Preventing SPAM and E-mail Viruses

By Bill Drennon

Director of Technology

Central Valley Christian School

Of all the services provided via the Internet, e-mail is probably the one that most of us can least afford to see disrupted. It is also the conduit through which most mischief to our computers and networks arrives. It is important for us to learn how e-mail systems can be abused and how to prevent such abuses of our email accounts. The two worst pieces of mail to find in our mailboxes are spam and virus-infected attachments. Spammers have learned how to probe servers for user account information, "harvesting" addresses not only from Web pages but also from "worms" that attach to Microsoft documents. Self-propagating mailware, in the form of Trojan horses such as ILOVEYOU, can burden or even halt e-mail servers and bring networks to a standstill, as it did to the servers of the British Parliament in early 2000.

This paper will describe some common threats to your email accounts, many of which we are defenseless against by default, and ways that you can minimize damage. The techniques mentioned here implement most of the recommendations mentioned throughout the net as "Best Current Practice" regarding spam.

What is Spam?

Spam is foul-smelling, terrible-tasting canned meat that as a boy I was often forced to eat. I hated it! I cannot overemphasize how much I hated it. I hated its smell. I hated its taste. I usually wound up sneaking it into a trash receptacle. That is how I feel about certain unsolicited commercial email that winds up in my internet e-mail inbox. Thus, it is very appropriate that this royal pain was crowned "spam". May the name stick to unwanted, distasteful, unsolicited, commercial email and never again be associated with any food that I ever have to push down my alimentary canal!

There is an inherent conflict between the openness of allowing free contact and securing a post box from unwanted spam. On the one hand, we find it pleasant to be contacted by a long-lost friend. Yet, on the other hand, the same openness that allows an old friend to contact us via email allows ambitious unwanted solicitors to find us. To force our email servers to block spammers completely would also block wanted contacts. Thus, a reasonable compromise must be reached.

HOW TO AVOID GETTING ON SPAMMERS' LISTS

The best defense against spam is to not get on a spammer’s list in the first place. Knowing how you get on spammer’s lists can help you prevent being added to their infamous lists.

Newsgroups Many spammers go through newsgroup listings to get their email addresses. In order to post a comment in a newsgroup, you must include an email address, but nothing says you have to give your real email address. Either give an unused email address that you set up with something like Hotmail or Yahoo, or make up an email address, such as someone@somewhere.com. If you want a real email reply from a newsgroup, you can mangle your email address. That is, write it in a way that a real person can tell what your correct email address is, yet a spammer's email-address harvesting web-bot cannot. Let us suppose that your username is bestteacher@cvc.org. Tell your recipients to send email to bestteacheratcvcdotorg, or to send email to usernameatcvcdotorg where my username is bestteacher with no spaces between best and teacher. Get the point? A robot cannot figure that out, but most humans can … except possibly some Palm Beach County voters. You can also give a web page URL (address) that contains an emailing form instead of an actual email address.

Webpage Listings There are programs that act as robots going through web pages collecting email addresses. Thus, how do you post email addresses so that friends can find you without spamming programs discovering you? Normally, email links are written in HTML (hypertext markup language) as "<a href=mailto:username@somewhere.com></a>". Spam harvesting programs look for the form "username@somewhere.com". You can foil this by posting your email address as a graphic file, such as a "gif". Thus, a real person seeing your webpage would be able to read your email address. However, the spam harvesting robot would only see "<img src="myemailaddress.gif"></img>" and never guess that it is an image containing your email address. Another way to spoil a spam harvesting robot's visit to your web page is to display your email address in a cryptic form of HTML that is still seen correctly by humans. For example, in the code for a webpage, if you write:

&#109;ailto&#58;username&#64;somewhere&#46;&#99;om

a spam-harvesting robot will never detect it as an email address. Yet it performs the task of

mailto:username@somewhere.com

How can it do that, you ask? Well, "&#109;" is the character code for "m", and that is what is displayed on the screen. Likewise, "&#58;" is the colon (:), "&#64;" is the @ sign, "&#46;" is the period, and "&#99;" is a "c". This coding of key letters and symbols is the best way to have a workable email link on a webpage without giving a spam-harvesting web-bot any email addresses!
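The character-reference trick described above, as an added example that is not part of the original paper: it builds the entity-encoded mailto link and then runs two hypothetical scanners over it, one that matches the raw page source (which finds nothing) and one that decodes the references first (which finds the address). The regex and function names are assumptions made for this illustration.

```python
import html
import re

# Pattern a naive address harvester might use: it scans the raw HTML for the
# literal form user@host.tld and never decodes character references.
NAIVE_EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def entity_encode(text):
    """Rewrite every character as a decimal HTML character reference, e.g. 'm' -> '&#109;'."""
    return "".join(f"&#{ord(ch)};" for ch in text)

def obfuscated_mailto(address):
    """Build an <a href> whose mailto: target is entity-encoded, as on the page."""
    return f'<a href="{entity_encode("mailto:" + address)}">contact me</a>'

def naive_harvest(page_html):
    """Addresses a raw-text scanner finds in the page source."""
    return NAIVE_EMAIL_RE.findall(page_html)

def entity_aware_harvest(page_html):
    """Addresses found once character references are decoded first (the limit of the trick)."""
    return NAIVE_EMAIL_RE.findall(html.unescape(page_html))

if __name__ == "__main__":
    link = obfuscated_mailto("username@somewhere.com")
    print(link)                                         # the browser still renders a working link
    print("raw scan:    ", naive_harvest(link))         # []
    print("decoded scan:", entity_aware_harvest(link))  # ['username@somewhere.com']
```

The second scanner shows the caveat: the encoding only defeats robots that match on raw source, since any HTML parser decodes character references before matching.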

Address Harvesting Through Domain Name Registries Some email servers publish their user lists, or open them up to "finger" or other protocols from which spammers can obtain email addresses. We do not do that at "cvc.org". Avoid email servers that allow publishing of email addresses if you want to avoid spam.

Rumplestiltskin Attacks We have certainly had a lot of "Rumplestiltskin" attacks on our cvc.org email server. A spammer will try to guess email names ending in cvc.org. We will get john@cvc.org, mary@cvc.org, etc. After common names have been exhausted, numbers are added to the common names, such as mary1@cvc.org, mary2@cvc.org. Other programs will take known usernames from their list and end them with cvc.org. Thus, once you are on a spam list, I suggest changing your username completely, even if you change email servers. For example, if you were thehunk@hotmail.com and got on a spam list, expect a Rumplestiltskin attack on thehunk@cvc.org on our email server. Use a unique username to help avoid spam.
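A server-side way to spot the name-guessing pattern just described, as an added example that is not from the paper or the cvc.org server: it tallies "user unknown" rejections per sending relay over a few constructed log lines (a simplified format, not real sendmail output) and flags relays that exceed a threshold, while a genuine sender's single typo stays below it.

```python
import re
from collections import defaultdict

# Constructed log lines in a simplified "relay= rcpt= status=" form (not real
# sendmail output): one relay guesses names the way the text describes, while a
# real correspondent mistypes a single address before getting it right.
SAMPLE_LOG = """\
relay=203.0.113.5 rcpt=john@cvc.org status=user-unknown
relay=203.0.113.5 rcpt=mary@cvc.org status=user-unknown
relay=203.0.113.5 rcpt=mary1@cvc.org status=user-unknown
relay=203.0.113.5 rcpt=mary2@cvc.org status=user-unknown
relay=203.0.113.5 rcpt=bestteacher@cvc.org status=ok
relay=198.51.100.7 rcpt=bestteachr@cvc.org status=user-unknown
relay=198.51.100.7 rcpt=bestteacher@cvc.org status=ok
"""

LINE_RE = re.compile(r"relay=(\S+) rcpt=(\S+) status=(\S+)")

def unknown_recipient_counts(log_text):
    """Count rejected (user-unknown) recipient attempts per sending relay."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(3) == "user-unknown":
            counts[m.group(1)] += 1
    return dict(counts)

def probing_relays(log_text, threshold=3):
    """Relays whose unknown-recipient count reaches the threshold: likely name guessing.

    A single typo from a genuine sender stays below it; a relay walking through
    john, mary, mary1, mary2 does not.
    """
    return sorted(relay for relay, n in unknown_recipient_counts(log_text).items()
                  if n >= threshold)

if __name__ == "__main__":
    print(unknown_recipient_counts(SAMPLE_LOG))  # {'203.0.113.5': 4, '198.51.100.7': 1}
    print(probing_relays(SAMPLE_LOG))            # ['203.0.113.5']
```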

CC Emails Do not send mass emails using carbon copy. If such a message is forwarded to others, the address list may eventually end up on a spam list. Instead, send mass mail using blind carbon copy (BCC) and ask others to do the same. There is only one setback: if a person rejects BCC email, they may not get your message.

WEB PAGE FORMS Sometimes web pages ask for your email address, or freeware asks for your email address in return for your use of the software. Use the same procedure as with newsgroups. If you do not really want to hear from these folks, write the email address so that you won't hear from them. Otherwise, give your email address but encrypt it when possible.

Trojan Worms, Worms Computer viruses and "Trojan horse" programs have plagued computer users since the early days of personal computing. At first, non-propagating Trojan horse programs, boot-sector viruses, and program-infecting viruses were the norm. Internet users now face constant attacks from self-propagating mailware such as Melissa, Happy99, PrettyPark, ExploreZip and ILOVEYOU: Trojan horse programs or Trojan "worms". These programs usually require the recipient to activate them. Once activated, they propagate on their own to new victims (as does a parasitic worm). They use social tricks; for example, the ExploreZip worm gives this message:

" I received your email and I shall send you a reply ASAP. Till then, take a look at the attached zip docs. "

Actually, the attachment is an executable file which appears at first glance to be a harmless zip file. It is in fact a copy of the worm. Sometimes the email comes unwittingly from a trusted friend. This worm has a nasty payload. It destroys files not on the host computer itself but on drives to which the computer is connected via the network. Worms can discover passwords and email addresses on the host computer or on shared network computers and FTP or email them to others, creating more spam victims and tying up network lines and Internet lines. ActiveX exploits, mail software exploits, and Microsoft Word exploits are common in email attachments.

Invasion of Privacy and DoS attacks via E-mail Some spammers now place hidden JavaScript, Java classes, and "clear gifs" called "web bugs" inside an email. The image is retrieved by HTTP so that the sender can tell if the email has been opened. Sometimes this information is relayed to others along with your email address. Often "cookies" are left on the machine if browser software is used to read the mail. When an email is opened, a malicious script can prevent the window from closing, or freeze the browser or even the entire machine. A script can also automatically open unwanted ads and even pornography. The best prevention is to not open email that you suspect is spam.

NEVER ANSWER SPAM! Whenever you answer spam, you reward the spammer. He knows you opened his email! Also, you will go on a high priority list for spam because they will know that the spam was successful. This is true, even if you are trying to ask to be removed from their list.

DEFENCE ONCE WE ARE ON SPAMMERS' LISTS

Once you get on a spammer's list, your first line of defense is the email server. It can be configured to block known spammers and to look out for telltale signs of spam, in order to at least reduce spamming email. We try to do that with our "cvc.org" Internet email server. Yet it is sometimes hard to determine whether an email is requested commercial email or spam. If you have email with Hotmail, you can request that any email coming to you via BCC (blind carbon copy) or coming from known spamming email addresses be blocked. We have filters in place to avoid much spam on our "cvc.org" email server. Yet there are signs that you can watch for, too, so that you do not have to give spammers the victory once email hits your inbox.

Spammers have very low character. The same character that invades the privacy of your inbox pushes low-life products such as get-rich-quick-without-working schemes, buy-a-degree-without-going-to-school schemes, pornography, etc.

Spam does leave telltale signs when trying to enter your email box that on-the-ball mail servers can stop. Our server at "cvc.org" goes a long way toward stopping such spam. Yet it is not perfect. You can avoid opening those that get through, defeating the intent of the spammer, by being aware of these signs:

    1. An invalid "From" address, sometimes violating known constraints on addresses in the domain where it claims to have originated. [For example 76598@aol.com – you cannot use all numbers in an aol.com email address. Don't open email from such addresses.]
    2. An invalid or unresolvable host name in the "From" or "To" address. [Our email server tries to catch that and reject such email. Other email servers let it go. After being spammed enough, you will recognize some bogus addresses and avoid opening such email.]
    3. Extensive use of blind carbon copy (BCC), often in conjunction with spoofing in other headers. [If your name is not on the To list, it is likely spam]
    4. Direct SMTP transmission from a host without a fixed IP address (often a throwaway free dialup account) [This is most easily caught by the server.]
    5. Receipt of the message from a mail server which does not enforce restrictions upon relaying. (For example, we have tight restrictions on who can use SMTP to transmit mail through our server, but some servers on the net are totally open and ripe for spammers' use. They particularly like schools with high bandwidth but few user accounts.) [This is most easily caught by the server.]
    6. Receipt of the message from an IP address, netblock, or domain matching a known spammer or "spamhaus". [Servers can often catch this from published lists. However, after being pestered by some of these spammers, you can also recognize the return address of common spammers.]
    7. Message text, which is identical or very similar to that of previously broadcast spam.
    8. Unusual headers, or telltale errors in headers, which betray the use of spamming software.
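Four of the signs above (1, 2, 3 and 6) expressed as a header check, as an added example rather than the filtering the cvc.org server actually runs. It parses a constructed message with Python's standard email module; the "known spammer" domain list and the table of hosts that "resolve" are constructed stand-ins so it runs offline, where a real server would consult a published list and DNS.

```python
import email
from email.utils import getaddresses, parseaddr

# Constructed stand-ins so the example runs offline (assumptions, not real lists):
# a "known spammer" domain list and the set of From-domains that "resolve".
BLOCKED_DOMAINS = {"bulkmailer.example"}
RESOLVABLE_HOSTS = {"aol.com", "cvc.org", "somewhere.com"}

# Constructed messages: one carrying two of the signs above, one clean.
SPAM_SAMPLE = """\
From: 76598@aol.com
To: friend@somewhere.com
Subject: Make money fast

You have been selected.
"""
GOOD_SAMPLE = """\
From: Old Friend <oldfriend@somewhere.com>
To: bestteacher@cvc.org
Subject: Hello again

Long time no see.
"""

def spam_signs(raw_message, my_address, resolvable=RESOLVABLE_HOSTS, blocked=BLOCKED_DOMAINS):
    """Return which of signs 1, 2, 3 and 6 from the list above the message shows."""
    msg = email.message_from_string(raw_message)
    signs = []
    _, sender = parseaddr(msg.get("From", ""))
    local, _, domain = sender.rpartition("@")
    domain = domain.lower()
    # 1. Address violating a known constraint: aol.com local parts are never all digits.
    if domain == "aol.com" and local.isdigit():
        signs.append("invalid-from-format")
    # 2. Host part of the From address does not resolve (table lookup stands in for DNS).
    if domain not in resolvable:
        signs.append("unresolvable-from-host")
    # 3. Our address is absent from To/Cc, so the message arrived via BCC.
    visible = {addr.lower() for _, addr in
               getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    if my_address.lower() not in visible:
        signs.append("recipient-not-in-to")
    # 6. Sending domain matches a known spammer list.
    if domain in blocked:
        signs.append("known-spammer-domain")
    return signs

if __name__ == "__main__":
    print(spam_signs(SPAM_SAMPLE, "bestteacher@cvc.org"))  # ['invalid-from-format', 'recipient-not-in-to']
    print(spam_signs(GOOD_SAMPLE, "bestteacher@cvc.org"))  # []
```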

Conclusions

Spam and mailware, like athlete’s fungus, will always be a nuisance when using email, but a combination of correctly configured email servers and wisdom on the part of the computer user can render the harm minimal.

I suggest that at CVC you not open any email attachment and delete obvious spam without opening it. If you want to see if a downloaded file or attachment contains a virus or worm because you do not have an up-to-date anti-virus program, send the program over to your folder in the lab server and I will check it out for you.