Here's the bag of tricks that many spammers are using to keep you from
finding out who really sent you the spam:
1. The obvious - find an open e-mail relay, and use it for "e-mail
laundering". Forge the e-mail headers, and the e-mail becomes untraceable:
all you see is the IP of the open relay, and below that whatever Received
headers the spammer wants you to see. The "From" header is always forged,
so complaining to the ISP behind the "From" address is pointless. The most
you can do is complain to the company that owns the open relay, and
hopefully they will close it. Unfortunately, new mail servers appear on the
net every day, and many IT "professionals" setting up these systems are just
not aware of the open relay problem. There are many web pages whose sole
purpose is finding and listing these open relays.
2. Include a "relay" URL in the spam for potential customers. This URL is
typically a "throwaway" account opened on one of the many free webpage
services (tripod, geocities, angelfire, etc.) with false credentials. The
spammer only expects this URL to exist for a day or two, as the provider
will quickly terminate the page once complaints start coming in. The URL
typically points to a file or page that will redirect the customer to the
true page.
3. There are some businesses that are specifically set up to relay URLs for
spammers. One of these is 1freesite.net (G Stubberfield Enterprises).
Spammers hire the business to set up a relay page on their server, so they
can include this page in their e-mails.
4. Obfuscate the URL in an attempt to make it untraceable. Do you know
that an IP address can be expressed as a single decimal number? Browsers
will accept this number and translate it into a valid IP address.
Percent-encoding the URL is another trick: browsers will convert a percent
sign followed by two hex digits into the character with that code. The URL
specification also allows a username and password in a URL, and this can be
used to mislead. For instance, the URL
http://www.webservice.com:www.server.com@192.168.10.10/spampage.html seems
to point to "webservice.com", but the piece of the URL before the second
colon is really the "username", the piece between that colon and the at
sign is the "password", and the real web server is the IP after the at
sign! Most web servers simply ignore the username and password if they
don't need them. These techniques can be combined to make a URL really hard
for a person to decode.
5. Compose the relay webpage in JavaScript. Encrypt or encode the "real"
web page and any URLs, and have a JavaScript function decode them when the
page loads.
6. Ask customers to respond to the message. Include a valid "Reply-To"
header that is different from the "From" header. The e-mail client will
recognize this and send any responses to the "Reply-To" address. The e-mail
account set up to receive these messages is usually a "throwaway" address
set up on a free mail service with false credentials.
7. Include an unlisted phone number, which is protected by the telephone
company and is untraceable.
8. Include an executable at the URL enclosed in the message. This
executable is typically compressed (packed) so that its strings cannot be
read with a binary file editor. The executable then forwards the customer's
computer to the business's true URL. Anybody who opens this executable file
is too ignorant to know any better.
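The URL tricks in item 4 can be undone mechanically. The following is an added example, not code from the RISKS post: it takes URLs written with a decoy "username:password", a whole-address decimal or hex host, dotted octal octets, or percent-encoded characters, and reports the host a browser will actually contact. The sample URLs are constructed; only 192.168.10.10 and the www.webservice.com/www.server.com decoy come from the post's own example. It goes slightly beyond the text by also handling the 2- and 3-part numeric forms that inet_aton (and hence browsers) accept.

```python
"""Undo the URL spellings from item 4 to find the host a browser really contacts."""
import ipaddress
from urllib.parse import urlsplit, unquote

# Constructed samples: every one of them resolves to 192.168.10.10.
SAMPLES = [
    "http://www.webservice.com:www.server.com@192.168.10.10/spampage.html",  # decoy userinfo
    "http://3232238090/spampage.html",                # whole address as one decimal number
    "http://0xC0A80A0A/spampage.html",                # same address as one hex number
    "http://0300.0250.012.012/spampage.html",         # dotted octal octets
    "http://www.webservice.com@%33%32%33%32%32%33%38%30%39%30/%73pampage.html",  # percent-encoded
]


def _number(part):
    """Parse one host component the way inet_aton does: 0x.. hex, 0.. octal, else decimal."""
    low = part.lower()
    if low.startswith("0x"):
        return int(low[2:], 16)
    if len(low) > 1 and low.startswith("0"):
        return int(low, 8)
    return int(low, 10)


def normalize_host(host):
    """Return the dotted-quad form of any numeric IPv4 spelling a browser accepts.

    inet_aton rules: 1 part = 32-bit value, 2 parts = 8+24 bits,
    3 parts = 8+8+16 bits, 4 parts = one byte each.
    Names that are not numeric are returned lowercased and otherwise unchanged.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return host.lower()
    try:
        value = 0
        for i, part in enumerate(parts):
            bits = 8 if i < len(parts) - 1 else 8 * (4 - i)  # last part fills the rest
            n = _number(part)
            if not 0 <= n < (1 << bits):
                raise ValueError(part)
            value = (value << bits) | n
        return str(ipaddress.IPv4Address(value))
    except ValueError:
        return host.lower()


def decode_url(url):
    """Split an obfuscated URL into the decoy the reader sees and the real destination."""
    parts = urlsplit(url)
    # The authority is split on the LAST '@' before any percent-decoding; that is
    # the browser's rule, and it is what makes the username:password trick work.
    userinfo, _, hostport = parts.netloc.rpartition("@")
    host, _, port = hostport.partition(":")
    return {
        "decoy": unquote(userinfo),             # "username:password" text meant to mislead
        "host": normalize_host(unquote(host)),  # where the request really goes
        "port": int(port) if port.isdigit() else {"http": 80, "https": 443}.get(parts.scheme),
        "path": unquote(parts.path) or "/",
    }


if __name__ == "__main__":
    for url in SAMPLES:
        info = decode_url(url)
        print(f"{url}\n    decoy: {info['decoy']!r}  real target: "
              f"{info['host']}:{info['port']}{info['path']}")
```

Note that `urllib.parse` does none of this numeric normalization itself, which is why `normalize_host` exists. Current browsers either strip the username:password part from the address bar or prompt before using it, so the decoy trick is far less effective today than when this was written, but the numeric host spellings are still accepted unchanged.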
All of these methods, except for the telephone number and the reply-to
address, are completely reversible to expose the company behind the e-mail.
If the computer can get to the final page, then so can the person operating
the computer, given enough knowledge of the technology involved. There is
one particularly nasty spammer, hosted at sexmansion.com and web69.com, that
includes a doubly-compressed executable in the page that they set up on a
"throwaway" site. Their extremely explicit e-mailings point to this
executable's URL. The executable is a dialer application that redirects
the user's modem to an offshore telephone number and sends their browser to
one of the above mentioned domains; the call then appears as a charge on the
user's telephone bill. This business was rather clever with the obfuscating
technology used to hide their presence, but the same technology can be used
to unravel the obfuscation and find the business behind it. ["Greg Searle" via risks-digest Volume 21, Issue 72]
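The open-relay laundering in item 1 and the Reply-To trick in item 6 can be unravelled to the same extent the post describes: the Received headers are trustworthy only as far down as the chain of "by"/"from" hosts stays consistent, and everything below the first break was already in the message when the relay got it, so the spammer wrote it. The following is an added example, not code from the RISKS post. The message is constructed (hosts under example domains, addresses from documentation ranges); the topmost Received line is written by our own MX, the second by the open relay, and the third is forged.

```python
"""Walk the Received: chain of a message that came in through an open relay."""
import email
import re
from email.utils import parseaddr

# Constructed sample message (not real spam). Line 1: written by our MX.
# Line 2: written by the open relay, naming the client that fed it.
# Line 3: forged by the sender to point the blame at bigisp.example.
SAMPLE_MESSAGE = """\
Received: from relay.example.net (relay.example.net [203.0.113.45])
    by mx.victim.example (Postfix) with ESMTP id 1A2B3C
    for <you@victim.example>; Mon, 1 Jan 2001 10:00:05 +0000
Received: from pool-99.dsl.example ([192.0.2.99])
    by relay.example.net (8.9.3/8.9.3) with SMTP id JAA12345
    for <you@victim.example>; Mon, 1 Jan 2001 09:59:40 +0000
Received: from mail.bigisp.example (mail.bigisp.example [198.51.100.7])
    by smtp.bigisp.example with ESMTP id 777
    for <you@victim.example>; Mon, 1 Jan 2001 09:58:00 +0000
From: "Great Offer" <offers@bigisp.example>
Reply-To: drop-box-4711@freemail.example
To: you@victim.example
Subject: make money fast

Visit http://3232238090/spampage.html
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"            # name the connecting client announced
    r"(?:\s*\((?P<comment>[^)]*)\))?"  # optional "(reverse-dns [ip])" comment
    r".*?\bby\s+(?P<by>\S+)",          # the server that wrote this line
    re.IGNORECASE | re.DOTALL,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Return {'helo', 'rdns', 'ip', 'by'} for one Received: line, or None."""
    flat = " ".join(value.split())  # unfold continuation lines
    m = RECEIVED_RE.search(flat)
    if not m:
        return None
    comment = m.group("comment") or ""
    ip = IP_RE.search(comment)
    rdns = comment.split("[", 1)[0].strip()
    return {
        "helo": m.group("helo").lower(),
        "rdns": rdns.lower() or None,
        "ip": ip.group(1) if ip else None,
        "by": m.group("by").lower().rstrip(";,"),
    }


def trace_hops(raw_message, our_mx):
    """Follow Received: lines downward while each line was written 'by' the host
    the line above received from. The first mismatch is where the forged part
    begins; the deepest consistent line names the real client of the relay."""
    msg = email.message_from_string(raw_message)
    hops = [parse_received(h) for h in msg.get_all("Received", [])]
    trusted = []
    expected = {our_mx.lower()}
    for hop in hops:
        if hop is None or hop["by"] not in expected:
            break
        trusted.append(hop)
        # the next genuine line must have been written by this hop's client
        expected = {n for n in (hop["rdns"], hop["helo"]) if n}
    return {
        "relay_ip": trusted[0]["ip"] if trusted else None,      # who handed it to us
        "origin_ip": trusted[-1]["ip"] if trusted else None,    # deepest verifiable client
        "origin_seen_by": trusted[-1]["by"] if trusted else None,
        "unverified": hops[len(trusted):],                      # forged or unverifiable
        "from": parseaddr(msg.get("From", ""))[1],
        "reply_to": parseaddr(msg.get("Reply-To", ""))[1],      # where replies really go
    }


if __name__ == "__main__":
    r = trace_hops(SAMPLE_MESSAGE, "mx.victim.example")
    print(f"open relay that delivered to us: {r['relay_ip']}")
    print(f"client that fed the relay, per {r['origin_seen_by']}: {r['origin_ip']}")
    print(f"Received lines that cannot be verified: {len(r['unverified'])}")
    print(f"From: {r['from']}   Reply-To: {r['reply_to']}")
```

The chain check is a heuristic: a spammer who guesses the relay's exact Received format can forge a consistent-looking line, and hostnames in real headers often differ between HELO and reverse DNS, which is why both are accepted as the expected "by" name. The authoritative record of who connected to the relay is the relay owner's own log, which is the reason the post says to complain to them.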