Spam Origins

by Ed Sawicki
Accelerated Learning Center
Tailored Computers

June 14, 2005

In this article, Ed Sawicki presents compelling evidence that most spam originates from hacked Windows desktop computers. See the end of the article for an offer to test newer spam suppression techniques for free.

A few years ago, many people embraced email content filtering (Bayesian filtering specifically) as the best way to suppress spam. At the time, I cautioned that there would be two problems with content filtering:

  1. The spammers would be able to overcome this obstacle and consume more Internet bandwidth in the process.
  2. Concern over white mail being tagged as spam (false positives) would force people to examine their spam folders anyway.

Both of these things became true. Many spammers overcame content filtering with techniques like adding text to their messages designed to raise the message's "score" so the content filter would accept it. Other spammers put their message in a graphic image that the filters can't read. If you bought into spam suppression software or services that were based on content filtering, chances are good that it's not working as well now as it did a few years ago.

Most content filtering e-mail systems are set up so the filter tags messages as spam and they are placed in a spam folder for each user. I don't know anyone who doesn't look through their spam folder periodically to see if legitimate messages were erroneously tagged as spam. That's the point of the spam folders - content filtering is fallible. If you have to look at all received messages anyway, what's the point of content filtering? It doesn't turn spam away. It just marks it as spam so it can be handled differently.


I don't know anyone who doesn't look through their spam folder periodically to see if legitimate messages were erroneously tagged as spam.


Except for certain limited practical applications, content filtering is not the way to go for general spam suppression. The best solution always has been to attack the problem at the protocol level. The SMTP protocol that Internet email is based on was never designed for hostile environments. But there's great resistance to replacing it for many reasons. Any serious replacement will almost certainly involve cryptography and this industry seems to be cryptophobic. Until that changes, we need more effective spam suppression solutions for SMTP.

Designing a spam suppression strategy for SMTP is greatly aided by knowing where spam comes from. We'd use different techniques if most spam were coming from ISP mail servers than if it came from hacked Windows boxes. So, where does most spam come from these days?

To answer that question, I've been monitoring my mail server logs for the past few months. Whenever I receive spam, I first determine what part of the world the spam is coming from. I might want to filter based on geography using my GeoBL (pronounced geo bee ul - my term) black list. Then I do a limited port scan on the sender's IP address to determine whether this is a server or desktop and what operating system it's running. The vast majority of spam senders run Windows and the vast majority of those seem to be desktop computers.

A little more than half of all computers I scanned responded similar to this:

PORT     STATE    SERVICE      VERSION
25/tcp   filtered smtp
80/tcp   filtered http
135/tcp  filtered msrpc
136/tcp  filtered profile
137/tcp  filtered netbios-ns
138/tcp  filtered netbios-dgm
139/tcp  open     netbios-ssn
445/tcp  open     microsoft-ds
1025/tcp open     msrpc        Microsoft Windows msrpc
5000/tcp open     upnp         Microsoft Windows UPnP
5101/tcp open     admdog
Device type: general purpose
Running: Microsoft Windows 95/98/ME|NT/2K/XP
OS details: Microsoft Windows Millennium Edition (Me),
 Windows 2000 Professional or Advanced Server, or
 Windows XP, Microsoft Windows XP SP1

Hacked Windows desktops. Admins of Windows servers would never expose the NetBIOS and UPnP ports to the world - would they?

Most of the remainder of the machines scanned were also Windows computers but different ports were open and filtered. Many of these were hacked Windows desktops as well but were running some sort of firewall - that clearly didn't protect the computer from a successful attack.

Some of the spam comes from Linux computers as well, though a very small percentage. Here's an example:

PORT    STATE    SERVICE
21/tcp  open     ftp
23/tcp  open     telnet
25/tcp  open     smtp
80/tcp  open     http
109/tcp open     pop2
110/tcp open     pop3
Device type: general purpose
Running: Linux 2.0.X
OS details: Linux 2.0.34-38

An ancient Linux system with the telnet and pop ports open to the world. Probably hacked. Probably no administrator.

The vast majority of spam comes from hacked Windows desktop computers. This is good news from the spam suppression point of view. We can distinguish most of them from well-administered servers. We can write software to block email messages from them.


The vast majority of spam comes from hacked Windows desktop computers.


Some of the software exists already. Greylisting is a technique that turns away spam when the sender doesn't follow SMTP rules. Spammers that have hacked Windows desktops run software on them that's designed to send millions of messages at a time. If one of those messages can't be delivered, it is skipped over. Greylisting tells the sender it is busy and to come back later. The spammer's software doesn't come back later and the spam is never received. It's an effective technique for now. To counter this, spammers will need to write more sophisticated code and consume more of the victim computer's resources. Users may notice.
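The greylisting behaviour described above, as an added example that is not part of the original article or of the author's eScrubber service. It keys on the (client IP, envelope sender, envelope recipient) triplet; the delay and expiry values are assumptions chosen for the example.

```python
import time
from dataclasses import dataclass, field

# Policy values below are assumptions for this example, not from the article.
GREYLIST_DELAY = 300          # seconds a new triplet must wait before acceptance
PENDING_TTL = 4 * 3600        # unretried triplets are forgotten after this long
KNOWN_TTL = 30 * 24 * 3600    # triplets that passed stay remembered this long

@dataclass
class Greylist:
    """Greylisting keyed on (client IP, envelope sender, envelope recipient).
    First sight gets a 450 temporary failure; a real MTA queues and retries,
    and a retry after GREYLIST_DELAY is accepted and remembered. A bulk-mailing
    bot that skips undeliverable messages never retries, so nothing arrives."""
    pending: dict = field(default_factory=dict)   # triplet -> first-seen time
    known: dict = field(default_factory=dict)     # triplet -> last-accepted time

    def check(self, client_ip, mail_from, rcpt_to, now=None):
        """Return the SMTP reply (code, text) to give at RCPT TO."""
        now = time.time() if now is None else now
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        self._expire(now)
        if key in self.known:
            self.known[key] = now
            return 250, "OK"
        first_seen = self.pending.get(key)
        if first_seen is None:
            self.pending[key] = now
            return 450, "Greylisted, try again later"
        if now - first_seen < GREYLIST_DELAY:
            return 450, "Greylisted, try again later"   # retried too soon
        del self.pending[key]                           # proper retry: accept
        self.known[key] = now
        return 250, "OK"

    def _expire(self, now):
        self.pending = {k: t for k, t in self.pending.items() if now - t <= PENDING_TTL}
        self.known = {k: t for k, t in self.known.items() if now - t <= KNOWN_TTL}

def simulate():
    """Constructed scenario: a real MTA retries after 15 min; a bot never does."""
    g = Greylist()
    mta = ("198.51.100.7", "alice@example.org", "ed@example.net")
    bot = ("203.0.113.9", "rnd123@example.com", "ed@example.net")
    first = (g.check(*mta, now=0)[0], g.check(*bot, now=0)[0])   # both deferred
    retry = g.check(*mta, now=900)[0]     # real MTA comes back -> accepted
    later = g.check(*mta, now=1000)[0]    # now known -> accepted at once
    return {"first": first, "mta_retry": retry, "mta_later": later,
            "bot_delivered": bot in g.known}
```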

What do we do when spammers get around greylisting? I think we move on to profiling - determining what the sender is - as I did with my limited port scanning but in an automated way. To counter that, spammers will have to block the victim computer ports from being scanned - essentially firewalling the computer. I think we're a few years away from that point but what happens when we reach it - when there's no longer an effective way to distinguish spam from legitimate mail?
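The automated profiling step proposed above, as an added example that is not from the article: it parses scan output in the format shown earlier (abridged copies of the article's two samples are embedded) and classifies the sending host for a mail policy decision. The heuristics (exposed NetBIOS/SMB/UPnP ports mark a desktop, an open SMTP port marks a mail host) are this example's assumptions.

```python
import re

# Abridged copies of the article's two scan results (port table plus the
# "Running:" line), embedded so the classifier runs offline.
WINDOWS_SAMPLE = """\
PORT     STATE    SERVICE      VERSION
25/tcp   filtered smtp
80/tcp   filtered http
135/tcp  filtered msrpc
139/tcp  open     netbios-ssn
445/tcp  open     microsoft-ds
1025/tcp open     msrpc        Microsoft Windows msrpc
5000/tcp open     upnp         Microsoft Windows UPnP
Running: Microsoft Windows 95/98/ME|NT/2K/XP
"""
LINUX_SAMPLE = """\
PORT    STATE    SERVICE
21/tcp  open     ftp
23/tcp  open     telnet
25/tcp  open     smtp
110/tcp open     pop3
Running: Linux 2.0.X
"""

# Heuristics are assumptions of this example: file-sharing/UPnP ports open to
# the Internet mark a consumer desktop; an open SMTP port marks a mail host.
DESKTOP_PORTS = {139, 445, 5000}
PORT_LINE = re.compile(r"^(\d+)/tcp\s+(open|filtered|closed)\s+(\S+)")

def parse_scan(text):
    """Return ({port: state}, os_guess) from nmap-style text output."""
    ports, os_guess = {}, ""
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports[int(m.group(1))] = m.group(2)
        elif line.startswith("Running:"):
            os_guess = line.split(":", 1)[1].strip()
    return ports, os_guess

def profile_sender(text):
    """Classify a sending host so mail policy can treat it accordingly."""
    ports, os_guess = parse_scan(text)
    open_ports = {p for p, s in ports.items() if s == "open"}
    if "Windows" in os_guess and open_ports & DESKTOP_PORTS:
        return "windows-desktop"   # candidate for rejection
    if 25 in open_ports:
        return "smtp-host"         # runs a mail service; profile alone is not enough to block
    if not open_ports:
        return "firewalled"        # nothing to profile; fall back to greylisting
    return "unknown"
```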

At some point we're going to have to abandon SMTP - at least as we know it today.

An Offer

If you'd like to see how effective spam suppression techniques like greylisting are, contact me for a 2-week trial of my eScrubber service - ed@alcpress.com or 503-635-6370. It requires no change to your desktops or servers.
