Collateral spam

What's new?

It is common practice for spammers to insert false originator addresses in the mail they send.
"Collateral spam" is an informal name hinting at the damage caused to innocent bystanders by this activity of the spammers. It is also called "Backscatter".

When the misrepresented domain is in ac.uk it is usually a four-component domain such as dept.college.ac.uk, and usually one which really exists. JANET and JANET organizations are having to handle a significant number of incidents, and the following advice may be useful to JANET mail system managers and others.

What happens?

Spammer sends bulk mail

A spammer launches a vast number of messages into the Internet, all with the same content and all saying that they came from you.

They will travel towards their destinations by various routes, each exploiting one of several poorly managed open relays.

You get failure reports

A good proportion of the messages will be sent to addresses which don't work. Failure reports are returned to the forged originator address, so they arrive in your domain: although it is not what is meant to happen, some of them will end up with one or more of the postmaster addresses within your organization, and those addressed to non-existent forged addresses are likely to reach postmasters too. All failure reports will have text in addition to the original message; in general you can simply count them and throw them away.

You get complaints

The rest of the messages will be delivered to real people, most of whom may be irritated but will delete them and forget about it. The ones who will do anything at all are a tiny minority, but all of them at this stage think badly of your organization and of JANET and they need customer care. Some will write aggressively, and it may be because they are frightened or hurt.

Some will try to reply to the forged address within your domain from which the message says it came. If that address doesn't work they might write to your postmaster. Some will complain to lots of addresses they hope are relevant in your organization, in the relaying domain or domains and in JANET -- there are even tools for devising such addresses (see abuse.net below).

Some will complain to their service provider; a good ISP will buffer such complaints, will deal with their customer themselves and will send you a sympathetic report. Less thorough ISPs will send complaints rather than reports.

Some people and their ISPs may report you to one or more of the spam blacklists (IMRSS, RBL etc). The RBL is beyond reproach but others may be less strict about adding new entries and you may find yourself blocked from some domains.

What can you do about it?

In the short term, nothing.
However, with a little preparation you can limit the damage to your own organization.

Write your explanation and apology in advance

One possible form of words is given later in this note. You may want to tweak it a bit in response to any particular incident or even to some individual complaints, but what you have to say is pretty much the same each time. You are sorry, but it is not your fault in any way.

Identify mail addresses to which complaints are likely to be sent

You will already have postmaster, and should have abuse; consider also addresses in your DNS SOA records (probably hostmaster) and in the RIPE database.
You might wish to publicize some particular address (perhaps abuse) close to the front of your Web pages; it could reduce traffic to the other addresses.
abuse.net is a service where you can register addresses which you wish people to use when reporting spam. If you have not registered anything, people using the service to contact you will find whatever addresses the operators have devised themselves.

Ensure that anyone who reads mail to those addresses knows what to do

Identifying this forgery is mildly technical, and you may wish to have an internal address to which your staff can forward anything about which they are not certain.
It may also be useful to advertise that address locally for the benefit of staff you hadn't thought of, and to increase general awareness of the issue.

Think carefully what you want to do with individual complaints, reports from ISPs or mail technicians who know what they're talking about, and automated bounce messages from places where the spam didn't get delivered. How will you identify these or other categories, and what priorities will you assign to each of them?
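One way to answer the "how will you identify these categories" question is to sort incident mail automatically before a person sees it. The following is an added example, not part of the original note: it uses the shape of a standard delivery status notification (multipart/report with report-type=delivery-status, or the empty return path every bounce must carry) to separate bounces from complaints, and treats mail from another site's abuse or postmaster role as a report from someone who can supply headers. The three sample messages are constructed for the example; troll.ac.uk is the note's own specimen domain and the example.* names are reserved documentation domains.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed samples, not messages from the original note. Each is the kind
# of mail that reaches postmaster@ or abuse@ after a forgery incident.
BOUNCE = """\
Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@mx.example.net>
To: sales@troll.ac.uk
Subject: Undelivered Mail Returned to Sender
Auto-Submitted: auto-replied
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

This is the mail system at host mx.example.net. Delivery failed.
--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; nobody@example.net
Action: failed
Status: 5.1.1
--B1--
"""

COMPLAINT = """\
Return-Path: <pat@example.org>
From: Pat Example <pat@example.org>
To: postmaster@troll.ac.uk
Subject: Stop sending me this rubbish
Content-Type: text/plain

Why is your college sending me adverts? I still have the message.
"""

ISP_REPORT = """\
Return-Path: <abuse@isp.example.com>
From: Abuse Desk <abuse@isp.example.com>
To: abuse@troll.ac.uk
Subject: UBE apparently from troll.ac.uk; full headers below
Content-Type: text/plain

Our customer received the message below. Its Received: lines show it was
injected at relay.example.net, not at any troll.ac.uk host.
"""

def triage(raw):
    """Return (category, action) for one message sent to a contact mailbox.

    Bounces are recognised by the RFC 1894 DSN shape, by the empty return path
    (Return-Path: <>) that bounces carry, or, for older non-DSN bounces, by a
    MAILER-DAEMON sender. Mail from another site's abuse/postmaster role is a
    report from someone who can supply headers; the rest is a complaint.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    report_type = str(msg.get_param("report-type", "")).lower()
    return_path = str(msg.get("Return-Path", "")).strip()
    auto = str(msg.get("Auto-Submitted", "no")).lower()
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    local_part = sender.partition("@")[0]

    if msg.get_content_type() == "multipart/report" and report_type == "delivery-status":
        return "bounce", "count it and discard"
    if return_path == "<>" or auto != "no" or local_part == "mailer-daemon":
        return "bounce", "count it and discard"
    if local_part in ("abuse", "postmaster", "hostmaster", "security"):
        return "report", "acknowledge; pass full headers to the incident handler"
    return "complaint", "reply with the specimen apology; keep any full headers"

def summarize(raws):
    """Count the categories across a mailbox full of incident traffic."""
    counts = {}
    for raw in raws:
        category, _ = triage(raw)
        counts[category] = counts.get(category, 0) + 1
    return counts

if __name__ == "__main__":
    for raw in (BOUNCE, COMPLAINT, ISP_REPORT):
        print(triage(raw))
    print(summarize([BOUNCE, BOUNCE, COMPLAINT, ISP_REPORT]))
```

The role-address test is a heuristic: a human postmaster at a small site may write a complaint rather than a report, so anything the script files as "report" still deserves a reader, but the bounces, which are the bulk of the traffic, can be counted and dropped without one.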

Ensure that staff likely to be involved have management and policy support

In the worst case, where several hundred thousand pornographic items have been delivered all over the world -- all with your organization's domain name on them -- you may have hundreds of complaints and threats. The work can then be intense, of high profile and distressing; and its direction may need to be from quite a high level in your organization.

Consider whether you will attempt any technical measures

In cases in which only a few addresses have been used in forgery, you may wish to set things up in the aftermath of an attack so that mail to those addresses remains under your control. If they are invented addresses, you might wish to implement them as aliases or in some similar way so that you can manage replies, complaints and bounces to them. In some cases it may be practicable to install additional and temporary MX records in the DNS for the domain or domains affected, diverting their mail to a system better able to cope with the load or more convenient for managing traffic arising from the incident.

If by chance or malice the address of a real individual is a target, you will need to offer the individual some advice and counselling. Their mail address will be useless to them at first, and possibly for some time. For a mailing list address it could be even worse.

In other cases the spammers' programs generate many different forged addresses. By chance a few of them may be real, but you will probably not be able to do much about the rest.

Note the URLs for the blacklist Web pages

You can then check whether you've ended up on them, and if necessary can get yourself off.

What can JANET do about it?

Consolidate complaints

As soon as you learn of an incident, report it to JANET Customer Service. You should send a few copies with complete headers of the spam as it appeared to its recipients (the people who are complaining to you). Some of the complaints and reports you have will include complete headers, but some will have just the From:, To: and Subject: lines -- all written by the spammers and containing very little useful information. Essential for any investigation are the Received: lines written by the recipient's mail systems and by the relay or relays used.

If you see some spam which misrepresents a JANET domain other than your own, again tell JANET. You could also report it to the affected organization directly.

You can report any spam at any time to the address spam-alert@ja.net, where it will be noted and possibly correlated with other similar reports; but to request action please contact JANET Customer Service as above.

Pursue those responsible

This is very time-consuming work involving world-wide investigation of the relays used, but it is efficient and effective for JANET to do it on your behalf, and where relevant on behalf of JANET organizations collectively. At the time of an attack you will be busy with the local aspects of the problem.

Specimen response text

The following may be a useful start.

You reported an unwanted bulk mail about <subject>[1], because it appeared to have come from an address here at This Research College[2] (troll.ac.uk)[3]. Unfortunately that address was a forgery; the mail had not come from here or through here, and our organization[2] is a victim of the abuse just as you are.

The College[2] is subject to the Acceptable Use Policy of our Internet Service Provider JANET, which forbids unsolicited bulk mailing and forgery of parts of mail messages; and we are working with JANET to identify the real origin of the mail you received.

Thank you for reporting the abuse. I am sorry you have been troubled.

Note [1] -- Make some reference to the content of the spam or its Subject:.
Note [2] -- Alter as you wish to refer to your own organization.
Note [3] -- Give your organization's domain name (normally three components).

Technicalities

"From" and "To" addresses

It is common practice for spammers to insert false originating addresses in the mail they send. Their tools supply false addresses in the SMTP MAIL FROM: protocol element, and in the From: line of the message header. The two false originator addresses are often the same; where they differ, the one which recipients see is usually what the From: header says, while the MAIL FROM: address is the one to which failure reports are returned.

Neither of the originating addresses, nor the To: header line, takes any part in the normal delivery of mail. You may think this is a serious deficiency in Internet mail -- and so it is -- but it will be with us for some time. So the spammers can forge whatever they or their scripts feel like, and it won't affect the delivery of spam.

For some time, the false addresses inserted were quite meaningless -- you probably saw Friend@public.com.
Addresses in large, global and somewhat impersonal domains then became common, such as aol.com, hotmail.com, compuserve.com or yahoo.com.
This note is prompted by an apparent trend to the use of forged addresses in domains outside the US. The domain ac.uk (broadly associated with JANET) is one, but it is not alone.

The address which matters for delivery is the one in the SMTP RCPT TO: protocol element; this address is not necessarily recorded anywhere in the delivered message. In particular, the To: header line need not match the delivery address. Where the two addresses are different, some mail systems will insert an additional header line such as Original-Recipient:; it is then not clear which address a recipient's mail program will choose to show.

Where there are lots of recipients for a message, the To: header line may list them all, but it need not. If it doesn't, it may list some of them or may contain some representative address, perhaps with a human-readable part which gives useful information (as is desirable in a mailing list).

In spam, the To: header line is usually a single fictitious address intended to mislead. There are two kinds of exception.
Some spam is delivered with hundreds of addresses in the To: header line, usually the same as the addresses to which the spam was sent.
In other cases an address is given with the same domain name as that in the recipient's address. This is not of fundamental importance, but because their own domain (and sometimes their own address) appears in the message header, naive recipients may conclude that the spammers hold personal information about them; some people find this very disturbing.

It is not clear what benefit the spammers believe they get from either of the above behaviours.

Relaying

In preparation for a bulk mailing, a spammer will assemble a list of recipient addresses and a list of open relays. Typically a list of recipients is on the same CD as the bulk mail software.

A properly configured mail system will only transfer messages which either come from clients its owner has authorized (for example, machines on its own networks) or are addressed to recipients in its own domains. A local address claimed in MAIL FROM: proves nothing, since that is exactly what spammers forge. But there are plenty of systems which do not apply such anti-relaying rules, despite the detailed advice available from MAPS and elsewhere.
In fact there are so many of these open relays that a spammer or his software can afford to use only those which also record defective trace information. A mail system is supposed to add a Received: header line to each message it handles, forming a complete record of the path by which the message travels including its real origin. Some of the open relays omit details of the previous hop in the path, and these are the ones the spammers prefer.
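The two points made above, that only the SMTP envelope (MAIL FROM:, RCPT TO:) takes part in delivery and that an anti-relaying rule has to be based on who is connecting and to whom the mail is addressed rather than on the claimed sender, can be shown with a cut-down server-side SMTP state machine. This is an added example, not code from the original note or from any particular mail system. It assumes the server is the mail exchanger for troll.ac.uk (the note's specimen domain) and that its own clients live in 192.0.2.0/24; 203.0.113.0/24 stands in for the rest of the Internet. Both prefixes are reserved documentation ranges. The scripted spammer session at the end is constructed.

```python
import ipaddress

# Assumptions, not taken from the note: local domains and the organization's
# own client network.
LOCAL_DOMAINS = {"troll.ac.uk", "dept.troll.ac.uk"}
LOCAL_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

def may_relay(client_ip, rcpt):
    """Anti-relay rule, decided per RCPT TO: accept if the connecting client is
    one of ours (outbound mail) or the recipient is in one of our domains
    (inbound mail). MAIL FROM is deliberately not consulted: it is whatever the
    client chose to claim, which is exactly what spammers forge."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in LOCAL_NETWORKS):
        return True
    return rcpt.rpartition("@")[2].lower() in LOCAL_DOMAINS

class Session:
    """Server side of one SMTP connection, reduced to the commands that matter
    for delivery. The From:/To: lines inside DATA are stored but never read."""

    def __init__(self, client_ip):
        self.client_ip = client_ip
        self.mail_from = None
        self.rcpts = []        # envelope recipients accepted so far
        self.rejected = []     # envelope recipients refused as relaying
        self.delivered = []    # (envelope sender, envelope recipient, message text)
        self.in_data = False
        self.data = []

    def handle(self, line):
        """Process one client line; return the server reply, or None inside DATA."""
        if self.in_data:
            if line == ".":
                text = "\n".join(self.data)
                for rcpt in self.rcpts:
                    self.delivered.append((self.mail_from, rcpt, text))
                self.in_data, self.data, self.rcpts = False, [], []
                return "250 OK"
            # transparency: a leading ".." on a data line encodes a single "."
            self.data.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 mx.troll.ac.uk"
        if verb == "MAIL":
            # Any claimed sender is accepted; it proves nothing about the client.
            self.mail_from = arg.partition(":")[2].strip().strip("<>")
            return "250 OK"
        if verb == "RCPT":
            rcpt = arg.partition(":")[2].strip().strip("<>")
            if may_relay(self.client_ip, rcpt):
                self.rcpts.append(rcpt)
                return "250 OK"
            self.rejected.append(rcpt)
            return "550 relaying denied"
        if verb == "DATA":
            if not self.rcpts:
                return "503 no valid recipients"
            self.in_data = True
            return "354 end data with ."
        if verb == "QUIT":
            return "221 closing"
        return "500 command unrecognised"

def run(client_ip, lines):
    """Feed a scripted client side through a Session; return it and the replies."""
    session = Session(client_ip)
    replies = [r for r in (session.handle(l) for l in lines) if r is not None]
    return session, replies

# Constructed spammer session: forged local MAIL FROM, one outside recipient
# (an attempted relay), one local recipient, and header lines that disagree
# with the envelope.
SPAM_SESSION = [
    "HELO bulkmailer.example",
    "MAIL FROM:<sales@troll.ac.uk>",
    "RCPT TO:<victim@example.org>",
    "RCPT TO:<pat@dept.troll.ac.uk>",
    "DATA",
    "From: sales@troll.ac.uk",
    "To: friend@public.com",
    "Subject: Make money fast",
    "",
    "Buy now.",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    session, replies = run("203.0.113.9", SPAM_SESSION)
    for reply in replies:
        print(reply)
    print("delivered to:", [d[1] for d in session.delivered])
    print("refused to relay to:", session.rejected)
```

Run from an outside address, the forged local MAIL FROM: buys the spammer nothing: the recipient at example.org is refused with 550, while the local recipient is accepted, and the To: line naming friend@public.com has no effect on where the message goes. Note what the rule does not do: it stops your system being used as a relay, but it still accepts spam addressed to your own users, which is the correct behaviour for an inbound exchanger.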

The bulk mail software carries out a simple scan of IP addresses to find as many open and defective relays as it wants. Typically they are scattered all round the world, although relays outside the US are preferred. It is then only possible to find the source of the spam by asking the owners of the relays to examine log records. The response rate for such requests is very low.

Most bulk mailings start on Friday evenings, rapidly submitting large batches of recipient addresses to many open relays simultaneously. The relays may be fully occupied delivering the spam all through the weekend and beyond.
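The "Consolidate complaints" section says the Received: lines are what an investigation needs, and the paragraphs above explain why: each host prepends one, so read from the bottom up they trace the path back towards the origin, unless a defective relay wrote a line saying only that it handled the message and not where it got it. The following added example (not from the original note) walks a header block in that order and reports either the recorded origin or the relay whose operator has to be asked for logs. The two header samples are constructed: example.org is the complainant's site, relay.example.net the abused relay, and the addresses are from reserved documentation ranges.

```python
import re

# Constructed headers, most recent Received: line first, as delivered.
# Sample 1: the relay's own line has a "by" clause but no "from" clause.
RAW_HEADERS = """\
Received: from relay.example.net ([198.51.100.23])
\tby mx.example.org (8.9.3/8.9.3) with SMTP id UAA04567
\tfor <pat@example.org>; Fri, 5 Mar 1999 20:14:02 GMT
Received: by relay.example.net (8.8.5/8.8.5) id UAA12345;
\tFri, 5 Mar 1999 19:10:41 GMT
From: sales@troll.ac.uk
To: friend@public.com
Subject: Make money fast
"""

# Sample 2: the same relay, but recording the previous hop properly.
GOOD_HEADERS = """\
Received: from relay.example.net ([198.51.100.23])
\tby mx.example.org (8.9.3/8.9.3) with SMTP id UAA04568; Fri, 5 Mar 1999 20:15:00 GMT
Received: from dialup42.example (dialup42.isp.example [203.0.113.42])
\tby relay.example.net (8.8.5/8.8.5) id UAA12346; Fri, 5 Mar 1999 19:11:00 GMT
"""

FROM_RE = re.compile(r"^from\s+(?P<helo>\S+)\s*(?:\((?P<paren>[^)]*)\))?.*?\bby\s+(?P<by>\S+)",
                     re.I | re.S)
BY_RE = re.compile(r"^by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def unfold(raw):
    """Join RFC 822 continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def received_values(raw):
    return [l.split(":", 1)[1].strip() for l in unfold(raw)
            if l.lower().startswith("received:")]

def parse_hop(value):
    """One Received: line -> who handed the message over and who wrote the line.
    A line with a 'by' clause but no 'from' clause is the defective trace the
    note describes: the relay says it handled the message, not where from."""
    m = FROM_RE.match(value)
    if m:
        ip = IP_RE.search(m.group("paren") or "")
        return {"from": m.group("helo"), "from_ip": ip.group(1) if ip else None,
                "by": m.group("by"), "defective": False}
    m = BY_RE.match(value)
    return {"from": None, "from_ip": None,
            "by": m.group("by") if m else None, "defective": True}

def trace(raw):
    """Hops in transmission order: the last Received: line is the first hop.
    Only lines written by hosts you trust (the recipient's own systems and the
    hops below them that they vouch for) are reliable; anything the spammer
    supplied in DATA, below the relay's line, could be invented."""
    return [parse_hop(v) for v in reversed(received_values(raw))]

def origin(raw):
    """Either the recorded origin address, or the host whose logs must be asked."""
    hops = trace(raw)
    if not hops:
        return "unknown", None
    for hop in hops:
        if hop["defective"]:
            return "ask", hop["by"]
    first = hops[0]
    return "recorded", first["from_ip"] or first["from"]

if __name__ == "__main__":
    for sample in (RAW_HEADERS, GOOD_HEADERS):
        for i, hop in enumerate(trace(sample), 1):
            print(i, hop)
        print(origin(sample))
```

For the first sample the answer is ("ask", "relay.example.net"): the only way to go further back is the relay operator's log, which is the slow, low-yield step the text describes. For the second, the relay recorded 203.0.113.42 and the investigation can proceed without them.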

Why do they do it?

Spammers know when sending mail indiscriminately and in bulk, often with content of limited interest, that many of their recipients will seek to complain or to retaliate. It is hardly surprising that they exploit weaknesses of Internet mail to ensure that such complaints will never reach them.
(Note that any retaliation is almost certain to be outside Acceptable Use for JANET organizations.)

It is less clear what benefit there is to a spammer if the complaints all reach some innocent party rather than failing at arbitrary places in the Internet. One possibility is that because most spammers operate from the US, organizations which they upset in this way and which are also under US jurisdiction would have strong and proceedable legal cases against them. They may think that selecting addresses to forge (and relays to abuse) which are certain to be outside the US reduces that risk.