A Toe in Legit Waters: The Latest Shift in Spammer Technique

Opinion: Why are spammers starting to use valid return addresses on mail? There are many possible reasons, but one stands out.

There's no lower form of life than the mass spammer. They've tried every abuse and malformation of e-mail standards to get their vile product through to us, and now they've sunk to the level of adhering to standards. At least a little. It won't help them much.

A couple of weeks ago I read an analysis titled "Fewer Spammers Forging the Sender Header" by Richi Jennings of Ferris Research, which follows the messaging industry closely.

For a very long time, of course, spammers have forged the From: header in e-mail messages, and potentially the Sender: header as well. The From: is the header that the user sees in their mail client as the sender of the message. Forging it is meant either to make the recipient think the message is from someone they want to hear from or simply to confuse them.

Forging the From: address is technically trivial, and the general public has been told so for years. That the From: address is unreliable is probably one of the few "true facts" about security that most users have actually absorbed.

For years there have been serious industry efforts toward rectifying the situation by adding authentication of the From: and other identifying headers. The leading effort now is clearly DKIM (DomainKeys Identified Mail—it has a long list of supporters). But actual implementation is still rare.

So why is Ferris Research, in its own analysis of spam it is monitoring from its own spam traps, seeing an increase in the use of valid return addresses? It speculates on several possibilities.

First, it's illegal, at least in the United States, to forge a From: header. As the company notes, this is unconvincing, along the lines of it being illegal to double-park while you're running into the bank to rob it.

Second, Ferris Research cites the increased use of authentication standards such as DKIM and others, especially SPF. A simple and naive implementation of these standards might allow a message to get through by simply having a valid sender address.

A little clarification is necessary here: SPF only authenticates the "envelope" address, which is not the same thing as the From: address the user sees, although the same basic point holds: if one provides a valid envelope address, SPF will pass the message. Also, when properly implemented, the other standards check more than just the From: address, and a spammer would have to be careful about them. Finally, responsible authentication advocates have always recognized that authentication is useless in the absence of reputation information. In other words, I may know who the sender is, but I also need to know whether he is a trustworthy sender.
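To make the envelope-versus-From: distinction concrete, here is an added example (mine, not from the column) of a minimal offline SPF-style check: the SPF records and reputation table are constructed stand-ins for DNS TXT lookups and a reputation feed, and the sample message is constructed too. It shows a message whose envelope sender passes SPF while the From: domain the user sees is a different, unrelated domain, which is exactly why an SPF pass on its own says nothing about trust.

```python
# Added example (not from the column): an offline SPF-style check that separates
# "the envelope sender passed SPF" from "the From: domain is trustworthy".
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed SPF records standing in for DNS TXT lookups (assumption, not real domains).
SPF_RECORDS = {
    "bulk-sender.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "bank.example": "v=spf1 ip4:198.51.100.10 -all",
}
# Constructed reputation data; a real filter would consult a reputation service.
REPUTATION = {"bank.example": "good", "bulk-sender.example": "bad"}

def spf_check(domain, sending_ip):
    """Evaluate only ip4 mechanisms plus a -all/~all terminal; enough for the demo."""
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sending_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return "pass"
        if term == "-all":
            return "fail"
        if term == "~all":
            return "softfail"
    return "neutral"

def domain_of(addr):
    """Extract the lower-cased domain from 'Name <user@domain>' or 'user@domain'."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def assess(raw_message, envelope_from, sending_ip):
    """Return the SPF result for the envelope domain, whether it aligns with the
    From: header, and the reputation of both domains."""
    msg = message_from_string(raw_message)
    env_domain = domain_of(envelope_from)
    from_domain = domain_of(msg["From"])
    return {
        "spf": spf_check(env_domain, sending_ip),
        "aligned": env_domain == from_domain,
        "from_reputation": REPUTATION.get(from_domain, "unknown"),
        "envelope_reputation": REPUTATION.get(env_domain, "unknown"),
    }

# Constructed sample: a valid, SPF-passing envelope sender carrying a forged From:.
SAMPLE = "From: Customer Service <alerts@bank.example>\nSubject: Reply to confirm\n\nPlease reply.\n"
RESULT = assess(SAMPLE, "campaign@bulk-sender.example", "203.0.113.7")
```

A filter that stops at `spf == "pass"` accepts this message; one that also checks alignment and the envelope domain's reputation does not.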

Third, Ferris notes that it's common for spam filtering to analyze a message for a "call to action," which asks the user to call or fax a phone number, or click on a Web link. A message which asks the user simply to reply is harder to distinguish from normal mail. Well, they say it is; I think this is just a theory.

Finally, Ferris theorizes that the novelty of spam with a legitimate return address will confuse abuse desks, who will not notice that it's the sender domain that is responsible for the message.

The only one of these four that is really convincing is the second one, the attempt to slip through authentication systems. The others are interesting theories (maybe not the last one), but they're not worth a major change in spamming strategy.

I'll take it all a step further and tie it in with another trend that was noticed several months ago and which I've heard about recently from vendors in the anti-spam business: an increase in the amount of spam sent from botnets (nearly all spam is sent through botnets) through the ISP's mail server as opposed to directly out port 25 to the recipient. ISP-based mail security isn't usually as good as it should be, but it might pick up a phony From: address.

None of this especially impresses me as a spamming technique. Even before spammers began implementing SPF, it was recognized that they would, and only a fool would ascribe any credence to a message simply because it passed authentication. As a practical matter, a valid address on a spam campaign might slow the automated recognition of it as spam, but once it's recognized, the address makes the spammers easier to track down.

It's odd how spammers in the last year or two have not really come up with anything new to try. In many ways the march of spam has been thrown back a bit and weakened as big ISPs in the United States and elsewhere have finally begun to tighten up their networks. Keep an eye out for developments this year in e-mail authentication and reputation, which could tilt the situation against spammers for the first time ever, and stupid spamming tricks like valid addresses won't help them any.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

Check out eWEEK.com for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.