20:38:22 +1030 (CST)
 

This section shows the mail delivery server makasa receiving the message from one of our mail gateways, prideth.

 
Received: from prideth.cc.flinders.edu.au (prideth.cc.flinders.edu.au [129.96.252.53])
        by makasa.cc.flinders.edu.au (Postfix) with ESMTP id 565884195
        for <syst0001@flinders.edu.au>; Tue, 25 Nov 2008 20:38:22 +1030 (CST)
 

This section shows the mail gateway prideth performing spam/virus checking.

 
 
Received: by prideth.cc.flinders.edu.au (Postfix)
        id 2CCAA47BF1; Tue, 25 Nov 2008 20:38:22 +1030 (CST)
Delivered-To: innocentvictim@flinders.edu.au
Received: from prideth.cc.flinders.edu.au (localhost.localdomain [127.0.0.1])
        by localhost.localdomain (Postfix) with SMTP id 1A3C347BF2
        for <innocentvictim@flinders.edu.au>; Tue, 25 Nov 2008 20:38:22 +1030 (CST)
 

 

This section shows the mail gateway receiving the message from ahlawat.com (probably not the real source of the message), which claims to have an Internet address of 203.100.170.36.

Sadly, the only thing we can trust about this section is the 203.100.170.37 address, since that is where the connection actually came from.

 
Received: from ahlawat.com (unknown [203.100.170.36])
        by prideth.cc.flinders.edu.au (Postfix) with SMTP id 319AD47BF1
        for <innocentvictim@flinders.edu.au>; Tue, 25 Nov 2008 20:38:12 +1030 (CST)
 

This section contains the subject of the email and the faked From address. Note that the spammer has also set the To (destination) address to innocentvictim@flinders.edu.au, to cause maximum confusion and to try to get innocentvictim to read the message.

 
To: <innocentvictim@flinders.edu.au>
Subject: 78% of people in your locality, are not satisfied with their daily earnings. I can shift it.
From: <innocentvictim@flinders.edu.au>
MIME-Version: 1.0
Importance: High
Content-Type: text/html
Message-Id: <20081125100814.319AD47BF1@prideth.cc.flinders.edu.au>
Date: Tue, 25 Nov 2008 20:38:12 +1030 (CST)
 

Finally, this section shows our antispam engine checking the message (unsuccessfully).

 
X-PMX-Version: 5.5.0.356843, Antispam-Engine: 2.6.1.350677, Antispam-Data: 2008.11.25.95211
 

This header records that the message came from off campus.

 
X-PMX-Comment: External mail

 

The message matches our spam rules with a probability of 12% (we reject at 40%). Spammers are experts at tailoring their email to minimise the chances that they'll be detected by automated systems!

 

X-PMX-Spam: Probability=12%, The following antispam rules were triggered by this message:
        Rule                 Score Description
        CTYPE_JUST_HTML      0.848 HTML-only mail, with no text version
        HTML_NO_HTTP         0.100 Html part does not contain 'http://'
        BODY_SIZE_1100_1199  0.000 Message body size is 1100 to 1199 bytes
        BODY_SIZE_5000_LESS  0.000 Message body size is less than 5000 bytes.
        FROM_EDU_TLD         0.000 From domain contains a .edu TLD
        NO_REAL_NAME         0.000 From: does not include a real name
        RDNS_NXDOMAIN        0.000 Sender's IP address has no PTR record
        RDNS_SUSP            0.000 rDNS is suspicious
        RDNS_SUSP_GENERIC    0.000 rDNS is generic or doesn't exist
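The header walk above can be automated. As an added example (not code from the original page or from Flinders), this script reads the headers shown above, walks the Received headers from the latest (top) to the earliest (bottom), and reports the first relaying address that is outside the Flinders range, which is the address whose ownership you would look up next. The Flinders range 129.96.0.0/16 is taken from the text above; the sample message is the page's own header block re-assembled with the body omitted.

```python
import email
import ipaddress
import re

# Constructed sample: the header block walked through above (body omitted).
SAMPLE = """\
Return-Path: <innocentvictim@flinders.edu.au>
Received: from makasa.cc.flinders.edu.au (localhost.localdomain [127.0.0.1])
        by localhost.localdomain (Postfix) with SMTP id 5C3D041F1
        for <syst0001@flinders.edu.au>; Tue, 25 Nov 2008 20:38:22 +1030 (CST)
Received: from prideth.cc.flinders.edu.au (prideth.cc.flinders.edu.au [129.96.252.53])
        by makasa.cc.flinders.edu.au (Postfix) with ESMTP id 565884195
        for <syst0001@flinders.edu.au>; Tue, 25 Nov 2008 20:38:22 +1030 (CST)
Received: by prideth.cc.flinders.edu.au (Postfix)
        id 2CCAA47BF1; Tue, 25 Nov 2008 20:38:22 +1030 (CST)
Received: from prideth.cc.flinders.edu.au (localhost.localdomain [127.0.0.1])
        by localhost.localdomain (Postfix) with SMTP id 1A3C347BF2
        for <innocentvictim@flinders.edu.au>; Tue, 25 Nov 2008 20:38:22 +1030 (CST)
Received: from ahlawat.com (unknown [203.100.170.36])
        by prideth.cc.flinders.edu.au (Postfix) with SMTP id 319AD47BF1
        for <innocentvictim@flinders.edu.au>; Tue, 25 Nov 2008 20:38:12 +1030 (CST)
X-PMX-Spam: Probability=12%, The following antispam rules were triggered by this message:

"""

# Hops we wrote ourselves: the Flinders range named above plus the localhost
# loop each gateway makes while scanning. Everything below the first external
# hop was supplied by the sender and may be forged.
TRUSTED = [ipaddress.ip_network("129.96.0.0/16"), ipaddress.ip_network("127.0.0.0/8")]
CLIENT_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def origin_ip(raw):
    """Walk Received headers from the top (latest) down; return the first
    relaying address that is not one of ours, or None if every hop is ours."""
    for hop in email.message_from_string(raw).get_all("Received", []):
        m = CLIENT_IP.search(hop)
        if m is None:
            continue  # 'Received: by ...' is a local hand-off with no client address
        ip = ipaddress.ip_address(m.group(1))
        if not any(ip in net for net in TRUSTED):
            return str(ip)
    return None


def sender_forged(raw):
    """True when the return path claims a Flinders address but the message
    entered from outside the Flinders range: the address is faked."""
    return_path = email.message_from_string(raw).get("Return-Path", "")
    return origin_ip(raw) is not None and "@flinders.edu.au" in return_path


def spam_probability(raw):
    """The PureMessage score, so the result can be compared with the 40% reject line."""
    header = email.message_from_string(raw).get("X-PMX-Spam", "")
    m = re.search(r"Probability=(\d+)%", header)
    return int(m.group(1)) if m else None
```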

 

 

So after displaying the information and reading through it, what can we do?

  1. Find out who actually owns the address 203.100.170.36.

The easiest way to achieve this is to use a whois database such as http://cqcounter.com/whois/ to find out who owns the address (a partial result is shown below).

 

203.100.170.36 - Geo Information

IP Address:    203.100.170.36
Host:          203.100.170.36
Location:      KRKR, Korea, Republic of
City:          Bucheon, 13 -
Organization:  DreamcityMedia
ISP:           DreamcityMedia
AS Number:     AS17839 DreamcityMedia
Latitude:      37°49'89" North
Longitude:     126°78'31" East
Distance:      8219.78 km (5107.54 miles)


Reading further we also find some contact information:


person:       IP Manager
address:      423-6 Songnae-dong Sosa-gu Bucheon-city
address:      KYONGGI, 422-041
address:      Network Management Center
country:      KR
phone:        +82-32-668-0441
fax-no:       +82-32-666-0721
e-mail:       sanso@cj.net
e-mail:       abuse@cj.net

 

  2. Contact the abuse or admin address by email, making sure that you include the entire original message source as proof. You'll probably not receive a reply, but at least there's a chance something might be done. Unfortunately, you've probably spent quite a bit of time doing your research, and the most you can hope for is that the spammer may be forced to move to another service provider. Alternatively, pass the spam on to our antispam vendor Sophos (see: How to deal with spam).

 

 

 

How to avoid getting spam

 

If the spammer doesn't have your email address then you won't get any spam. A few techniques spammers use to get addresses are:

  1. Use a spambot (an automated program that browses web pages, news groups, public email list archives and bulletin boards looking for email addresses).
  2. Use social engineering to get people to freely give their email addresses to them, for instance by offering free screen savers or electronic greeting cards. Spammers even include spam removal links in their spam to try to find out if the address they sent the spam to is real!
  3. Directory harvest attacks, where the spammer uses brute-force random guessing of email addresses against a mail server to try to find out which ones exist.

 

Flinders and most other organisations take steps to stop spambot and directory harvest attacks. However, individual users need to take care of their email address.

 

A few simple tips:

 

  1. never reply to spam
  2. never click on a link in a spam message
  3. if you receive an email with an attachment from someone you don't know and you're not expecting the message then don't open the attachment
  4. When subscribing to something on the internet that asks for your email address, check the terms and conditions to find out what they'll do with it. In particular look out for text in the signup form along the lines of YES, I give permission for third parties to contact me, and make sure it's not selected or ticked
  5. Don't put your email address on a web page. Use a fill in form or some other method instead.
  6. Avoid setting up vacation messages if at all possible. Automated replies to spam give spammers a confirmation that the address they sent to exists and is in use. If your account receives business related mail that can't wait until you get back then consider changing your work practices. For instance use an alias such as businesscontact@flinders.edu.au which can be attached to a number of email accounts, rather than your own individual one (talk to your local support person for advice).

 

What is spam?

 

A message is spam only if it's both unsolicited and a bulk email.

 

By unsolicited we mean: you didn't ask to be sent the mail, and the person sending it doesn't have any authority, implicit or explicit, to send the message to you. Explicit permission can include such things as subscribing to a mailing list, or signing up for a service and ticking the "Yes, I really want to receive your catalogue" box. Implicit permission covers messages from your employer, educational institution or service provider.

By bulk we mean that the same message is addressed to large numbers of individuals. Bulk emails can be quite legitimate; a customer mail-out, messages from a mailing list, or staff news are all examples of legitimate bulk emails.

 

Both unsolicited and bulk emails can be quite legitimate, which is why the definition of spam is unsolicited and bulk. The definition doesn't cover the content of the mail, for instance you may be on a mailing list that occasionally includes offensive messages, but this doesn't make them spam.