On the origin of spam

So you received another spam e-mail message. On the surface it seems rather ordinary. It’s an advertisement for a handful of brand-name prescription drugs. When viewed from your e-mail client, you can tell that it’s clearly HTML — having brightly colored text with an image above the text. The image, loaded automatically by your client, comes from some .com domain according to the e-mail’s HTML source code.

The colored text is in English as is the verbiage on the image itself which appears above and below pictures of various meds. They spelled “which” incorrectly as “wich” on the image. That’s a little odd. You look at the e-mail message header. In it there are several SMTP “Received:” headers. With a cursory inspection, you can see that the first few “Received:” headers identify which of your organization’s Mail Transfer Agents (MTAs) touched the e-mail. This isn’t too surprising since you know that all MTAs between the source and destination are supposed to have left their mark by minimally saying that mail passed through them.

It’s the “Received:” header at the bottom of the list that you find most interesting. Like the “Received:” headers preceding it in the list, the bottommost “Received:” header identifies two systems. The second happens to be an MTA that is part of your organization. The IP address near the start of the “Received:” header either belongs to the spammer or a compromised system. This header including the IP addresses was created by your organization’s trusted MTA when it accepted the message. Plugging that first, unrecognized IP address into GeoIP ® from MaxMind ® reveals the address to be from Russia. From Russia, huh? Probably not, from Russia with love (queue the James Bond music).

From your perspective that is where the spam “originated.” This means that unless the IP address space was hijacked long enough to send the spam messages that reached your trusted MTA, then the system that connected to your mail server was most likely in Russia. Now, I didn’t say the spam definitely came from Russia. We just have some confidence that mail received by your MTA originated there.

What’s the difference? It could be that someone in the U.S. (or wherever) who doesn’t know how to spell basic words like “which” is using a compromised “zombie machine” (or more likely many, many zombie machines) over in Russia to route his spam e-mail to your MTA and you. Or perhaps that same spelling-challenged spammer is using some Russian mail server that they discovered to be configured as an open-relay to route his spam message to your MTA and you. Either way, the spam e-mail message may have actually come from a far-away land different than where the spam message received by you originated.

Share this