Monday, April 24, 2006

Spam Message April 24th, 2006

Unlike most people, I receive very little spam: I am careful about where my email address is listed, so virtually nothing gets through. Today, however, I received one. Let's talk about it. My comments follow the relevant header lines, prefixed with //.

Header Information:

Return-Path: <willico_60_2000@hotmail.com>
// Telltale sign that this is spam. A Hotmail account is a perfect way to mask your true identity, and therefore counts negatively towards the spam score.
Delivered-To: ryan@27196.27732
Received: (qmail 24192 invoked by uid 78); 24 Apr 2006 09:45:32 -0000
Received: from unknown (HELO ns-mr11.netsolmail.com) (205.178.149.7) by 10.49.37.11 with SMTP; 24 Apr 2006 09:45:32 -0000
Received: from hotmail.com (bay23-f10.bay23.hotmail.com [64.4.22.60]) by ns-mr11.netsolmail.com (8.13.6/8.13.6) with ESMTP id k3O9jWLk008495 for <--------->; Mon, 24 Apr 2006 05:45:32 -0400
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Mon, 24 Apr 2006 02:45:00 -0700
Message-ID: <BAY23-F104315454E70A409B46FB9B0BE0@phx.gbl>
Received: from 196.2.124.252 by by23fd.bay23.hotmail.msn.com with HTTP; Mon, 24 Apr 2006 09:44:48 GMT
// But wait, could it be? Is this a Hotmail server?
X-Originating-IP: [196.2.124.252]
X-Originating-Email: [willico_60_2000@hotmail.com]
X-Sender: willico_60_2000@hotmail.com
From: "willico willi" <willico_60_2000@hotmail.com>
Bcc:
Subject: urgent plea for assistance
// It sounds urgent! Most people don't urgently plead, but we'll let that slide.
Date: Mon, 24 Apr 2006 09:44:48 +0000
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
X-OriginalArrivalTime: 24 Apr 2006 09:45:00.0737 (UTC) FILETIME=[C1426B10:01C66783]
...
// This is starting to look like every other piece of Nigerian spam I've received.

Well, without investigating further into whether Hotmail records your IP address when you send email through its web interface, I can't say whether this message actually went through Hotmail's servers or whether the headers were forged.

The IP address 196.2.124.252 does not appear to be a Hotmail IP, so if Hotmail does not record the sender's IP address, then this header was definitely forged.

However, if Hotmail does record the sender's IP address, then the sender could be some guy in South Africa sending out email through Hotmail.

Regardless of what happened here, this emphasizes the importance of having technology in place to detect these guys before the spam reaches the inbox. Reactive technology that can identify this crap and then delete every message previously sent out by the same spammer would also be helpful. Something I think is great about the new landscape of email is that messages do not need to be identified as spam right away. Some email is hard to classify immediately, so taking reactive measures once the spammer has been identified would mitigate the problem.

Of course, some email programs are real-time, so reactive decisions will not work for them, but for ISPs that store the mail in the same place as the anti-spam software (i.e. AOL, Hotmail, Yahoo, Gmail, etc.) this will eventually be possible. It could help in the fight against spam, and only server-side email hosting solutions will be able to provide this service (unless an add-on is created for Outlook and similar clients).

This is probably a very arduous request, however, because of the sheer volume of email that large mail servers receive. I think there is a middle ground somewhere; we will just have to think, as an anti-spam community, about where that middle ground lies technologically. Maybe alternative approaches would be effective? I'd be interested to hear anyone's comments on this important issue.

body here....

1 comment:

Rip The Spam said...

Your analysis looks good. Can you please provide more details on how we can use it as an email filter in Outlook or Gmail? Are there settings that can make the spam features you pointed out distinguishable to a spam filter? I understood we can use the hotmail account in a filter, but how do we analyze things like "Received: from 196.2.124.252 by by23fd.bay23.hotmail.msn.com"?
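Added example (not part of the original post or the comment above) that walks the Received chain the post annotates and answers the commenter's question about reading the "Received: from 196.2.124.252 by by23fd.bay23.hotmail.msn.com" line. It parses the header block into hops, oldest first, reports the address the message was submitted from, turns the post's three observations (free webmail sender, "urgent" subject, webmail submission from a client address worth looking up) into flags, and shows the reactive step the post asks for: matching earlier stored messages against a client IP once one message has been identified. The header text is the post's, with the inline commentary stripped; the second message, the IP regex, the free-webmail list and all function names are constructed assumptions. Whether a given provider reliably records the submitting client's address in that first hop is, as the post says, something to check for that provider.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the header block quoted in the post, with the author's
# inline commentary stripped so that it parses as plain RFC 2822 headers.
RAW_HEADERS = """\
Return-Path: <willico_60_2000@hotmail.com>
Received: (qmail 24192 invoked by uid 78); 24 Apr 2006 09:45:32 -0000
Received: from unknown (HELO ns-mr11.netsolmail.com) (205.178.149.7) by 10.49.37.11 with SMTP; 24 Apr 2006 09:45:32 -0000
Received: from hotmail.com (bay23-f10.bay23.hotmail.com [64.4.22.60]) by ns-mr11.netsolmail.com (8.13.6/8.13.6) with ESMTP id k3O9jWLk008495 for <--------->; Mon, 24 Apr 2006 05:45:32 -0400
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Mon, 24 Apr 2006 02:45:00 -0700
Message-ID: <BAY23-F104315454E70A409B46FB9B0BE0@phx.gbl>
Received: from 196.2.124.252 by by23fd.bay23.hotmail.msn.com with HTTP; Mon, 24 Apr 2006 09:44:48 GMT
X-Originating-IP: [196.2.124.252]
From: "willico willi" <willico_60_2000@hotmail.com>
Subject: urgent plea for assistance
Date: Mon, 24 Apr 2006 09:44:48 +0000

"""

# Constructed: an unrelated message from a different client address (TEST-NET
# range), used to show the retroactive match skipping messages that do not
# share the flagged submitting IP.
OTHER_MESSAGE = """\
Received: from 192.0.2.10 by by23fd.bay23.hotmail.msn.com with HTTP; Mon, 24 Apr 2006 10:00:00 GMT
X-Originating-IP: [192.0.2.10]
From: "someone else" <someone@hotmail.com>
Subject: lunch

"""

# "from X by Y with Z" is the clause shape a relay writes into Received. The
# qmail local-delivery line ("(qmail ... invoked by uid ...)") does not follow
# it and is reported as unparsed rather than guessed at.
HOP_RE = re.compile(
    r"from\s+(?P<src>.+?)\s+by\s+(?P<by>\S+)"
    r"(?:.*?\bwith\s+(?P<proto>[^;]*?)(?=\s+id\b|\s+for\b|;|$))?",
    re.IGNORECASE | re.DOTALL,
)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")  # assumption: IPv4 only
FREE_WEBMAIL = {"hotmail.com", "yahoo.com", "gmail.com", "aol.com"}  # assumption


def parse_hop(value):
    """Return a dict for one Received header, or None if it is not from/by shaped."""
    m = HOP_RE.search(" ".join(value.split()))  # unfold any continuation lines
    if not m:
        return None
    src = m.group("src")
    ips = IP_RE.findall(src)
    return {
        "src": src,
        "src_ip": ips[0] if ips else None,  # first address in the "from" part
        "by": m.group("by"),
        "proto": (m.group("proto") or "").strip() or None,
    }


def trace(raw):
    """Each relay prepends its Received header, so the last one in the block is
    the first hop. Return hops oldest first (None for unparsed lines)."""
    msg = message_from_string(raw)
    return [parse_hop(v) for v in reversed(msg.get_all("Received") or [])]


def submitting_client(raw):
    """The earliest hop carrying a source IP is where the message entered the
    mail system; for webmail that is the 'with HTTP' hop. Returns that address
    together with the one in X-Originating-IP so the two can be compared."""
    msg = message_from_string(raw)
    hop_ip = next((h["src_ip"] for h in trace(raw) if h and h["src_ip"]), None)
    m = IP_RE.search(msg.get("X-Originating-IP", ""))
    return hop_ip, (m.group(1) if m else None)


def spam_indicators(raw):
    """The post's reasoning as a list of flags a filter could score on."""
    msg = message_from_string(raw)
    flags = []
    _, sender = parseaddr(msg.get("From", ""))
    if sender.rpartition("@")[2].lower() in FREE_WEBMAIL:
        flags.append("sender uses a free webmail account")
    if "urgent" in (msg.get("Subject") or "").lower():
        flags.append("subject claims urgency")
    first = next((h for h in trace(raw) if h), None)
    if first and first["src_ip"] and (first["proto"] or "").upper() == "HTTP":
        flags.append(f"submitted through webmail from {first['src_ip']}; that "
                     "client address, not the provider's relays, locates the sender")
    hop_ip, header_ip = submitting_client(raw)
    if hop_ip and header_ip and hop_ip != header_ip:
        flags.append("X-Originating-IP disagrees with the first Received hop")
    return flags


def retroactive_matches(mailbox, flagged_ip):
    """The reactive step the post asks for: once one message is identified as
    spam, find stored messages submitted from the same client address so they
    can be quarantined too. Returns their indexes in the mailbox."""
    return [i for i, raw in enumerate(mailbox)
            if submitting_client(raw)[0] == flagged_ip]


if __name__ == "__main__":
    for n, hop in enumerate(trace(RAW_HEADERS), 1):
        print(n, hop if hop else "unparsed (local delivery line)")
    print("submitting client:", submitting_client(RAW_HEADERS))
    for flag in spam_indicators(RAW_HEADERS):
        print("-", flag)
    print("retroactive matches:",
          retroactive_matches([OTHER_MESSAGE, RAW_HEADERS], "196.2.124.252"))
```

Reading the chain oldest first is the whole trick: the hops through bay23.hotmail.com and netsolmail.com are the provider's and the recipient's own relays, so the only address that says anything about the sender is the one in the earliest hop, which here agrees with X-Originating-IP. A mismatch between those two, or a first hop that is missing altogether, is itself worth a flag.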