1. FIGHTING BACK
Here's the bad news: Spam is impossible for you, as the end user, to prevent. You just can't do anything about that. Much like junk mail you receive in the normal mail, it's the sender who controls whether you're a target. This is the first misconception to deal with; you can manage spam using automated systems to minimize the time you have to deal with it manually, but the only way to stop receiving it is to stop the spammers themselves.
So how do spammers get away with it? Surely there are hordes of angry users, law enforcement, and lawyers itching to shut them down. There are, but spammers are usually pretty sneaky. As you saw in Lesson 3, obfuscation techniques are applied to the e-mail contents to make sure it reaches its destination -- these same techniques are used to keep the spammer out of court and spamming.
The simplest way for spammers to stay free is for them to purchase a server or mailing service based in another country. Although the United States, Canada, and Europe have antispam laws, countries such as Russia and China do not. A spammer based in the United States who sends spam from a server in China is not technically committing an offense, and this makes it very hard to shut such spammers down via legal action.
Spoofing E-Mail
Purchasing a server in Russia can often be an expensive task, so many start-up spammers who don't want this cost select to spam from their own country. To hide the source of the spam (and to make it harder to block), they forge the e-mail header information. The header is the information that's used to make sure the e-mail ends up in the right place. It's also used by your e-mail client to display the From, To, and Subject fields. If you use Outlook, you can view the header information of an e-mail by opening it and selecting View > Options from the toolbar. The headers are shown in the Internet Headers box, and look similar to Figure 4-1:
Although some information in Figure 4-1 has been blanked out for privacy reasons, you see roughly the same type of information in the headers of your e-mails. For legitimate e-mails, the information in the header is a simple way to get some technical information about the path your e-mail took.
Fortunately for spammers, it's extremely easy to forge this information. To demonstrate just how simple it is, you're going to spam yourself with a spoofed e-mail. Before continuing, you need to know the hostname of your ISP's (Internet Service Provider's) SMTP (Simple Mail Transfer Protocol) server -- it's usually smtp.ispdomain.com (where ispdomain is the name of your ISP). You can find this information in your e-mail client configuration, or on your ISP's support Web site.
Spoofing Your Own E-mail
To spoof your own e-mail, follow these steps:
- Open a command prompt by going to Start > Run and then typing cmd if you use Microsoft Windows NT, 2000, or XP, and command if you use Microsoft Windows 95 or 98.
- Click OK and a command prompt window appears. Next, complete the following steps carefully and exactly -- if you make an error, start again! You may find this difficult, because you can't see what you're typing, so take your time.
- Type telnet smtp.myisp.net 25 and press Enter. Replace smtp.myisp.net with the hostname of your ISP's SMTP server (you can get this information from your e-mail client). The display will clear and a line of text should appear.
- Type HELO spammer.com and press Enter.
- Type MAIL FROM: spam@spammer.com and press Enter.
- Type RCPT TO: you@youraddress.com and press Enter. Replace you@youraddress.com with your normal e-mail address.
- Type DATA and press Enter.
- Type Hello, this is a spoofed message and press Enter.
- Type . and press Enter.
- Type QUIT and press Enter.
- Close the console window.
Figure 4-2 shows the output from this SMTP session. Although the commands typed into the session are visible in Figure 4-2, they probably aren't visible on your screen. This is normal and doesn't affect the exercise.
If you wait a few minutes, and then check your e-mail, you should find an e-mail sent to you from spam@spammer.com. The process you've just completed manually is the same process used by your e-mail client every time you send an e-mail. The difference is that, because you completed the session manually, you had far more control over the information used to construct the e-mail header, which is what allowed you to fake the details.
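The forged From: line is typed by the sender, but each relay the message passes through prepends its own Received: line recording the host it actually saw connect. The following added example (not part of the lesson; the sample message, host names and addresses are constructed) parses that chain and checks whether the originating host has anything to do with the claimed sender domain:

```python
import re
from email import message_from_string, policy

# Constructed sample (not from the lesson): From: and HELO claim spammer.com, but
# the relay that accepted the message recorded the real connecting host.
RAW_MESSAGE = """\
Received: from mail.myisp.net (mail.myisp.net [192.0.2.10])
    by mx.youraddress.com with ESMTP id abc123
    for <you@youraddress.com>; Mon, 1 Mar 2004 10:00:05 +0000
Received: from spammer.com (dialup-42.myisp.net [198.51.100.42])
    by mail.myisp.net with SMTP id xyz789; Mon, 1 Mar 2004 10:00:01 +0000
From: spam@spammer.com
To: you@youraddress.com
Subject: spoofed

Hello, this is a spoofed message
"""

# "from <HELO name> (<observed name> [<observed IP>]) by <relay>"
HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s*(?:\((?P<info>[^)]*)\))?\s*by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[([\d.]+)\]")


def trace_path(raw):
    """Return relay hops in delivery order (origin first).

    Each relay prepends its own Received: line, so the headers read newest
    first; reversing them gives the route the message actually took.
    """
    msg = message_from_string(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        flat = re.sub(r"\s+", " ", str(value))  # unfold continuation lines
        m = HOP_RE.search(flat)
        if not m:
            continue
        info = m.group("info") or ""
        ip = IP_RE.search(info)
        hops.append({
            "helo": m.group("helo"),              # what the client claimed
            "rdns": info.split(" [")[0] or None,  # what the relay observed
            "ip": ip.group(1) if ip else None,
            "by": m.group("by"),
        })
    hops.reverse()
    return hops


def sender_domain(raw):
    msg = message_from_string(raw, policy=policy.default)
    return str(msg["From"]).rsplit("@", 1)[-1].strip(" <>").lower()


def origin_is_consistent(raw):
    """True when the first relay's observed host belongs to the From: domain.

    Only Received: lines written by relays can be trusted, and only for the
    host they saw connect; HELO and From: are typed by the sender.
    """
    hops = trace_path(raw)
    if not hops or not hops[0]["rdns"]:
        return False
    domain, rdns = sender_domain(raw), hops[0]["rdns"].lower()
    return rdns == domain or rdns.endswith("." + domain)
```

A sender can also type fake Received: lines of its own; those sit below the genuine ones, so only the lines added by relays you trust are reliable.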
2. OPEN RELAYS
As you can see, forging e-mail is extremely easy when you know how. Spammers use this technique to change the sender name and e-mail address for every message, which means blocking all e-mail from one address won't keep you spam-free.
When you signed up with your ISP, you may have noticed something in its AUP (acceptable use policy) that discussed open relays. An open relay is an SMTP server that doesn't have any security policies to control who it may receive e-mail routing from, and send e-mail to. This is a major issue in the war against spam, because spammers can use these open relays to send huge amounts of forged e-mails with relative anonymity.
Most open relays are created by home users with broadband Internet connections who install and configure applications without understanding the implications.
There are also a small number of corporate system administrators who inadvertently configure their corporate e-mail servers to be open relays, too.
These open relays are invaluable to spammers, and information on them is often put up for sale. So not only are your computers being used to spam an innocent victim, your bandwidth will soon be flooded with spammers using your relay.
You can easily check whether your computer is an open relay using Active Ports, which was covered in Lesson 2. If Active Ports shows a process listening on TCP port 25, it's very likely you have an SMTP server running. You should investigate immediately!
ORDBs
Because open relays are such a menace to everyone other than spammers, ORDB (Open Relay Database) systems were created. These are publicly accessible servers on the Internet that maintain lists of domains that contain open relays. The idea is for the major network organizations through which huge amounts of Internet traffic (and thus e-mail) travel to use these databases for e-mail blocking. When e-mail is sent through one of these organizations' servers, the source address is checked against an open relay database. If a match is found, the e-mail is rejected. It's not perfect, but it does cut down on spam a little.
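To make the open relay problem and the ORDB check concrete, here is an added example (not from the lesson or any real mail server): a relay policy that refuses stranger-to-stranger mail, a replay of the lesson's SMTP command sequence against it, and the DNS name a receiving server would look up in an open relay list. The domains, networks and list zone are constructed placeholders.

```python
import ipaddress

# Constructed policy for a hypothetical SMTP server (not a real product):
LOCAL_DOMAINS = {"mydomain.com"}                            # we deliver for these
LOCAL_NETWORKS = [ipaddress.ip_network("192.168.0.0/16")]   # our own users' hosts


def relay_decision(client_ip, authenticated, rcpt_domain):
    """Return (accept, reply) for one RCPT TO the way a closed relay would.

    An open relay answers 250 for every combination; a closed one accepts
    outside recipients only when the client is one of its own users.
    """
    ip = ipaddress.ip_address(client_ip)
    if rcpt_domain.lower() in LOCAL_DOMAINS:
        return True, "250 OK"                 # inbound mail for our users
    if authenticated or any(ip in net for net in LOCAL_NETWORKS):
        return True, "250 OK"                 # our users sending outbound mail
    return False, "550 relaying denied"       # stranger to stranger: refuse


def dnsbl_query_name(client_ip, zone="relays.ordb.example"):
    """Build the DNS name a receiving server looks up in an open relay list.

    The client's address is reversed octet by octet and prefixed to the
    list's zone; a listed host answers with an A record in 127.0.0.0/8.
    The zone here is a placeholder, not a real database.
    """
    return ".".join(reversed(client_ip.split("."))) + "." + zone


def run_session(lines, client_ip, authenticated=False):
    """Replay a command sequence like the lesson's and return server replies."""
    replies = ["220 mail.mydomain.com ESMTP"]
    accepted, in_data = 0, False
    for line in lines:
        if in_data:                            # message body until a lone "."
            if line == ".":
                in_data = False
                replies.append("250 queued")
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            replies.append("250 mail.mydomain.com")
        elif verb == "MAIL":
            replies.append("250 OK")
        elif verb == "RCPT":
            addr = arg.split(":", 1)[-1].strip(" <>")
            ok, reply = relay_decision(client_ip, authenticated, addr.rpartition("@")[2])
            accepted += ok
            replies.append(reply)
        elif verb == "DATA":
            if accepted == 0:
                replies.append("503 no valid recipients")
            else:
                replies.append("354 end data with <CRLF>.<CRLF>")
                in_data = True
        elif verb == "QUIT":
            replies.append("221 bye")
        else:
            replies.append("500 unrecognised command")
    return replies
```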
3. EIGHT TIPS TO AVOID SPAM
Instead of worrying about what to do with the spam you already get, it's a good idea to try to avoid being targeted in the first place. There are some simple steps you can take to minimize your exposure.
Address Use
Spammers have a much harder time finding you if they don't know you exist. Although they often search new domain registration records looking for targets, or just send out huge amounts of e-mail to random recipients, they mainly prefer to work from known positive address lists. That way, they can ensure a higher return on their work. Keeping your e-mail address secret isn't as easy as it sounds though -- almost everywhere you go on the Internet companies ask for your registration details. You've probably noticed that as soon as you sign up for one newsletter or offer, others quickly follow.
Instead of supplying your real e-mail address, sign up for a free account with a provider such as Hotmail or Yahoo!. Use your throwaway e-mail address when providing contact details, and when it becomes overloaded with spam, simply close it and create a new one. Keep your real address private, and only give it out to people you know.
Web Site Contact Details
If you have your own domain and publish your own Web site, the odds are that you've put a Contact Us link on one of the pages. The normal format of this link is a mailto directive, such as mailto:me@mydomain.com. Spammers use Web spiders to crawl the Web and find e-mail addresses embedded in Web pages, so they can easily pick up your address from your Web site. Instead of providing a mailto link, use a script written in PHP or ASP (Active Server Pages) to automatically deliver the e-mail to you.
This is the reason Figure 4-1 has the e-mail addresses blanked out -- don't make life easy for the spammers!
Turn Off Read Receipts
Spammers might find you by accident, but if you stay off their known positive lists, you're likely to be ignored. By turning off read receipts in your e-mail client, you're helping to prevent the spammers from knowing their e-mails got through.
Don't Click Links
If you do receive spam, make sure you don't click any Web links in it. This is especially true for the "If you do not wish to receive these e-mails, please click here" type of links. Despite the promise of removal, you're guaranteed to be marked as a known positive address if you respond to the e-mail. Resist the temptation!
Don't Open the E-Mail!
If you receive an e-mail you know is spam, delete it immediately. As you learned in Lesson 3, simply opening the e-mail is enough to activate a Web bug and get your address confirmed. If you're unsure whether an e-mail is spam or not, most e-mail clients allow you to save the message as plain text without opening it. If you use Outlook, the Autopreview option shows you the first few lines of the message body in plain text to make spam diagnosis easier. However, no matter what you do . . .
Don't Use the Outlook Preview Pane!
The Outlook Preview Pane is possibly one of the biggest e-mail related security risks. To delete an e-mail, you need to select it, and simply by selecting an e-mail, Outlook accurately renders its contents into the Preview Pane; Web bugs, malware, and all. In other words, if you have a malicious e-mail in your Inbox and the Preview Pane is enabled, it's very, very likely that you're infected. Turn it off!
Install Security Patches
Make sure you keep up to date with security patches for your e-mail client, and your operating system. As you learned in Lessons 2 and 3, your computer is only as secure as its weakest component. When a security patch is released, malicious programmers are usually quick to take advantage of all the people who haven't installed it yet. Spammers use security issues just like spyware programmers -- don't be caught off guard!
Only Read Plain Text E-mails
HTML e-mail is a very big security issue, as you learned in Lesson 3. Unfortunately it's also very user friendly, and so you may not want to make this sacrifice. You need to consider your options carefully, however, because the opportunities for a malicious e-mail to successfully attack your computer are vastly reduced if e-mails are always viewed as plain text. There are a number of simple add-ins that will perform this conversion for you, such as E-Mail Sentinel Pro.
4. MANAGING SPAM
Most new e-mail clients include their own basic form of antispam or Junk Mail filtering. Microsoft Outlook 2003 comes with a fairly comprehensive Junk E-Mail filter that gives you some control over how your mail is managed.
Configuring Outlook Junk E-Mail
To access the filter options, open Outlook and go to Actions > Junk E-Mail > Junk E-Mail Options. From this dialog box you can manage how Outlook responds to incoming e-mails. The first tab, Options, instructs Outlook as to how sensitive spam detection should be. There are actually only two levels of sensitivity; the remaining two options allow the filter to be turned off or restricted to preapproved senders only. It's generally a good idea to start off with sensitivity set to Low, because it's easier to mark spam that the filter misses than to locate legitimate e-mails in a folder full of spam. Figure 4-3 shows the available options:
At the bottom of the dialog box is a checkbox labeled Permanently delete suspected junk e-mail. You should never check this, because Outlook can occasionally flag a legitimate e-mail as spam (a false positive); if it's deleted permanently, you'll never even know it was incorrectly detected. This becomes important when you begin to train the filtering system.
The remaining tabs in the Junk E-mail Options dialog are self-explanatory, and allow you to configure e-mail addresses that either should always be let through the filter, or should always be blocked.
After enabling the Junk E-mail filter, Outlook begins to detect spam. Initially, you may find that some legitimate e-mails are being flagged as spam, so you need to tell Outlook what it has done wrong. Simply open the legitimate e-mail and select Actions > Junk E-mail > Mark as Not Junk. Outlook then modifies its spam detection rules accordingly.
Bayesian Filtering
Outlook 2003 is the first version of Outlook that comes with a generally decent spam filtering system, but it's still a long way from perfect. If you receive a lot of spam or find that the Outlook filtering isn't doing the job, you may need to upgrade to full Bayesian filtering.
Bayesian filtering is a system that has a fairly complex implementation, but is easy to understand in principle. It's effectively a self-learning filtering system. Bayesian filtering uses some complex mathematical probability calculations to decide whether the e-mail being scanned is spam or not spam. It bases the final decision on the contents of all the legitimate e-mails and all of the spam you've received up to that point. This is an extremely effective filtering system, because it constantly learns and adapts to the e-mail you receive.
As a practical example, imagine you're a keen tropical fish keeper. You've signed up for tropical fish information newsletters, which you receive weekly. When you install your Bayesian filtering, you show it a list of spam and a list of ham so it can build its initial database. In the list of ham were a number of fish newsletters, each containing some information on a medicine called Methylene Blue. The following week, you receive another newsletter. When the Bayesian filter scans the letter, it notices that Methylene Blue has shown up a couple of times in the ham e-mails, and not at all in the spam e-mails. On this basis, it lets the e-mail through.
Now imagine a friend of yours has also installed a Bayesian filter, but he doesn't like tropical fish. When he configured the filter he supplied it with e-mails containing the phrase Methylene Blue that he considered to be spam. Whenever your friend receives the tropical fish newsletter, the Bayesian filter sees that Methylene Blue shows up in spam e-mails a number of times so the e-mail is blocked.
In practice, the decision to block or allow e-mail is based on more than a single string of text in the message, but the same principle applies. By learning your e-mail habits, Bayesian filtering can effectively reduce the spam you receive by more than 99 percent. Part of the reason it's so effective is that it relies on you, the end user, to teach it what to do. Much as with a small child, you tell the filter what's good and what's bad, and if it gets something wrong you let it know.
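The Methylene Blue scenario above, carried through in code: an added example (not from the lesson or any product) of a small Bayesian filter in the style described, trained once on the fish keeper's ham and once on the friend's spam. The newsletters, spam samples and token probability clamps are constructed for illustration.

```python
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z][a-z'$-]*", re.IGNORECASE)

def tokenize(text):
    return {t.lower() for t in TOKEN_RE.findall(text)}  # each token once per message

class BayesFilter:
    """Naive Bayes filter trained on the user's own ham and spam."""

    def __init__(self):
        self.ham, self.spam = Counter(), Counter()  # messages containing each token
        self.nham = self.nspam = 0

    def train(self, text, is_spam):
        (self.spam if is_spam else self.ham).update(tokenize(text))
        if is_spam:
            self.nspam += 1
        else:
            self.nham += 1

    def token_prob(self, token):
        """P(spam | token), clamped so a single word never decides alone."""
        g, b = 2 * self.ham[token], self.spam[token]  # ham doubled: err toward ham
        if g + b == 0:
            return None  # never seen in training: no evidence either way
        spam_rate, ham_rate = b / max(self.nspam, 1), g / max(self.nham, 1)
        return min(0.99, max(0.01, spam_rate / (ham_rate + spam_rate)))

    def score(self, text, n_clues=15):
        """Combine the most decisive clues into one probability (0 ham, 1 spam)."""
        probs = [p for p in map(self.token_prob, tokenize(text)) if p is not None]
        clues = sorted(probs, key=lambda p: abs(p - 0.5), reverse=True)[:n_clues]
        if not clues:
            return 0.5
        prod_spam = prod_ham = 1.0
        for p in clues:
            prod_spam *= p
            prod_ham *= 1 - p
        return prod_spam / (prod_spam + prod_ham)

def build_filter(ham, spam):
    f = BayesFilter()
    for m in ham:
        f.train(m, is_spam=False)
    for m in spam:
        f.train(m, is_spam=True)
    return f

# Constructed training messages (not from the lesson).
FISH_NEWSLETTERS = [
    "Tropical fish newsletter: treating ich with Methylene Blue in the quarantine tank",
    "This week: Methylene Blue dosage for egg fungus, plus new cichlid arrivals",
]
SPAM_SAMPLES = [
    "Buy cheap meds online now, discount pills, no prescription needed",
    "Click here to claim your free prize, limited offer, act now",
]
NEW_NEWSLETTER = "Tropical fish newsletter: Methylene Blue and salt baths for sick fish"

# The fish keeper marked the newsletters as ham; the friend marked them as spam.
fish_keeper = build_filter(FISH_NEWSLETTERS, SPAM_SAMPLES)
friend = build_filter(["Lunch on Friday? Let me know what time suits"], SPAM_SAMPLES + FISH_NEWSLETTERS)
```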
5. AN INTRODUCTION TO SPAM MECHANISMS
If you've had an e-mail address for any length of time, you no doubt noticed a gradual increase in the amount of spam you receive (if not, you're one of the lucky ones!). And if you were unlucky enough to accidentally open spam e-mail, you may have noticed it was quickly followed by more spam. It's no coincidence -- spammers use clever tracking mechanisms to monitor whether their e-mail is deleted, opened, or even forwarded to another person.
The most obvious and basic tracking mechanism is a read receipt. A read receipt is a flag in the e-mail header that tells your e-mail client to return the status of the e-mail to its sender. Through this system, the spammer can obtain basic information about whether you read or deleted the e-mail. Every popular e-mail client (such as Outlook or The Bat) has an option to deny read receipts for public e-mail received from the Internet. If you use a corporate e-mail system, such as Microsoft Exchange, the system administrator usually has the ability to force your e-mail client to return read receipts, so beware!
Web Bugs
A more sophisticated tracking system is achieved through web bugs. In Lessons 1 and 2, you learned how adware systems are used to track your Web browsing and application usage habits. The same principle applies to e-mail. Using HTML e-mail, a spammer can include a reference to a script on its server that's executed every time the e-mail is opened and the content is loaded. To achieve this, a single pixel, transparent GIF image is included in the e-mail. This GIF is invisible to the reader, but essential to the tracking system. When your e-mail client loads the image, the tracking script on the spammer's server is executed, completing the vicious cycle. This is the reason you should never open an e-mail you have good reason to believe is spam.
If you forward an e-mail with a Web bug in it, the spammer will know exactly who you forwarded it to and retrieve personal information on them. E-mail client security vulnerabilities are an absolute goldmine for spammers, the chief culprit being IFRAMEs, which are discussed in the following section.
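Both tracking mechanisms described in this section can be spotted before a message is displayed: the read receipt request is a header, and the Web bug is a remote image that is either one pixel in size or carries a per-recipient token in its URL. This added example (not from the lesson; the message, host names and tracking URL are constructed) inspects a raw message and reports what would fire if it were opened:

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not from the lesson): an HTML message that asks for a
# read receipt and embeds a single-pixel remote image keyed to the recipient.
RAW_MESSAGE = """\
From: offers@example.net
To: you@youraddress.com
Subject: Special offer
Disposition-Notification-To: offers@example.net
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Great deals inside!</p>
<img src="http://track.example.net/open.gif?id=you%40youraddress.com" width="1" height="1">
<img src="http://images.example.net/banner.jpg" width="468" height="60">
<img src="cid:logo@example.net">
</body></html>
"""


class ImageCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the HTML body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append(dict(attrs))


def is_remote(img):
    return urlparse(img.get("src") or "").scheme in ("http", "https")


def is_web_bug(img):
    """A remote image that is invisible or carries a per-recipient token."""
    if not is_remote(img):
        return False                     # cid: and data: images never leave the client
    tiny = img.get("width") == "1" and img.get("height") == "1"
    tagged = "?" in img["src"]           # query string usually identifies the reader
    return tiny or tagged


def analyze(raw):
    """Return the tracking mechanisms a message would trigger when displayed."""
    msg = message_from_string(raw, policy=policy.default)
    findings = {
        "read_receipt": msg["Disposition-Notification-To"] is not None,
        "remote_images": 0,
        "web_bugs": [],
    }
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings                  # plain text: nothing is fetched on open
    parser = ImageCollector()
    parser.feed(body.get_content())
    for img in parser.images:
        findings["remote_images"] += is_remote(img)
        if is_web_bug(img):
            findings["web_bugs"].append(img["src"])
    return findings
```

A client that refuses read receipts and does not fetch remote images defeats both mechanisms, which is exactly what the plain-text and no-preview advice in Lesson 4 achieves.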
6. PRACTICAL BAYESIAN FILTERING
One of the most effective desktop Bayesian filters available is SpamBayes, shown in Figure 4-4. SpamBayes is an Outlook plug-in that monitors incoming e-mail and applies Bayesian filtering before it arrives in your inbox. It's extremely easy to configure, and very effective at filtering spam.
To begin using SpamBayes, simply download the Outlook add-in and follow the installation wizard. You're asked to supply two sets of e-mails: one set of spam and one set of ham. If you don't have enough spam to train SpamBayes at the moment, simply skip the configuration and wait a few days until enough has built up in your inbox. You can then restart the training process by opening the SpamBayes manager from the toolbar icon, selecting the Training tab, and then clicking Start. Figure 4-5 shows SpamBayes processing the selected spam and ham folders:
You'll find that within a week of training SpamBayes, the spam you receive will be cut down dramatically.
One extremely interesting feature of SpamBayes is the ability to see the clues used to detect whether a message is spam or ham. When you select an e-mail (either spam or ham), and then select Show spam clues for current message from the SpamBayes menu, SpamBayes generates a statistical summary for you, similar to the one shown in Figure 4-6:
It can be very interesting to see exactly which words and phrases trigger the Bayesian filter!
Network Bayesian Filtering
If you have more than one computer that downloads e-mail, you might find it practical to use a different type of filtering system. Because the Outlook Junk E-mail filter and SpamBayes are client-side filtering systems, they can only protect the computer on which they're installed. To provide more comprehensive spam filtering from a single computer, inline spam firewalls are used. Spam firewalls such as No Spam Today are similar to a proxy server in that they sit between your ISP's e-mail server and your home network, scanning all incoming e-mail regardless of which computer it's destined for.
One of the best programs in this genre was SpamAssassin; however, McAfee has commercially discontinued the product and absorbed its functionality into a different suite.
Inline spam firewalls are favored by large organizations for a number of reasons. First, they're easier to manage than individual desktop filters -- although users lose the individual control over their spam filtering, from a corporate point of view, the overall result is far more effective. Second, once an organization is sufficiently large, the licensing costs for desktop applications become enormous. It's far more economical to spend $2,000 on one spam firewall than to buy 1,000 desktop licenses at $5 or $10 each. The more popular corporate spam firewalls include the Barracuda and GFI Mail Essentials.
Moving On
Congratulations on completing this course! Over the last four lessons you've learned a lot of technical information and practical steps about how to stay safe on the Internet. Spyware and spam are serious issues, but they can be managed with the right knowledge and tools.
The learning process never ends, and there's always something new to investigate! This course has given you a solid knowledge foundation in the world of spyware and spam, as well as the tools to protect yourself. Although the threats and issues may slowly change in future, the basic principles won't.
Make sure you do the assignment and take the quiz for this lesson; they cover elements from all four lessons and will help fill in any gaps. Finally, don't forget to stop by the Message Board to discuss spyware, spam, and security issues with your instructor and fellow students.
