Spam Server Analysis

by Javantea aka. Joel R. Voss
Analysis: Jan 9-Aug 26, 2006
Write-up: Sept 8, 2006
Botnets
Spam Server Analysis 0.1 [sig]
50 MB of Test Spam [sig]

Introduction

Spam servers are generally accepted to be among the worst netizens on the net. Most are zombie machines in botnets, some are open relays or open proxies, and some are legitimate businesses in foreign countries. Since most spam is illegal in the US under the CAN-SPAM Act of 2003, nearly any server sending it is committing a crime. Of course, the law is barely enforced, so the fact that spam is a crime does not affect the amount of spam that users receive.

Detection, analysis, and blacklisting of spam servers is the proper way to eradicate them. Some method of removing an address from the blacklist will be required, since false positives and reassigned addresses do happen, but with that in place blacklisting has few downsides. An occasional spammer will not be blocked until it has made itself a nuisance.

Methods of Spam Server Analysis

When a spam server sends spam, most of the data in the message is unreliable: the From, Message-ID and similar headers are chosen by the sender, and even the URLs could be joe jobs pointing at an innocent site. The only reliable datum is what the local mail server recorded itself: the IP address of the host it accepted the message from, which it writes into the Received: header it adds. Since Received headers come in several rather ugly formats, a Perl script with a careful regex is used to extract that address.

Process

A Received header is built from four kinds of clauses:
from domain.com (domain [ip])
by domain.com (blah) with blah id blah
for <email@ext.domain.com>; date
via service
The script simply searches each message with the regex:
Received: from ([^ ]+) \(([^ ]*) ?\[([^\]]*)\]\)
The three capture groups are the HELO name the client announced, the reverse DNS name the server looked up (often empty), and the bracketed IP literal, which is the only one of the three the client cannot choose.

Certain e-mails produce more than one match, because every mail server on the path adds its own Received header and the script reports all of them. This is a flaw in the program and needs to be corrected: a sender could add a forged Received line (none have been found in this data set) and cause a non-spam server to be marked as a spam server. The solution is to accept only the Received header written by the local, known-good mail server. That is the topmost one, since every header below it was already inside the message when the sender handed it over.
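The two approaches side by side, as an added example that is not the write-up's Perl script. It is written in Python (whose re module accepts the regex above unchanged) and applies the regex twice: once naively, reporting every Received hop as the script does, and once trusting only the hop written by a named local MTA. The message is constructed for the example: its first Received line is the one from the spam below, and the second is a forged line planted by the sender to frame 192.0.2.10, a documentation address. The hostnames mail.pickatime.com and mail.example.org, the trusted-MTA set, and the internal_ips parameter are all assumptions for the example.

```python
"""Added example: extract the sending IP from Received: headers, naively and
then trusting only the hop written by a known local MTA."""
import email
import ipaddress
import re

# The write-up's regex minus the "Received: " prefix, because we match on
# header values. Groups: HELO name, reverse-DNS name (often empty), IP literal.
FROM_RE = re.compile(r"from ([^ ]+) \(([^ ]*) ?\[([^\]]*)\]\)")
# The "by <host>" clause names the MTA that wrote the header.
BY_RE = re.compile(r"\bby ([^ (;]+)")


def received_headers(raw):
    """Return the Received: values top-down (newest hop first), unfolded."""
    msg = email.message_from_string(raw)
    return [" ".join(v.split()) for v in msg.get_all("Received", [])]


def parse_hop(value):
    """Return (helo, rdns, ip, by_host) for one Received: value, or None if the
    'from' clause carries no valid bracketed IP literal."""
    m = FROM_RE.search(value)
    if not m:
        return None
    helo, rdns, ip = m.groups()
    if ip.startswith("IPv6:"):  # some MTAs write [IPv6:2001:db8::1]
        ip = ip[5:]
    try:
        ip = str(ipaddress.ip_address(ip))
    except ValueError:
        return None  # garbage between the brackets: nothing to blacklist
    by = BY_RE.search(value)
    return helo, rdns, ip, (by.group(1).lower() if by else None)


def naive_sender_ips(raw):
    """What the write-up's script does: report every hop that matches.
    A forged Received: line the spammer planted shows up in the output."""
    return [hop[2] for hop in map(parse_hop, received_headers(raw)) if hop]


def trusted_sender_ip(raw, trusted_mtas, internal_ips=frozenset()):
    """Walk hops newest-first and stop at the first header written by one of
    our MTAs whose client is not an internal relay. Every header below the
    ones our MTAs wrote was already in the message when the client sent it."""
    trusted = {h.lower() for h in trusted_mtas}
    for value in received_headers(raw):
        by = BY_RE.search(value)
        if not by or by.group(1).lower() not in trusted:
            return None  # this header is not ours: sender-controlled territory
        hop = parse_hop(value)
        if hop is None or hop[2] in internal_ips:
            continue  # scanner or internal relay hop, keep descending
        return hop[2]
    return None


# Constructed sample (assumption): the write-up's real Received: line followed
# by a forged line the sender added to frame 192.0.2.10.
SAMPLE = """\
Received: from 85uom7uo.fe45i.ameritech.net ([200.115.206.200]) by mail.pickatime.com with Microsoft
 SMTPSVC(6.0.3790.1830);
         Fri, 25 Aug 2006 17:56:42 -0700
Received: from mail.example.org (mail.example.org [192.0.2.10])
        by 85uom7uo.fe45i.ameritech.net with ESMTP id abc123;
        Fri, 25 Aug 2006 17:50:00 -0700
From: "Rhonda Nicholas" <lauren@ringve.com>
Subject: $888 Deposit Bonus

Click Here Now!
"""

if __name__ == "__main__":
    print(naive_sender_ips(SAMPLE))                           # both IPs, one forged
    print(trusted_sender_ip(SAMPLE, {"mail.pickatime.com"}))  # only the real client
```

The trusted walk also needs an internal_ips set when mail passes through a scanner or relay inside your own network before reaching the server whose logs you keep; otherwise the first hop it reports is your own relay.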

Data

A typical spam:

Received: from localhost by ASLinWs01.altsci.com
        with SpamAssassin (version 3.1.3);
        Fri, 25 Aug 2006 18:06:17 -0700
From: "Rhonda Nicholas" <lauren@ringve.com>
To: <uucp@recordsportal.com>
Subject: $888 Deposit Bonus
Date: Fri, 25 Aug 2006 23:34:30 -0300
Message-Id: <53032102247942.F5CF32FB0E@AKQYFZ>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on
        ASLinWs01.altsci.com
X-Spam-Level: **********
X-Spam-Status: Yes, score=10.4 required=10.0 tests=RCVD_IN_XBL,SUBJ_DOLLARS
        autolearn=disabled version=3.1.3
MIME-Version: 1.0
Content-Type: multipart/mixed;
  boundary="----------=_44EF9E89.D986D298"
X-UID:
Status: R
X-Status: NPC
X-KMail-EncryptionState:
X-KMail-SignatureState:
X-KMail-MDN-Sent:

...

------------=_44EF9E89.D986D298
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Received: from 85uom7uo.fe45i.ameritech.net ([200.115.206.200]) by mail.pickatime.com with Microsoft
 SMTPSVC(6.0.3790.1830);
         Fri, 25 Aug 2006 17:56:42 -0700
Message-ID: <53032102247942.F5CF32FB0E@AKQYFZ>
From: "Rhonda Nicholas" <lauren@ringve.com>
To: <uucp@recordsportal.com>
Subject: $888 Deposit Bonus
Date: Fri, 25 Aug 2006 23:34:30 -0300
MIME-Version: 1.0
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Thread-Index: K7Xv5km5HgnpYUmghBEtoi4DyOrPMRqKL5M5
Content-Type: text/plain;
        charset="Windows-1252"
Content-Transfer-Encoding: 7bit
Return-Path: lauren@ringve.com
X-OriginalArrivalTime: 26 Aug 2006 00:56:43.0443 (UTC) FILETIME=[7F6C3030:01C6C8AA]

At Vegas Lounge Casino, we are so sure you are going to love our games
that we are giving you  up to $888.00 FREE
just for trying our Casino.
$ 888.00 FREE!
Click Here Now!
http://chelate.info.stainmayjon.com/v/v22

Output of the script:
200.115.206.200

Future

Obvious improvements can be easily made to this script:

If you are interested in developing Spam Server Analysis, feel free to e-mail me.