Answers and advice from 'the spam man'

By Christine Polewarczyk, Senior Editor
29 Dec 2005 | SearchDomino.com

"Spammer-X," reformed spammer and author of the book, Inside the Spam Cartel, offers advice to SearchDomino.com readers on how to effectively fight spam.

SearchDomino.com member: Looking at the raw header of a message, is there a way to track the message back to the originator?

Spammer-X: You could trace it back to where the mail came from, but that may be a compromised machine, and will probably not be the address of the spammer. So no, there really is no way to track a spammer down by looking at headers.

SearchDomino.com member: My company has zero tolerance for false positives, but complains about the spam we have been receiving since I was told to turn off our filters. Do you have any suggestions? I know it's sort of a Catch-22.

Spammer-X: Yes, it's a Catch-22 all right. Bayesian filters will help with this, filters that only mark spam if you personally declare it spam. Try network-level filters, deny mail sent from DSL and cable, and use other filters that do not rely on content base. But, really, you should run all filters and just tune them correctly. If your company is really worried, try only flagging spam as spam, not deleting it.

SearchDomino.com member: How can a company block foreign-language spam?

Spammer-X: Look for foreign characters, or a character set that identifies Unicode or some other non-English setting.

SearchDomino.com member: Do botnets set up SMTP servers on compromised machines and then retrieve spam from a centralized or decentralized "server"?

Spammer-X: No, usually they only act as entry points for a spammer. As dumb mail relays, they are only there to hide the source IP address, like a proxy server.

SearchDomino.com member: What is the best way to detect a botnet working within a LAN?

Spammer-X: You need a virus scanner on each machine. Also, run a sniffer on the port and an intrusion detection system on a spanning port. That's a good start.

SearchDomino.com member: How does a hacker control who uses his botnet?

Spammer-X: Usually, each client in the botnet will connect to an IRC server and sit in a channel. They take commands from a master (who has the password). The master can set up the clients to accept spam for delivery or change the port they listen on.

SearchDomino.com member: How successful are real-time blacklists, such as Spamhaus, in the fight against spam? Is this a changing trend?

Spammer-X: They help, but botnets really disable them. When you have 30,000 new hosts sending spam, it can take a while for those hosts to be added to Spamhaus. This is why botnets are so popular.

SearchDomino.com member: Do you have a favorite DNS blacklist provider, or are they not reliable?

Spammer-X: Use them. Use every one available.

SearchDomino.com member: What's the purpose of sending spam that is full of garbage/unreadable content?

Spammer-X: To bypass content-based, keyword filters. Spam that has many 'passive' words, such as "Jack the rabbit went to the store 33 2003-Jan," looks more legitimate, even if it contains "Buy Viagra here." It's to beat a frequency analysis.

SearchDomino.com member: I still am not sure as to how the e-mail lists are getting out to the spammers. Do they attack e-mail servers directly to harvest the e-mail addresses? Are there certain SMTP commands that should be blocked?

Spammer-X: Well, yes, some try traversals, like trying to deliver a message to A@user.com, b@user.com, etc. This can be stopped with tarpitting, where each sequential message takes a longer time to be delivered. However, a majority of spammers just hack into mail servers or subscription programs and steal the subscribers. It's easier than you think.

SearchDomino.com member: I notice most spam is only a few K, but I am also seeing more and more spam that is upwards of 30 K. Is size becoming less of a barrier?

Spammer-X: It's harder and there is more setup cost involved, but the returns are greater for the spammer. I think the wide penetration of broadband has given spammers access to more bandwidth. This is why you're seeing larger spam being sent.

Stay tuned next week for part two of our interview with Spammer-X, "Revelations from a reformed spammer."
