The battle against spam is never ending and, to be honest, we're losing. Why? Because we, the Internet community, are guilty of unknowingly helping the spammers.
Do you receive spam that is not addressed to you yet ends up in your inbox? Believe me, if you received it then your address is in there somewhere, typically in a Bcc you cannot see. If you have a "contact me" type form on your site then you're a target for spammers. Let me explain how they do it. I'm going to keep this reasonably broad and I am definitely not going to teach you how to do it.
First of all, the notion that spammers and hackers are bored kids is completely wrong. They are crooks and thieves working in a multi-billion-dollar worldwide business, and they are nasty. I know of one story where they shot someone (not in NZ, you'll be relieved to hear). Do not get involved in trying to get even with them; you'll probably find the number of attacks on your website increases by 1000% and your bandwidth costs go up. You can thwart them and slow the process down, which I will describe a bit later.
Right, let's get down to business. We'll work this in reverse order. They want you to buy their products or services, be it porn site membership, sex products, health products, computer software, or help for that kind man in Africa moving millions of dollars into your account (and yes, people are still falling for it; only a couple of days ago a person in Hawke's Bay lost $3800 to them). Some of these products you will receive and some you will not; some of these sites just want your credit card number to use and abuse (anyone reading this who has merchant services will know about the hassles involved when you get a chargeback, a "claw back", from the credit card companies).
OK, so to do this they need legitimate email addresses, the next step up the ladder. Email lists are sold to the above-mentioned crooks or businesses. So there exists a group of people looking for email addresses, and they use a number of tactics. One is the web crawler, a piece of software that searches web pages for email addresses (have you got your real email address on your web page as mailto:yourname@yourdomain.co.nz?) and passes them back to a database for onward selling. The next is email guessing: send to smith@company.co.nz, c.smith@company.co.nz and so on, then watch which ones bounce and which ones don't. Bingo, another real email address for onward selling.
The next stage is sending out all these emails. Most ISPs (Internet Service Providers) no longer run open relays (mail servers that will accept a message from anyone and deliver it anywhere), because a relay that does ends up on a DNS blacklist, the lists we all use to block incoming email from known spam sources. So one method is to find a website with a "contact me" type mail form that has no security gate on it (which unfortunately is most of them). A new client came to me the other day because all his bandwidth had been stolen: the spammers had used his "contact me" form to send thousands of emails. The good news is that they only use your site for a short time, because your server's IP address will end up on a DNS blacklist and then it's no good to them. The bad news is trying to get off a blacklist. Ever had trouble sending emails that don't seem to arrive? Is your IP address on a blacklist?
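A quick way to answer that last question is to query a DNS blacklist directly. The following Python is an added example, not code from the article: a DNSBL is queried by reversing the octets of the IP address and looking the result up as a hostname under the list's zone; a listed address gets an A record in 127.0.0.0/8, an unlisted one gets NXDOMAIN. The zone zen.spamhaus.org is one real list used here for illustration, the fake resolver and its single listed entry are constructed so the code runs offline, and 127.0.0.2 is the conventional always-listed test address (RFC 5782).

```python
import ipaddress
import socket


def dnsbl_query_name(ip, zone):
    """Build the reversed-octet name a DNSBL expects: 1.2.3.4 -> 4.3.2.1.<zone>."""
    addr = ipaddress.IPv4Address(ip)          # raises ValueError on garbage; IPv4 only here
    octets = str(addr).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_lookup(ip, zone, resolve=socket.gethostbyname):
    """Return the listing code (e.g. '127.0.0.2') if ip is listed in zone, else None.

    A DNSBL answers with an A record in 127.0.0.0/8 for a listed address and
    NXDOMAIN (surfacing here as socket.gaierror) for everything else.
    """
    name = dnsbl_query_name(ip, zone)
    try:
        answer = resolve(name)
    except socket.gaierror:
        return None
    if ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8"):
        return answer
    return None   # an answer outside 127/8 is not a listing (often a wildcard or a broken list)


# Constructed stand-in for DNS so the example runs offline (assumption, not live data).
_FAKE_ZONE_DATA = {"2.0.0.127.zen.spamhaus.org": "127.0.0.2"}


def fake_resolver(name):
    if name in _FAKE_ZONE_DATA:
        return _FAKE_ZONE_DATA[name]
    raise socket.gaierror(-2, "Name or service not known")


if __name__ == "__main__":
    # Swap in the real resolver (drop resolve=) to check your own mail server's address.
    for ip in ("127.0.0.2", "1.2.3.4"):
        print(ip, "->", dnsbl_lookup(ip, "zen.spamhaus.org", resolve=fake_resolver))
```

Run it against your outbound mail server's public address with the real resolver; a non-None result means the list is already rejecting you, and the listing code tells you which of the zone's sub-lists to read about before asking for removal.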
"They can't use my mail form, we've hard coded the 'To:' address into the program," I hear you say. Sorry, you're wrong. It's dead easy to get around that without even hacking the server. How?
Here comes the juicy bit.
For those of us who are pre-computerization, when a text was a telex, a VDU operator was a typist and multiple recipients meant getting ink stains on your shirt from the Gestetner, you will remember the letter-writing protocols, which we still maintain in our email formats (well, the format at least; I'm not sure about some of the content I receive).
For those not in the aforementioned age group, To, Cc and Bcc mean: 'To' is the main addressee and was at the top of the letter; Cc, carbon copy, was literally a piece of carbon paper between the pages so a copy was made of the original as you typed (with a bottle of snow paint at the ready!). The Cc names were printed on the page so the 'To' knew who else had received a copy of the letter. Bcc was a blind carbon copy: the Bcc address was not typed on the letter, so the 'To' and the Cc's did not know that a copy was being sent to another addressee.
This is still true with emails today. If you send an email and put an address in the Cc and an address in the Bcc, the person you send it to will see the Cc address but not the Bcc address. It's the Bcc facility that the spammers are exploiting on your "contact me" form. "Wait, I don't have Cc and Bcc on my form," you say. You don't need Cc and Bcc fields on your form for them to be used; they are part of the email header. Whatever your form does, the message it hands to the mail server has the same shape on every system: a block of header lines (To:, From:, Subject:, and any others such as Cc: and Bcc:), one per line, then a blank line, then the message body. Every line above that blank line is treated as a header, whoever wrote it.
With a little bit of code in your form or URL they are away, and it is that simple. That "little bit of code" is nothing more than a line break followed by a new header line such as Bcc:, dropped into a field your script copies into the header, and the mail server obligingly treats it as a real header. Or, hell, they won't use your form at all; they'll create their own form on their site and point it at your page, because your script can't tell the difference. Now what are the odds of me guessing the names of those four variables that make up the header? Are yours called:
subject
message or msg
from
A few more steps, which I won't spell out, but I'm sure you're all getting the idea.
So you may receive one email from your "contact me" form while the spammers attach hundreds of Bcc addresses, which are sent out from your email server, and yes, they can change the content of both the 'Subject' and 'Message' fields. So if you can't sleep tonight, instead of counting sheep count the emails being sent from your website.
Now, you may have checked and changed those four names to something a little more obscure, and you may be checking 'HTTP_USER_AGENT' (or 'HTTP_REFERER', which is what such checks usually test) so that your mail function only accepts requests that look like they came from your own page. Neither is worth much on its own: the field names are in the source of your own page for anyone to read, and User-Agent and Referer are sent by the visitor's browser, so a spammer's script simply sends whatever values you expect. The check that actually stops the trick is on the server: refuse any value bound for a header (the sender address, the subject) that contains a line break, make sure the sender field holds one plain email address and nothing else, and never let user input become the 'From:' of the outgoing mail; put the visitor's address in 'Reply-To:' and send from a fixed address of your own. Do that and the Bcc line has nowhere to go. The good news, "at last" I hear you cry:
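To make the Bcc trick and its cure concrete, here is a small Python mailer written for this article as an added example; it is not the author's code, and the field names (from, subject, msg), the addresses and the spam payload are all assumptions. The vulnerable builder pastes the form's 'from' field straight into the header block, so a line break in that field starts a new Bcc: header that a receiving server honours; the hardened builder refuses line breaks in anything header-bound, insists the sender field is a single plain address, sends from a fixed address of the site's own and puts the visitor's address in Reply-To. A parser stands in for the mail server to show what each version would actually deliver to.

```python
import re
from email import message_from_string
from email.message import EmailMessage

SITE_OWNER = "owner@example.co.nz"        # the hard-coded 'To:' address (assumed)
FORM_SENDER = "webform@example.co.nz"     # a fixed From: that the site itself owns (assumed)

# Constructed submission: the 'from' field ends the From: line with CRLF and
# starts a new header line, which the receiving server reads as a real Bcc:.
SPAM_SUBMISSION = {
    "from": "visitor@example.com\r\nBcc: victim1@example.net, victim2@example.org",
    "subject": "Hello",
    "msg": "Buy now!",
}


def build_vulnerable(form):
    """Naive mailer: pastes form fields straight into the header block."""
    return (
        "To: " + SITE_OWNER + "\r\n"
        + "From: " + form["from"] + "\r\n"       # user-controlled, unchecked
        + "Subject: " + form["subject"] + "\r\n"
        + "\r\n"                                 # the blank line ends the headers
        + form["msg"]
    )


def recipients(raw):
    """Parse a raw message as a mail server would and list every To/Cc/Bcc address."""
    msg = message_from_string(raw)
    addrs = []
    for field in ("To", "Cc", "Bcc"):
        for value in msg.get_all(field, []):
            addrs.extend(a.strip() for a in value.split(",") if a.strip())
    return addrs


class HeaderInjection(ValueError):
    """Raised when a form field would spill into a new header line."""


_HEADER_BREAK = re.compile(r"[\r\n\x00]")
_ONE_ADDRESS = re.compile(r"[^@\s<>,;]+@[^@\s<>,;]+\.[^@\s<>,;]+")


def clean_header(value, max_len=200):
    """Reject (never silently strip) anything that could end the header line."""
    if _HEADER_BREAK.search(value):
        raise HeaderInjection("CR, LF or NUL in header field")
    return value.strip()[:max_len]


def clean_address(value):
    """Accept exactly one plain address: no lists, no display names, no extra lines."""
    value = clean_header(value)
    if not _ONE_ADDRESS.fullmatch(value):
        raise HeaderInjection("not a single plain address")
    return value


def build_hardened(form):
    """Same form, but every header-bound field is validated server-side and the
    visitor's address goes in Reply-To, never in From."""
    msg = EmailMessage()
    msg["To"] = SITE_OWNER
    msg["From"] = FORM_SENDER
    msg["Reply-To"] = clean_address(form["from"])
    msg["Subject"] = clean_header(form["subject"])
    msg.set_content(form["msg"])   # body lines sit below the blank line and can never become headers
    return msg.as_string()


def rejects(form):
    """True if the hardened builder refuses this submission."""
    try:
        build_hardened(form)
    except HeaderInjection:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable version delivers to:", recipients(build_vulnerable(SPAM_SUBMISSION)))
    print("hardened version rejects the same submission:", rejects(SPAM_SUBMISSION))
```

Note that the fix is rejection, not stripping: a field that arrives with a line break in it was never typed by a genuine visitor, and quietly removing the break would still let the rest of the injected text through as part of your header.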
The first thing: your email address. Once it's on a spammer's list you'll never get it off; they sell lists to each other. Get rid of it, move on and start again. Simply do not give your real email address out to anyone you don't know or trust. Use the facility your ISP offers called 'aliases', and if your ISP doesn't offer unlimited aliases, change ISPs. Have several aliases that you can use when completing web registration forms etc. Once an alias gets onto a spam list, destroy it. NEVER put a real email address on a website; use an alias.
Now your website. What I'm about to say is my personal opinion as a professional website and software developer. Web security is an ongoing battle; what is secure today could very well be exploited tomorrow. It's easy to build a website but hard to build a good website. If you have a website developed for you then host the site with the developer and build website maintenance into the contract, so that when (not if) a new threat appears your site gets updated by the developer. If you build your own sites, which is a lot of fun and rewarding, consider working with a developer: you do the front-end and let the developer do the back-end with all the security. If you're doing it all yourself then surf the web and read up about security, but the Golden Rule is that any input from a user must be validated server-side; nothing done in the browser (JavaScript checks, hidden fields, the form's own field names) can be trusted, because the browser is under the visitor's control.
You can put in spam traps, but quite honestly, unless you know what you're doing you could end up regretting it. Much better to just add a link to someone else's trap, which most of them encourage you to do. Read their site information and they'll show you how to do it.
If you have a website for commercial reasons then get it built professionally and securely. How would your customers react if they became the target of spam because you had a poor website?
Remember that it's bad websites that give the spammers access to your emails, so fight the good fight and tighten up your site. This is but one of the ways the spammers turn us over; if you would like some more information please feel free to contact me on my alias email address quoteit@bestnet.co.nz. I'll update you as to how many spams I get on this address.
Article By: Kevin Phillips www.bestnet.co.nz
