Saturday, August 19, 2006

How to deal with spam

In this second article regarding spam, phishing and Joe-Jobbing, I am going to look into ways of handling spam prevention by employing some simple techniques.

Do not respond to Chain Letters.
Do not forward the various chain letters you receive since they simply contribute to a list of forwarded users for future harvesting.

Do not reply/bounce spam messages
It is rare, if ever, that a spammer will use his own email address to spam you with - therefore, never reply to the email or use one of the various auto-bouncing programs to send the spammer a 'go away' email. You are simply then spamming some poor Internet user who happens to have been used as the sender email address.

Report spamming IP addresses
It is a fairly simple process to report a spammer's IP address to the appropriate ISP. Firstly, you need to view the 'headers' of the email. Within each email there is hidden information which identifies where the email really came from. These are the headers, and they look something like this:

Received: from mail1.abc.com (mail1.abc.com [124.211.3.78]) by mailhost.abc.com (8.8.5/8.7.2) with ESMTP id LAA20869 for ; Tue, 18 Mar 1997 14:39:24 -0800 (PST)
Received: from alpha.abc.com (alpha.abc.com [124.211.3.11]) by mail1.abc.com (8.8.5) id 004A21; Tue, Mar 18 1997 14:36:17 -0800 (PST)
From: rth@abc.com (R.T. Hood)
To: tmh@abc.com
Date: Tue, Mar 18 1997 14:36:14 PST
Message-Id:
X-Mailer: Loris v2.32
Subject: Lunch today?

The lines all mean something:

  • Received: from mail1.abc.com (mail1.abc.com [124.211.3.78]) by mailhost.abc.com (8.8.5/8.7.2) with ESMTP id LAA20869 for ; Tue, 18 Mar 1997 14:39:24 -0800 (PST)

This identifies that an email was sent from mail1.abc.com at IP address 124.211.3.78 and was received by mailhost.abc.com with an internal id of LAA20869 for user tmh@abc.com on Tuesday 18th March 1997 at 14:39:24 -0800.

  • Received: from alpha.abc.com (alpha.abc.com [124.211.3.11]) by mail1.abc.com (8.8.5) id 004A21; Tue, Mar 18 1997 14:36:17 -0800 (PST)

This identifies that the mail was sent by alpha.abc.com at IP 124.211.3.11 to mail1.abc.com, which gave it an ID of 004A21 on Tuesday March 18th 1997 at 14:36:17.

  • From: rth@abc.com (R.T. Hood)

The mail was sent by rth@abc.com, whose real name is R. T. Hood.

  • To: tmh@abc.com

The mail is addressed to tmh@abc.com.

  • Date: Tue, Mar 18 1997 14:36:14 PST

The mail was sent at 14:36:14 on March 18th 1997.

  • Message-Id:

This is the global Message ID that is assigned to the message as it travels around the Internet. Local IDs, such as the ones above, are specific to the mail servers that it travels through prior to getting to its destination.

  • X-Mailer: Loris v2.32

This identifies that the mail was sent using the program Loris, version 2.32.

  • Subject: Lunch today?

The subject of the email is 'Lunch today?'

You can view email headers yourself by right clicking on an email message in Outlook and selecting 'Options'.

From Outlook Express, open the email, select File > Properties. When the Properties option opens up, select 'Details' and then the 'Message Source' button.

In the above sample, the lowest Received entry in the header information (i.e. the first hop) is the originating IP address, and with this information you will be able to report the spammer.

The next step is to simply copy all of the email header information into a new email and send it to your ISP (for example abuse@cwcrawley.co.uk). Be warned, however: ISPs that I have had dealings with in the past generally ignore these emails unless you are persistent.
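As an added example (not part of the original post), the following Python script walks the Received lines of the sample headers above from the bottom up, picks out the originating IP and assembles the text to send to the ISP's abuse address. It also checks that each hop's 'from' host matches the 'by' host of the line beneath it, since a break there means the lower lines were written by the sender rather than by a relay. The header sample is constructed from the post's example; the Message-Id value is a placeholder.

```python
import re
from email import message_from_string

# Constructed sample, based on the header block shown in the post above. The blank "for"
# recipient is left blank as in the post; the Message-Id value is a placeholder.
RAW_HEADERS = """\
Received: from mail1.abc.com (mail1.abc.com [124.211.3.78]) by mailhost.abc.com (8.8.5/8.7.2)
    with ESMTP id LAA20869 for ; Tue, 18 Mar 1997 14:39:24 -0800 (PST)
Received: from alpha.abc.com (alpha.abc.com [124.211.3.11]) by mail1.abc.com (8.8.5)
    id 004A21; Tue, Mar 18 1997 14:36:17 -0800 (PST)
From: rth@abc.com (R.T. Hood)
To: tmh@abc.com
Date: Tue, Mar 18 1997 14:36:14 PST
Message-Id: <placeholder-id@abc.com>
X-Mailer: Loris v2.32
Subject: Lunch today?

"""

# "from <host> (<rdns> [<ip>]) by <host>", the form written by sendmail-style mail servers.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

def parse_received(raw_headers):
    """Return the Received hops in header order: the top line (newest hop) first."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        match = RECEIVED_RE.search(" ".join(value.split()))  # unfold continuation lines
        if match:
            hops.append({"from": match["helo"], "ip": match["ip"], "by": match["by"]})
    return hops

def originating_hop(hops):
    """The lowest Received line is the first hop, i.e. where the mail entered the mail system."""
    return hops[-1] if hops else None

def chain_is_consistent(hops):
    """Each line's 'from' host should be the 'by' host of the line beneath it. A break suggests
    the lower lines were written by the sender, so treat everything below the break as untrusted."""
    return all(newer["from"] == older["by"] for newer, older in zip(hops, hops[1:]))

def abuse_report(raw_headers):
    """Text to paste into the message to the ISP: the originating IP followed by the full headers."""
    hops = parse_received(raw_headers)
    origin = originating_hop(hops)
    ip = origin["ip"] if origin else "unknown"
    note = "" if chain_is_consistent(hops) else " (Received chain is broken; lower hops may be forged)"
    return "Originating IP: %s%s\n\n%s" % (ip, note, raw_headers.strip())

print(abuse_report(RAW_HEADERS))
```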

If that's the case and spam starts to become a serious problem for your business, there are other prevention systems that can be employed to dramatically reduce it. Simply get in touch with me for further information.


Friday, March 03, 2006

Spam, Phishing and Joe Jobbing

Email is a widely accepted way of communicating these days and as with the traditional method of postal mail ('snail mail') - a lot of what they deliver is junk!

However, the days of 'Readers Digest' leaflets and 'Congratulations! You've won £1 million on the lottery' letters, promising everything and delivering nothing, seem tame compared to the sinister undertone the Internet has brought to the whole subject of 'junk mail'.

So how do you identify what is spam and what isn't? To use its correct name, Unsolicited Commercial Email (UCE), spam is a commercial email which has been sent to you unsolicited (i.e. you didn't ask for it) and it is trying to sell you something.

The concept has been muddied in recent times with the American 'Can-Spam' Act doing more damage than good in the campaign to stamp down on Email misuse. Many people refer to spam as 'anything I didn't ask for'. On that basis, if I were to email you without first initiating the communication, am I spamming?

In reality, no I'm not. However, if I was to send that same email out to 10 different people, it could be argued that I am spamming.

Unfortunately, spam has a number of different guises that make it more difficult to identify. These types of emails include:

  • Blatant attempts to sell Viagra, breast enlargements, potions, mortgages or so-called 'herbal remedies'
  • Attempts to entice you into subscribing and paying into dubious pyramid schemes and/or reselling techniques
  • Dubious emails trying to get you to subscribe to supposed 'free pornographic sites' or other illegal adult-oriented content.

While the three above are quite obviously the result of spamming techniques, there are a couple of others that may not at first be classed as spam, but almost certainly fall into that category:
  • The 'You are my friend, please forward this on to 10 of your friends' emails.
  • The 'AOL and Microsoft are paying $1 to the relief fund for every email that's forwarded on' approach.
  • The Jokes and funny riddle emails that are sent to you, but are also copied to 30 other people in the sender's address book.

Let's look at the above 3 and explain why they should be classified as spam:

Next time you get a chain letter email asking you to send it on, take a look at the whole message. Scroll through and take a look at the number of email addresses that are quoted in the email as the message has been forwarded all around the world. This method makes for perfect pickings for any unscrupulous person looking to 'harvest' all those email addresses and use them to peddle their own spam.

There is absolutely no way that Microsoft, AOL, or anyone else for that matter, can track and trace who forwards emails let alone where they will all end up. This is simply a 'harvesting' technique, another way to achieve item number 1 above.

While jokes and riddles may be funny and amusing, they contribute further to anyone looking to fulfill item number 1. Yes, one more method of 'harvesting'. If you do insist on forwarding these emails, ensure that you delete all previous email addresses from the body text before you do and further ensure that you forward only to people using the blind carbon copy option (BCC) of your email client.

Email harvesting is big business. It was recently discovered that a spammer who sends 15 million emails per month selling his $50 herbal remedy (which he/she purchases for $5) gets up to a 7% return. In this case, you're looking at a profit of $472,500 per month!
Likewise, a spammer may resell your email addresses on to other spammers for up to $100 for 100,000 addresses.

One of the largest spamming techniques over recent years is what's called the 'Nigeria 419' or 'advance fee fraud' scheme. This is where an email is received from supposed dignitaries of South African, Dutch, UAE parliaments, etc., requesting assistance to transfer millions of US dollars out of their country. In return for your help (and up to £30,000 advance payment) you are promised 10% - 20% of the money.

'Nigeria 419' is called such because it is believed to have originated in Nigeria and violates code 419 of the Nigerian Criminal Code.


Wikipedia contains a lot of information on 'advance fee fraud'.


'Phishing', on the other hand, is a more targeted way of extorting money and/or stealing your identity.

The most common 'phishing' techniques often appear in your mailbox posing as official email from banking organisations and/or finance companies, such as PayPal, Mastercard or Visa. These are cleverly styled and look as if they are genuine. Often these emails have official logos and images attached to them.

The point of these types of emails is to dupe the recipient into clicking the link in the email (which again is made to look like it's directing you to the official website), and then persuading the user to submit confidential information, such as your bank account details, usernames, passwords and PIN codes. Once the 'phisher' has this information, he/she can log into the real site and transfer/withdraw your funds, as well as potentially stealing your identity and obtaining loans and hire purchases in your name.

Finally, 'Joe-Jobbing' is more of an irritation than a targeted attack; however, in some cases it can be carried out in a malicious way to detrimentally affect a business or personal reputation.
The term 'Joe-Jobbing' actually comes from a hosting company, joes.com, which in 1996 was subject to an attack whereby a spammer sent millions of emails forging the return address to make it look like the owner (Joe Doll) had sent the spamming email. This was done in response to joes.com suspending the spammer's account for an original spamming offence.

Since then, the term 'joe-job' has referred to anyone emulating the original scam.

Most 'Joe-Job' exercises go unnoticed until the affected innocent target becomes flooded with bounces to emails which don't exist.

In its true sense, a 'Joe-Jobbing' exercise should only be called such when it is attempting to attach blame to an innocent party. For example, sending an email that suggests it has come from mail@barneysbait.com in an attempt to sell the recipient a dubious product could certainly do Barney and his business some harm and potentially get him disconnected by his ISP - however, common spamming techniques these days rarely use the real 'from address' and forge them to look like they are being sent from an innocent party.


Wednesday, June 01, 2005

The quest for superspeed not that far away

With all the cabling companies and telecoms providers trying to compete for a slice of the broadband market coupled with an ever increasing requirement for faster speeds - it's not surprising that we're not far away from getting speeds which are already offered in other parts of the world.

With the BT trials of ADSL2 and ADSL2+ already well underway, and the promise of speeds up to 25Mb/s, it's already looking to be overpowered by a new technology recently approved by the ITU-T.


VDSL2 (Very high-bit-rate Digital Subscriber Line) may hold the future of broadband and Internet usage for business and private users around the UK. In its specification document, it discusses the potential to offer 100Mb per second symmetrically (both download and upload). It is being billed as a potential platform on which to base 'triple-play' services as offered by NTL, Telewest and WightCable.

Encompassing high definition TV (HD-TV), telephone (VoIP) and broadband services down a single copper connection, it provides a real cost saving compared with the standard fibre networks currently in existence.

As always, it is not without its limitations. Currently VDSL2 is set to only be able to provide service at ranges of approximately 2km from the switches; however, at greater distances the technology promises to offer service at speeds comparable with ADSL2 and ADSL2+ (up to 25Mb/s).

There are a number of articles regarding the technology available and anyone wishing to read further about the technology should visit:

Already, manufacturers such as Linksys and D-Link are launching modems and routers which are capable of handling ADSL2+ speeds, and it won't be long before VDSL2 compatible units are available. My advice, if you are considering the purchase of a DSL modem or router: look out for an ADSL2 or VDSL2 compatible model. The technology is built in such a way that they are interoperable and will provide a much greater return on investment for your money.

As someone who works very closely within the telecoms and Internet marketplace, I will certainly be following the developments of this technology and post further entries as I hear about them.


Friday, October 31, 2003

Peer to Peer and the effects on an ISP

An interesting problem raised its ugly head the other week.

I used to manage the network and infrastructure for many clients. A couple of those clients were experiencing sub-optimal routing of the network on one of these clients, resulting in latency (sometimes as bad as 2 secs!) and even dropped packets of information. I conducted all the usual tests and nothing seemed to point to an issue. My last ditch attempt to identify the cause was to have a look at the routing equipment provided by our upstream providers.

Did some tests on the Cisco 3640 Transit Router and found the CPU usage to be abnormally high (averaging at 98%)... but why? The router is certainly capable of handling the upstream connectivity, so it had to be something else.

I made some further investigations and sent my findings up to the transit provider, who indeed confirmed my findings that the Cisco was at fault. We pulled out the logs from the router to find out why it was occurring and this led to some interesting results.

All routing equipment has what is known as PPS (processes or packets Per Second) - this is the number of concurrent requests that it can handle at any one time. The 3640 Router has a threshold of 30,000pps and it seemed from our logs that the problems with the overuse of the CPU were down to the router having to deal with more than its pps threshold.

But what could do such a thing? The nature of Internet traffic means that a small packet of information is sent outward and then the data is streamed back to the client - what could use constant processing and be slowing up the entire network? The cause of the issue is actually down to a nice guy called Bram Cohen.

Bram is the author and inventor of 'Bit Torrent', the Peer to Peer application credited with the slow demise of the Music/Movie Industry. The way that BitTorrent works is quite revolutionary. Instead of downloading a file from a single server (thus putting extreme load on one central system), the BitTorrent software allows for a single file to be broken up into segments and downloaded from multiple sources and then 'restitched' together again on your computer.

Let me try to explain it without geekspeak: Let's say that 100 people are downloading a file; each one of those people is downloading segments from the other 99 people at the same time. Therefore, the file is able to be distributed faster, quicker and with no load on a web server or system.

Now the problem with this is that one file, may be downloading from 100 other people at the same time, but you could also be sharing that file with another 100 people (uploading), therefore, one single file is now contributing to 200 processes.

So, 200 processes for a single file; let's say you are downloading 20 files (200 x 20) equals 4000 processes, now multiply that by just 100 customers (4000 x 100) equals 400,000 processes....
...you get the idea.

We sent our results to Cisco who confirmed that Peer to Peer software was the cause of this problem and asked me to carry out some tests - namely blocking some of the ports announced as Peer to Peer software and checking to see how the router handled normal traffic.
This in itself posed an interesting problem. Finding the appropriate ports responsible for Peer to Peer.

I found all the ports that were obvious and compiled an Access List - the ports affected were as follows:

  • Kazaa and FastTrack Clones TCP and UDP Port 1214
  • eDonkey and Clones TCP and UDP Ports 4661 to 4672 TCP Ports 5555, 4242, 3306, 2323, 6667, 7778
  • WinMX and Napster TCP and UDP Port 6257, 6699
  • BitTorrent TCP and UDP Ports 6881 to 6889
  • Gnutella TCP and UDP Port 6346

I put my Access-list in place and waited for the fallout over the next 24 hours. Surprisingly, there were no complaints and nobody seemed to notice any difference.

The reset of the Router apparently masked the supposed 'fix' because it had been rebooted, therefore the CPU and memory usage had been reset, so it wasn't overloaded this time. However, we saw no drop in our bandwidth usage and a few selective checks gave me cause for concern.

I loaded up and visited http://torrents.gentoo.org and started a download of the Gentoo ISO and sure enough, the file would not download - however, I then visited a 'less legitimate' site and successfully started a download of a well known movie currently in the cinema. But why? Surely the ports that I had blocked should stop this? Apparently not.

Upon further investigation, I missed some key information that had made this entire 'test' pointless. Legitimate Peer to Peer software applications which use standard 'trackers' to initiate requests were indeed blocked (meaning that all legitimate use of Peer to Peer was being blocked) - however, illegal use of BitTorrent (software/movies/music/pornography etc) has evolved and become a lot smarter.

The newer Peer to Peer hybrids are now not using the 'standard' ports as above, but have decided to grow. Due to the number of corporate providers that block these ports on firewalls and routers, software writers have gotten smarter and are now using any port between 29100 and 65535.

Blocking this number of ports is simply impossible - not only because the load put on any device to process this number of rules would result in exactly the same problem (latency and speed issues), but it would also affect normal surfing, online gaming in fact, pretty much all Internet access.

So, what do you do? In an online world where illegal downloading of software/music/movies seems to be the norm - how do you monitor/track/stop it? Is it possible?

If and when ISPs start to block this kind of traffic, new providers will simply pop up charging a little more for the service, but with no port restrictions. It's happened before with NewsGroups and IRC.

Can you force your customers into using a service which does not allow the use of those ports? If Microsoft have their way (http://www.theregister.com/2005/06/16/filesharing_microsoft/), it'll be impossible. But, as always, only time will tell.
