Safe from the Spam Flood?
by Brian McWilliams, author of Spam Kings
There's new technical evidence that recent warnings about an impending email tsunami may have been a false alarm.
Earlier this year, experts at Spamhaus.org warned that proxy-based spamware programs, including Send-Safe, had added a new feature that could frustrate efforts to blacklist network addresses used by junk emailers. One report quoted Spamhaus leader Steve Linford as predicting that "internet users are going to be flooded in spam" as a result of the new development.
But researchers at CipherTrust have since discovered a debilitating design problem in Send-Safe's feared new "ProxyLock" feature--a weakness so severe that it makes the enhancement unusable in most cases.
"The way they implemented ProxyLock is seriously flawed, and that's why we're not seeing any evidence that spammers are switching to it," said CipherTrust research engineer Dmitri Alperovitch, who recently disassembled the Send-Safe software.
Like a lot of spamware programs, Send-Safe has long relied on proxy computers (often virus-infected Windows PCs running an internal SMTP server) to send spam without revealing the spammer's true IP address. But the IP addresses of those proxies are eventually discovered by blacklist operators such as Spamhaus, and the addresses are blacklisted.
The new ProxyLock feature, which was added in Send-Safe version 2.20, is intended to send out messages instead through the mail servers affiliated with the ISP responsible for the proxy. In other words, if Send-Safe is configured to use a Trojaned PC connected to the internet via Comcast, the spamware will attempt to send messages out through the Comcast SMTP server, not via an internal SMTP server in the proxy.
Since most blacklists try to avoid collateral damage, it's unlikely they would blacklist a major ISP's primary mail servers. Hence the fears that Send-Safe's ProxyLock could enable spammers to circumvent DNS-based filters.
But Alperovitch found something interesting while studying ProxyLock.
When a Send-Safe user enables the "use ProxyLock" option, the program looks up the mail exchange (MX) records for the domains of the proxies' hostnames, typically the domain of the ISP whose network the zombie is connected through. It then attempts to relay the mail through the servers listed in those MX records.
The problem with this approach is that an MX record lists the servers that accept inbound mail for the domain. It does not necessarily list the servers that the ISP's customers use for outbound SMTP connections.
In fact, says Alperovitch, almost all large ISPs separate their inbound and outbound mail servers, due to the need to perform different types of processing on each kind of server. (For example, spam filtering on inbound messages, or traffic shaping on outbound emails.)
Consider a proxy PC connected to the internet via Comcast cable. Send-Safe would look up the MX record for comcast.net, which lists gateway-s.comcast.net and gateway-r.comcast.net as the domain's mail exchangers. But attempts to relay spam to non-Comcast addresses through those hosts fail with an SMTP 551 ("user not local") response: they accept mail only for Comcast's own domains, while the outbound servers Comcast's subscribers use answer at a different hostname, smtp.comcast.net.
Similarly, if using a proxy connected to the internet through Verizon Online, Send-Safe would attempt to send spam using relay.Verizon.net, as shown in the domain's MX record. But legitimate Verizon Online users use outgoing.Verizon.net as their SMTP server.
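The failure Alperovitch describes can be reproduced in miniature. What follows is an added example, not Send-Safe's or CipherTrust's code: two in-process SMTP responders, one mimicking an ISP's inbound MX host and one its customer submission host, and a client that derives the base domain from a proxy's reverse-DNS name, picks the MX host the way ProxyLock does, and tries to relay a message to an outside address. The domain example.net, the hostnames, the reverse-DNS name and the reply texts are all constructed. The submission responder relays unconditionally, standing in for a connection that arrives from a subscriber address; the authentication and rate limits real ISPs layer on top are not modelled.

```python
"""Why an MX lookup finds the wrong host for proxy-to-SMTP relaying.

Added example (not Send-Safe code). Two throwaway SMTP responders run
in-process: one behaves like an ISP's inbound MX host, which accepts mail
only for its own domain, the other like the customer submission host.
All hostnames, addresses and records here are constructed.
"""
import smtplib
import socket
import threading

ISP_DOMAIN = "example.net"  # constructed ISP domain (assumption)

# Stand-in for DNS answers: the MX points at the inbound host, while
# subscribers' outbound mail goes through a differently named host.
FAKE_DNS = {
    ISP_DOMAIN: {"mx": ["mx.example.net"], "submission": "smtp.example.net"},
}
ROLE_OF_HOST = {"mx.example.net": "mx", "smtp.example.net": "submission"}


def proxylock_target(proxy_rdns, dns=FAKE_DNS):
    """Mimic the ProxyLock heuristic: take the proxy's reverse-DNS name,
    reduce it to its base domain and return the first MX host for it."""
    base = ".".join(proxy_rdns.lower().rsplit(".", 2)[-2:])
    return dns[base]["mx"][0]


def serve_one(listener, relay_ok):
    """Answer one SMTP session. relay_ok=False acts like an MX host and
    refuses RCPT TO for foreign domains with a 551; True acts like a
    submission host that relays for anyone who reached it."""
    conn, _ = listener.accept()
    rfile = conn.makefile("rb")

    def reply(text):
        conn.sendall((text + "\r\n").encode("ascii"))

    reply("220 host.example.net ESMTP")
    in_data = False
    while True:
        raw = rfile.readline()
        if not raw:
            break
        line = raw.decode("ascii", errors="replace").rstrip("\r\n")
        if in_data:               # message body until the lone "." line
            if line == ".":
                in_data = False
                reply("250 2.0.0 queued")
            continue
        verb = line.split(" ", 1)[0].upper()
        if verb in ("EHLO", "HELO"):
            reply("250 host.example.net")
        elif verb in ("MAIL", "RSET", "NOOP"):
            reply("250 2.0.0 OK")
        elif verb == "RCPT":
            addr = line.split("<", 1)[1].split(">", 1)[0]
            domain = addr.rsplit("@", 1)[-1].lower()
            if relay_ok or domain == ISP_DOMAIN:
                reply("250 2.1.5 OK")
            else:
                reply("551 5.7.1 User not local; relaying denied")
        elif verb == "DATA":
            in_data = True
            reply("354 End data with <CR><LF>.<CR><LF>")
        elif verb == "QUIT":
            reply("221 2.0.0 Bye")
            break
        else:
            reply("502 5.5.2 Command not implemented")
    rfile.close()
    conn.close()


def attempt_relay(role, recipient="target@other-isp.example"):
    """Start a responder in the given role ("mx" or "submission") on a
    loopback port and try to relay one message to an outside recipient.
    Returns the SMTP reply code the responder gave for that recipient."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    worker = threading.Thread(target=serve_one,
                              args=(listener, role == "submission"), daemon=True)
    worker.start()
    client = smtplib.SMTP("127.0.0.1", port, timeout=5)
    try:
        client.sendmail("zombie@" + ISP_DOMAIN, [recipient],
                        "Subject: test\r\n\r\nrelay test\r\n")
        code = 250
    except smtplib.SMTPRecipientsRefused as exc:
        code = exc.recipients[recipient][0]
    finally:
        client.quit()
    worker.join()
    listener.close()
    return code


if __name__ == "__main__":
    host = proxylock_target("c-1-2-3-4.hsd1.example.net")
    print("ProxyLock would pick", host, "->", attempt_relay(ROLE_OF_HOST[host]))
    print("submission host     ->", attempt_relay("submission"))
```

Run as a script, the MX path ends in a 551 at RCPT TO, before any message data is sent, while the submission path returns 250 for the same recipient. The one thing ProxyLock gets from DNS, the MX host, is exactly the host that will not relay.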
Since the majority of spam proxies come from large ISPs such as Comcast and Verizon, spamware programs that depend on MX look-ups will have difficulty taking advantage of proxy-to-SMTP spamming, says Alperovitch.
A better approach might be to check the SPF record, if any, for the proxy's domain, which could reveal the IP addresses of authorized outbound mail servers. But that technique could fail as well, says Alperovitch, since the IP address of the server that accepts SMTP connections from subscribers may be different from the IP address that's stamped in the email headers seen by receiving mail systems.
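To make the SPF alternative concrete, here is an added example (not CipherTrust's or Send-Safe's code) that parses a constructed SPF record, follows include:, and lists the networks the record authorizes, which is what a spamware author would harvest. The domain example.net, the TXT records and the submission host address 192.0.2.10 are all assumptions. It also reproduces the mismatch Alperovitch points out: the address a submission host listens on for subscribers need not be one of the addresses SPF authorizes, so an SPF-driven spammer can still end up at the wrong host.

```python
"""Extracting an ISP's authorized outbound senders from SPF.

Added example, not Send-Safe or CipherTrust code. The TXT records below
are constructed for a hypothetical ISP; nothing here touches live DNS.
"""
import ipaddress

# Constructed records standing in for DNS TXT answers (assumption).
FAKE_TXT = {
    "example.net": ("v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:10::/48 "
                    "include:_spf.outbound.example.net -all"),
    "_spf.outbound.example.net": "v=spf1 ip4:198.51.100.0/26 ~all",
}
# Address the constructed ISP's submission host listens on for subscribers.
# Deliberately absent from the SPF record above: SPF describes the addresses
# that stamp outbound mail, not the listener subscribers connect to.
SUBMISSION_IP = "192.0.2.10"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(domain, records, _lookups=None):
    """Flatten the SPF record for `domain` into (result, network) terms in
    evaluation order. `network` is None for the terminating "all" term.
    include: is followed recursively and counted against the RFC 7208 limit
    of ten DNS-querying mechanisms. a, mx, ptr and exists need live DNS and
    are skipped in this offline example."""
    if _lookups is None:
        _lookups = [0]
    txt = records.get(domain, "")
    if not txt.lower().startswith("v=spf1"):
        return []
    terms = []
    for term in txt.split()[1:]:
        if "=" in term:          # modifier (redirect=, exp=); not handled
            continue
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            terms.append((QUALIFIERS[qual], ipaddress.ip_network(arg, strict=False)))
        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > 10:
                break
            # include matches when the included record would return "pass";
            # the included record's own "all" term never propagates outward.
            for result, net in parse_spf(arg, records, _lookups):
                if result == "pass" and net is not None:
                    terms.append((QUALIFIERS[qual], net))
        elif name == "all":
            terms.append((QUALIFIERS[qual], None))
    return terms


def spf_check(ip, domain, records=FAKE_TXT):
    """Return the SPF result ("pass", "fail", "softfail" or "neutral") for a
    sending address `ip` whose mail claims to come from `domain`."""
    addr = ipaddress.ip_address(ip)
    for result, net in parse_spf(domain, records):
        if net is None or addr in net:   # version mismatch never matches
            return result
    return "neutral"        # no "all" term: RFC 7208 default


def authorized_networks(domain, records=FAKE_TXT):
    """The networks SPF publishes as authorized senders for `domain`."""
    return [str(net) for result, net in parse_spf(domain, records)
            if result == "pass" and net is not None]


if __name__ == "__main__":
    print("authorized:", authorized_networks("example.net"))
    for ip in ("203.0.113.5", "198.51.100.9", SUBMISSION_IP):
        print(ip, "->", spf_check(ip, "example.net"))
```

The harvested list is the set of addresses receivers will accept as legitimate senders for the domain; the submission listener at 192.0.2.10 evaluates to "fail", which is the gap between the two that makes SPF an unreliable map for finding the host that takes subscriber connections.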
John Levine, author of The Internet For Dummies, says spamware programs might do better to read the SMTP server settings from the email client installed on the proxy computer. Qualcomm's Eudora, for example, stores this information in a file called Eudora.ini, while Microsoft Outlook keeps it in a section of the Windows registry called OMI Account Manager. (Many viruses and worms already read and/or modify the registry keys in that OMI Account Manager section.)
But even if a proxy-to-SMTP spamware program could identify the proper outbound mail server, many ISPs employ other forms of protection against outbound spamming, such as rate limiting and authentication, which could foil the ProxyLock feature.
In response to CipherTrust's findings, Linford acknowledged that ProxyLock would fail in cases involving major ISPs. But he said many ISPs are still vulnerable.
"This trick will still find tons of MX mail servers of small and medium-sized ISPs which will happily relay if the message is coming from a client IP," says Linford.
Linford points to recent research from MessageLabs as proof that spammers have had success in using ProxyLock. The email security and filtering firm reported that the percentage of spam emanating from proxies dropped from 79 percent in October 2004 to 59 percent in February 2005. MessageLabs said the shift suggests that spammers had migrated toward the use of the new Send-Safe feature.
But Alperovitch says CipherTrust's own data doesn't corroborate this trend toward spam emanating from "legitimate" mail servers operated by large ISPs.
In any case, no one has come forward with data showing that spammers are actually using the ProxyLock feature; the increased volumes of spam from ISP mail servers could simply be the result of hijacked accounts, throwaway accounts, webmail spamming, and other tactics, says Alperovitch.
Still, someone at the SpecialHam.com spammer's forum was offering a "proxy-to-SMTP" service last week. According to a message at the site by someone calling himself Phantom, "I can take any list of mailing proxies and run them through a special custom prog [that] will spit out the corresponding resolved domains [and] the corresponding SMTP mail servers of that base domain."
While experts may continue to debate the seriousness of the ProxyLock threat, one thing is fairly certain. Send-Safe is having difficulty distributing its software to would-be customers. The Russian company's domain, send-safe.com, is currently not responding, nor is a recent replacement, send-safe.biz. However, copies of the program are still available on the internet, and existing installations of the program remain capable of downloading fresh proxies from Send-Safe.
Brian McWilliams is the author of Spam Kings and is an investigative journalist who has covered business and technology for web magazines including Wired News and Salon, as well as the Washington Post and PC World, Computerworld, and Inc. magazines.