August 17, 2006, 12:37 PM — Ask any Internet user what they hate most about being online and you will usually hear an earful about spam. Spam is considered by many to be the scourge of the Internet. It is certainly a costly problem, both in time and in the costs organizations expend to fight it.
Personally, I spent some time the last few weeks looking at spam and learning about how it is created and how it spreads. What I found was a very interesting and clever process that would-be spammers use to identify targets.
Spam is primarily spread in four ways:
The first, and least common, is spammers that obtain temporary legal and real accounts with ISPs. This is less common because most ISPs quickly shut down these accounts. There are a few ISPs that turn a blind eye, but they are likely already known and blacklisted.
The second method used to send spam is through compromised hosts, usually workstations and home computers on high-speed connections such as DSL or cable modems. These systems are usually compromised and have become part of large networks of zombie systems called bot-nets. The owners of these bot-nets then either use them to send spam or rent them to spammers who use them to send spam. In my research, the cost to send spam through these bot-nets was very cheap - usually only a few dollars per ten thousand addresses.
The third way spam is spread is using web forms. This is an aging strategy, but remains viable. The spammers scan the Internet for vulnerable web forms, then use them to send their spam. This is much less common than before as many organizations have learned this trick and hardened their forms. I tested this by placing a form that seemed vulnerable online. It took about 96 hours for it to be found and once they identified it, spammers began trying to abuse it within one hour. The attempts continued until I removed it. This suggests that the spammer community maintains a database or list of vulnerable forms. They appear to have a level of coordination and communication.
The last, and most common method that spammers use is via open relays. Using HoneyPoint Security Server, a managed honeypot tool my company recently released, I stood up several fake mail systems and exposed them to the Internet. Several things amazed me. First, I was amazed that on average it took less than an hour for the "mail server" to be identified by spammers. Continuous scans for open mail systems are ongoing in most IP blocks. The spammers are very persistent. They are also very clever. They know that people use fake mail systems to track them, so they have implemented subtle checks into their scanning tools to catch fake mail servers. They do this by using less common commands from the RFC and using commands in improper order to test how the system responds. Until I implemented a fully RFC-compliant mail honeypoint, they were able to quickly identify the server as bad. They would then terminate their activity. However, once I deployed a honeypoint that allowed RFC compliance, they quickly tried to adopt it for their use.
From this process I learned that they were doing much more server analysis than I expected before they dump their spam. I also learned that they do a multi-step approach. They scan the server for proper RFC compliance, and then they send a test message to a disposable address. Only after these are complete did they adopt the tool to dump their spam. This is much more cautious than I expected them to be.
I hope this helps you understand a little bit more about spam and how it is sent. Preventing it from originating on your systems requires ongoing assessments for the issues that lead to compromise, bot-nets and bad form and mail deployments. Given the caution and coordination spammers are now using to perform their deeds, it is highly unlikely that the problem is going to be solved any time soon.
