SearchExchange.com member: Looking at the raw header of a message, is there a way to track the message back to the originator?
Spammer-X: You could trace it back to where the mail came from, but that may be a compromised machine, and will probably not be the address of the spammer. So no, there really is no way to track a spammer down by looking at headers.
SearchExchange.com member: My company has zero tolerance for false positives, but complains about the spam we have been receiving since I was told to turn off our filters. Do you have any suggestions? I know it's sort of a Catch-22.
Spammer-X: Yes, it's a Catch-22 all right. Bayesian filters will help with this, filters that only mark spam if you personally declare it spam. Try network-level filters, deny mail sent from DSL and cable, and use other filters that are not content-based. But, really, you should run all filters and just tune them correctly. If your company is really worried, try only flagging spam as spam, not deleting it.
SearchExchange.com member: How can a company block foreign-language spam?
Spammer-X: Look for foreign characters, or a character set that identifies Unicode or some other non-English setting.
SearchExchange.com member: Do botnets set up SMTP servers on compromised machines and then retrieve spam from a centralized or decentralized "server"?
Spammer-X: No, usually they only act as entry points for a spammer. As dumb mail relays, they are only there to hide the source IP address, like a proxy server.
SearchExchange.com member: What is the best way to detect a botnet working within a LAN?
SearchExchange.com member: How does a hacker control who uses his botnet?
Spammer-X: Usually, each client in the botnet will connect to an IRC server and sit in a channel. They take commands from a master (who has the password). The master can set up the clients to accept spam for delivery or change the port they listen on.
Spammer-X: They help, but botnets really disable them. When you have 30,000 new hosts sending spam, it can take a while for those hosts to be added to Spamhaus. This is why botnets are so popular.
SearchExchange.com member: Do you have any favorite DNS blacklist providers, or are they not reliable?
Spammer-X: Use them. Use every one available.
SearchExchange.com member: What's the purpose of sending spam that is full of garbage/unreadable content?
Spammer-X: To bypass content-based, keyword filters. Spam that has many 'passive' words, such as "Jack the rabbit went to the store 33 2003-Jan," looks more legitimate, even if it contains "Buy Viagra here." It's to beat a frequency analysis.
SearchExchange.com member: I am still not sure how the e-mail lists are getting out to the spammers. Do they attack e-mail servers directly to harvest the e-mail addresses? Are there certain SMTP commands that should be blocked?
Spammer-X: Well, yes, some try traversals, like trying to deliver a message to A@user.com, firstname.lastname@example.org, etc. This can be stopped with tarpitting, where each sequential message takes a longer time to be delivered. However, a majority of spammers just hack into mail servers or subscription programs and steal the subscribers. It's easier than you think.
SearchExchange.com member: I notice most spam is only a few K, but I am also seeing more and more spam that is upwards of 30 K. Is size becoming less of a barrier?
Spammer-X: It's harder and there is more setup cost involved, but the returns are greater for the spammer. I think the wide penetration of broadband has given spammers access to more bandwidth. This is why you're seeing larger spam being sent.