Determining the Source of 'Self' Spam
By Avner Izhar — February 2009
Q: My employer is getting a ton of spam delivered to work e-mail accounts. The messages appear to come from inside the organization, but we have not sent them. What’s causing this, and how do I correct it?
A: This problem can be caused by two major sources. The first is spammers who fake the “from” field in the e-mails they send. The second is a malware application running on your computers and sending e-mails without you being aware of it.
How can you tell which one is causing the e-mail messages in your inbox? If the message is coming from “yourself,” it is more likely that it is from spammers faking the “from” field. If the message appears to come from someone else in the organization, it’s probably being caused by malware running on his or her computer.
Of the two, malware is much more dangerous. For example, in 1999, the Melissa worm, which was a Microsoft Word macro that sent itself to the first 50 contacts in a user’s Outlook address book, quickly spread across the Internet and caused overloaded mail servers to fail. That attack kept us IT professionals very busy for two weeks. Some companies even had to bring down their mail servers to stop the infection cycle until a patch was released.
The way to protect against such threats is to make sure you are using a reliable personal security application that combines anti-virus and a personal firewall. AVG, Symantec, McAfee, ZoneAlarm and others will be able to prevent malicious applications from infecting your computer and spreading themselves to other users in your organization. Make sure you keep your signatures and policies updated, and you should be safe. It is also important to keep your operating system updated with the latest security patches.
The other type of e-mail spam is more common. If the mail server does not check the “from” field, a spammer can set it to anything, including having it mirror the “to” field, so that it looks like a message is coming from you and going to you.
To determine the real sender of an e-mail message, you will need to look at the message headers containing the sending server, the IP address from which it came and additional information. In most mail clients, there is a way to reveal these headers. In Microsoft Outlook, you can open the spam message and click on the downward-facing arrow in the lower right-hand corner of the “Options” tab; the opened window will display “Internet headers” at the bottom. In Google’s Web interface, you can click on “Show Original.”
Once you gain access to the message headers, there will be a line that starts with the word “Received:” and will be followed by the real domain name and IP address of the sending server. Resist the temptation to e-mail this address, even if just to ask for your removal; it will only cause the spammer to send more messages and sell your e-mail address to other spammers.
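The header walk described above, as an added example that is not part of the original column: it parses a constructed set of headers for a "self" spam message, finds the first Received: hop that was not written by one of the organization's own relays, and sorts the message into the two cases the column distinguishes (a forged "from" field versus mail sent from a machine inside the organization). The domain, addresses, IP ranges and relay list are all assumptions made up for the example; swap in your own.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (all names and IPs invented): what a user at example.com
# sees via "Internet headers" / "Show Original" on mail claiming to be from her.
SAMPLE_HEADERS = """\
Received: from mx.example.com (mx.example.com [192.0.2.10])
\tby mail.example.com with ESMTP id AB12; Mon, 2 Feb 2009 09:15:02 -0600
Received: from dsl-77.isp.example.net (dsl-77.isp.example.net [203.0.113.77])
\tby mx.example.com with SMTP id CD34; Mon, 2 Feb 2009 09:15:01 -0600
From: alice@example.com
To: alice@example.com
"""

# Assumed site facts: relays we run (their Received: lines are trustworthy)
# and the address ranges that count as "inside the organization".
TRUSTED_RELAYS = [ipaddress.ip_network("192.0.2.0/24")]
INTERNAL_NETS = TRUSTED_RELAYS + [ipaddress.ip_network("10.0.0.0/8")]
INTERNAL_DOMAIN = "example.com"
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # connecting host's IP


def origin_ip(raw_headers):
    """IP of the first hop that is not one of our own relays. Each server
    prepends its Received: line, so walk from the top and stop at the first
    untrusted host: every line below it was written by that host and may be forged."""
    msg = message_from_string(raw_headers)
    for hop in msg.get_all("Received") or []:
        match = IP_RE.search(hop)
        if not match:
            continue
        ip = ipaddress.ip_address(match.group(1))
        if not any(ip in net for net in TRUSTED_RELAYS):
            return ip
    return None


def classify(raw_headers):
    """Sort a message into the column's two cases: a forged From: field
    (outside origin, inside sender) or an inside machine sending mail."""
    msg = message_from_string(raw_headers)
    _, sender = parseaddr(msg.get("From", ""))
    claims_internal = sender.lower().endswith("@" + INTERNAL_DOMAIN)
    ip = origin_ip(raw_headers)
    if ip is None:
        return "unknown"
    if any(ip in net for net in INTERNAL_NETS):
        return "internal-origin"  # possible malware on a company machine
    return "forged-from" if claims_internal else "external"
```

Only the Received: lines added by relays you control can be trusted; the line the spammer's own host adds, and anything beneath it, is under the spammer's control.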
Instead, there are two major approaches to dealing with spammers. One is to install an integrated anti-spam application on your mail server. The other is to install an anti-spam appliance that stands between your mail server and the external world. The integrated solution is simpler to implement and does not require additional hardware, but it does not scale very well. Depending on your mail server, Symantec, GFI, XWall and many others have solutions for it.
The appliance-based solution is what enterprises and commercial mail providers typically use because it can scale to millions of messages per day, freeing your server from the dual task of providing mail services while preventing spam. IronPort, Brightmail and Barracuda are products that fall into this category.
Also, as a good Internet citizen, you should report spam to the service provider of the spammer so that he or she can be blocked. Depending on your country of residence, this type of spam also might be illegal and can result in penalties to the originator. In the U.S., the Federal Trade Commission has been enforcing the CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography and Marketing Act) since 2003; any spam message should be forwarded with full headers to firstname.lastname@example.org.
Avner Izhar, CCIE, CCVP, CCSI, is a consulting system engineer at World Wide Technology, Inc., a leading technology and supply chain solutions provider. He can be reached at email@example.com.