by Javantea aka. Joel R. Voss
Analysis: Jan 9-Aug 26, 2006
Write-up: Sept 8, 2006
Spam Server Analysis 0.6 [sig]
Spam Server Analysis 0.4 [sig]
Spam Server Analysis 0.1 [sig]
50 MB of Test Spam [sig]
Spam servers are generally accepted to be among the worst netizens currently residing on the net. Most are zombie botnets, some are open relays or proxies, but some are legitimate businesses in foreign countries. Since spam is illegal in the US, any server sending spam (with quite a few exceptions) is committing a crime. Of course, legislators have no concept of legitimate enforcement, so the fact that spam is a crime does not affect the level of spam that users receive.
Detection, analysis, and blacklisting of spam servers is the proper method to eradicate spam servers. While certain methods of unblacklisting will be required, blacklisting has no downsides. Occasional spammers will not be blocked until they make themself a nuisance.
Spam servers hide by using the obscurity of their origin and unwillingness of network admins to blacklist them. My intent in writing software to analyze spam servers is to give the security and anti-spam community accurate data on the origin of spam. There are different methods to be tried against different spam methods. Knowing the numbers and the types of spam systems will give us the ability to decide upon what methods to use against them.
Blacklisting of known offenders works well against repeated spam offenders. Blacklisting of ranges works well against a widespread botnet problem or the use of dynamic ips and anonymous wireless access, but has the unintended consequence of blocking legitimate senders from those ranges. Bayesian filterning works well against widespread botnets and ipv6 networks (where ranges are impractical). Statistical filtering works with low entropy spam senders. SpamD works against poorly implemented attack systems, which is not future-proof. Obsfucation of e-mails works against unsophisticated spiders. Free anti-virus services will work against large groups of infected machines with users that have time to use them properly. Anti-virus services are vulnerable to more advanced viruses (polymorphic, etc).
When a spam server sends spam, most of the data is unreliable. In fact, the URLs could be joe jobs. Therefore, the only reliable data is the data written by the local mail server on the ip address of what server it received the mail from. This can be found in the Received: header. Since the received header can be rather ugly, a Perl script must be written to ensure proper filtering.
4 types of Received messages: from domain.com (domain [ip]) by domain.com (blah) with blah id blah forThe script simply searches with regex for:
; date via service
A typical spam:
Received: from localhost by ASLinWs01.altsci.com with SpamAssassin (version 3.1.3); Fri, 25 Aug 2006 18:06:17 -0700 From: "Rhonda Nicholas"Output of the script:
To: Subject: $888 Deposit Bonus Date: Fri, 25 Aug 2006 23:34:30 -0300 Message-Id: <53032102247942.F5CF32FB0E@AKQYFZ> X-Spam-Flag: YES X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on ASLinWs01.altsci.com X-Spam-Level: ********** X-Spam-Status: Yes, score=10.4 required=10.0 tests=RCVD_IN_XBL,SUBJ_DOLLARS autolearn=disabled version=3.1.3 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----------=_44EF9E89.D986D298" X-UID: Status: R X-Status: NPC X-KMail-EncryptionState: X-KMail-SignatureState: X-KMail-MDN-Sent: ... ------------=_44EF9E89.D986D298 Content-Type: message/rfc822; x-spam-type=original Content-Description: original message before SpamAssassin Content-Disposition: inline Content-Transfer-Encoding: 8bit Received: from 85uom7uo.fe45i.ameritech.net ([220.127.116.11]) by ---------------- with Microsoft SMTPSVC(6.0.3790.1830); Fri, 25 Aug 2006 17:56:42 -0700 Message-ID: <53032102247942.F5CF32FB0E@AKQYFZ> From: "Rhonda Nicholas" To: Subject: $888 Deposit Bonus Date: Fri, 25 Aug 2006 23:34:30 -0300 MIME-Version: 1.0 X-Mailer: Microsoft Office Outlook, Build 11.0.5510 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 Thread-Index: K7Xv5km5HgnpYUmghBEtoi4DyOrPMRqKL5M5 Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: 7bit Return-Path: email@example.com X-OriginalArrivalTime: 26 Aug 2006 00:56:43.0443 (UTC) FILETIME=[7F6C3030:01C6C8AA] At Vegas Lounge Casino, we are so sure you are going to love our games that we are giving you up to $888.00 FREE just for trying our Casino. $ 888.00 FREE! Click Here Now! http://chelate.info.stainmayjon.com/v/v22
Obvious improvements can be easily made to this script:
If you are interested in developing Spam Server Analysis, feel free to