Wasted Spam Bits and the Lazy/Stupid Factor

By Larry Seltzer  |  Posted 2006-07-24

Opinion: Spammers can't be bothered to write proper software or clean up their lists, and the Internet is thus filled with phantom bits that can do nothing but clog the wires.

For several years, until the end of June, I self-hosted my e-mail. My ISP, atypically, offers static IP addresses, and I ran my own mail server and had several domains registered here. It's no surprise I got a lot of spam delivered here, especially through e-mail addresses published for years in articles I've written. But I thought when I moved my domains, that would change. At the end of June I moved my domains to a hosting account and the DNS for those domains, including the MX records (which point to the mail servers).
I removed all the domain records from the mail server, but in order to check for errors, I left the server on and logging.

It's more than three weeks later now, and guess what? Mail is still pouring into my server here. I didn't think it possible, but the whole episode has actually lowered my opinion of spammers. They're still at zero Kelvin on the morality scale, but my sense of their competence has taken a beating.

When you send e-mail, for instance to larryseltzer@ziffdavis.com, at some point a mail transfer agent in the process of delivering your message will look at the "ziffdavis.com" part of it, query DNS to see what the MX record is, and attempt to deliver it to that server. Exactly how this happens depends on a lot of variables, but I think I've described the essential parts fairly.

In my case, on June 30 I changed the authoritative DNS for my e-mail domains and set the new DNS to point to a different server. DNS working the way it does, conventional wisdom says that it takes a few days for these changes to replicate out to the Internet as a whole.

There's also the lesser issue of TTL, or Time To Live, which defines the lifetime of a DNS cache entry. In order to spare DNS servers from constant beatings in times of heavy traffic, clients are designed to cache entries for a period of time defined in the DNS as the TTL. My TTL is one hour, so it couldn't explain a long-term problem.

By the third day, it seemed to me that all the legitimate mail had moved on to the new servers and everything left was nakedly illegitimate. Every single message sent to my server since then has been rejected with an SMTP 551 error: "User not local. Authentication required for relay."


So, if no DNS records out there point back to my home server, why are the spammers still sending to me? Because the zombies or bots out there sending this mail have been instructed not to follow the SMTP protocol: They don't look up the MX server of the destination address; they have been given a specific IP address of a server to use.

I suppose there's an efficiency in this from one point of view, in that it removes some DNS lookups. And perhaps a bot installed on a broadband client system that performed a large number of MX DNS lookups would look suspicious and draw attention. Of course the bursts of mail going out on port 25 should also draw attention, but they don't actually seem to often enough.

Looking back at the last few messages, I see not only attempts to send mail to me but several messages from some user somewhere (undoubtedly with a fake From address) to some other user somewhere else, not on my servers. In other words, these messages assume I'm an open relay. I'm not. I don't think I ever have been.
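As an added illustration (not code from the column), the script below separates the three kinds of traffic described here, conforming MX-based delivery, stale hard-coded-IP delivery to a decommissioned server, and open-relay probes, using a constructed DNS table and constructed log lines in place of live lookups; the domain names, addresses and log format are all assumed.

```python
from collections import Counter

# Constructed stand-in for DNS (no live lookups): domain -> [(preference, mx host)], host -> IP.
MX_TABLE = {"example.org": [(20, "mx2.host.example"), (10, "mx1.host.example")]}
A_TABLE = {"mx1.host.example": "203.0.113.10", "mx2.host.example": "203.0.113.11",
           "nomx.example": "203.0.113.50"}
LOCAL_DOMAINS = set()                 # the old server hosts no domains any more
FORMER_DOMAINS = {"example.org"}      # domains this server used to accept mail for
MY_IP = "198.51.100.25"               # the old server's address, no longer in any MX record

def delivery_targets(domain):
    """Where a conforming MTA would deliver for `domain` (RFC 5321 section 5.1):
    MX hosts in ascending preference order; with no MX record, the domain's own A record."""
    mxs = sorted(MX_TABLE.get(domain, []))
    if not mxs:
        ip = A_TABLE.get(domain)
        return [ip] if ip else []
    return [A_TABLE[host] for _, host in mxs if host in A_TABLE]

def classify(line):
    """Classify one constructed log line of the form 'src=IP from=ADDR to=ADDR'."""
    f = dict(kv.split("=", 1) for kv in line.split())
    rcpt_domain = f["to"].rsplit("@", 1)[1].lower()
    if rcpt_domain in LOCAL_DOMAINS or MY_IP in delivery_targets(rcpt_domain):
        return "legit"      # we host it, or DNS (still, e.g. within TTL) points here
    if rcpt_domain in FORMER_DOMAINS:
        return "stale"      # DNS moved on; the sender is using a remembered IP, not MX
    return "relay"          # neither ours nor a former domain: sender assumes an open relay

def smtp_reply(cls):
    """The reply a non-relaying server gives; 551 is what the column's server logged."""
    return "250 OK" if cls == "legit" else "551 User not local. Authentication required for relay."

def summarize(log_text):
    """Tally classes, and the source IPs behind the non-legitimate traffic."""
    classes, sources = Counter(), Counter()
    for line in log_text.splitlines():
        cls = classify(line)
        classes[cls] += 1
        if cls != "legit":
            sources[line.split()[0].split("=", 1)[1]] += 1
    return classes, sources

# Constructed sample log: two sources, each mixing stale delivery with a relay probe.
LOG = """src=192.0.2.7 from=promo@bogus.test to=larry@example.org
src=192.0.2.7 from=promo@bogus.test to=victim@unrelated.test
src=192.0.2.9 from=deal@bogus.test to=larry@example.org
src=192.0.2.9 from=deal@bogus.test to=user@nomx.example"""
```

Running `summarize(LOG)` on the sample gives two stale deliveries and two relay probes, all of which a correctly configured server answers with 551.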

Incidentally, I have some numbers on the ISPs of the systems sending the traffic to me. By far the greatest number, 88 out of 337, were on Comcast. 66 were on Road Runner, and 24 on AT&T/SBC. The rest were generally on far-eastern networks.

It's tempting to think that spammers are rational actors and that what they do is designed to increase the chances that their e-mail gets delivered, but the fact is that a lot of spammers are stupid about their programming and lazy about maintenance.

What percentage of e-mail traffic on the wire is so broken in this and other ways that it literally has no chance of being delivered? My next column will have more tales of wasted and abusive Internet traffic, and something to do about it.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. He can be reached at larryseltzer@ziffdavis.com. Check out eWEEK.com for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.
Larry Seltzer has been writing software for, and English about, computers ever since, much to his own amazement, he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publications.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
