Company becomes culprit in ongoing spam attacks

Every year, it seems my company gets more and more spam, and much of it is offensive. An employee in our public relations department recently received a particularly bad example.

The unsolicited e-mail advertised a child pornography Web site. The employee, both offended and frightened that management would think he had requested the information, passed it on to our human resources department. Human resources in turn passed it to our physical security team, which contacted local law enforcement officials. My team was called in to identify the source.

The “From” header indicated that the e-mail came from the domain of a game company in Hong Kong. It probably wasn’t the culprit. The header is much like the return address on a letter: You can insert whatever address you like. We dug further, but we used an external Internet account so others wouldn’t know that our organization was investigating.

From Russia, with love

The pornography Web site’s Domain Name System name was registered to someone in the United Kingdom, but the name servers hosting the zone files were in Russia. The Web server in question was associated with the registrant’s Internet service provider in Moscow. The service provider offers wireless connectivity, which makes it much harder to find the physical server at the other end of the connection.

We decided against visiting the Web site itself we don’t want child pornography images in our cache or on our machines. Besides, the spam might be a law enforcement sting with a fake server, or the authorities might be waiting to raid the real server and be monitoring connections to the server in the meantime.

How did the e-mail get to us? By reading the series of headers on the e-mail, we traced it back to a mail server at a computer consultancy in Utah. It had apparently mis-configured its server, allowing anyone to connect.

You can report spam to services that test the source-mail servers to see if they’re correctly set up. If so, the service adds the server to its blacklist and notifies the owner. We found the consultancy’s server on one of these lists, so we knew it had been notified about the problem.

This convoluted web of international lies and deception reads like the plot of a James Bond novel but is normal for spam. It makes it very hard for anyone to take action against the spammers, because any legal action would involve numerous companies in many different jurisdictions. Although the total spam burden is expensive, each individual e-mail message doesn’t cost that much time and storage, so we couldn’t sue for much anyway.

In addition, all of the information we got from headers and probing doesn’t really prove anything. Nearly all of these records and registrations can be faked or stolen, and even the information that our mail servers log can be confused and distorted by a skilled spammer. So we wrote a report about our analysis and presented it to the physical security guys, who passed it on to their law enforcement friends. I doubt anything will come of it. Although spam advertising can be unpleasant and wasteful, it doesn’t directly expose our company to information risk unless it gets sent from within our company.

The nun who spammed me

Soon after that incident, we received a call about another strange e-mail. It just contained the word “test”, but the “From” address was an inactive account in our domain. More confusingly, the e-mail had our standard outbound disclaimer attached. Perhaps someone had broken in and was testing what he could send before he started spamming? A review of the message told the real story. The message had come from the outside with a faked internal address in the “From” header to increase the likelihood that it would be read.

Gullible users I can plan for, but our e-mail gateway had fallen for the same trick. It was applying the rules in a different order than we expected so that when it saw the “From” address associated with our site, it applied the rules for outgoing mail and stuck our disclaimer on the bottom of the message even though the To address was also ours. If we had virus-checking working in only one direction, this could have been a catastrophic bug. As it was, we were forced to deploy a second server to separate incoming and outgoing e-mail so no confusion of rules could happen.

The machine used to inject the spam into our e-mail system was associated with a school board in New Jersey that was run by the Sisters of Mercy. If you had said at the beginning of the week that I’d be explaining spam to nuns, I think I would have offered long odds against it. Their proxy was allowing any kind of connection to be forwarded, including those using Port 25, the TCP port used for SMTP. Administrators normally use a proxy server to give internal staffers secure access to external resources, but if you don’t limit who can connect to it in the first place, you can end up providing security services, like anonymity, to un-trusted third parties including spammers.

I am spam

Bad things always come in threes, and this week was no exception. Several anti-spam groups wrote to us to complain about spam coming from our networks. We knew they were wrong our e-mail servers are very tightly configured. Then we looked at the queues on them and saw hundreds of thousands of items waiting to be delivered, nearly all of it spam.

We pulled the plug and quickly deleted the messages. But how was it getting in? Was an insider sending this nonsense? Thankfully no. Although our e-mail servers were secure, our Web server wasn’t. All of the items were originating from the low-privilege user account that runs the Web service process. It turns out we had been stung by a bug in a user-feedback script we had written to work in FormMail, our Web-based e-mail form program. We’d kept up to date with patches and with all our Common Gateway Interface scripts. Some enterprising spammer had discovered that we used that script and wrote a tool to break it and substitute the e-mail addresses of spam recipients for those of the customer-liaison staff in our company.

In the end, we had to grovel to the anti-spam groups to get off their blacklists. As we removed the scripts and replaced them with a much better alternative, we started to have second thoughts about how harsh we had been with other companies that had been used to originate spam sent to us. If, despite all our efforts, we could be an unwilling accomplice, what hope is there for all those companies that don’t take security as seriously?

Stamping out spam Was Monty Python responsible for spam? Read the famous comedy sketch that made Spam famous and decide for yourself. Go here to get FormMail, the Web e-mail form scripting tool that resulted in our spamming problems. After updating our program, we still had problems with even the latest, supposedly secure version. maintains a list of badly configured FormMail servers. To try to improve the situation, the site also offers a secure replacement version. Many services offer to stop spam by blocking servers used to send it and your e-mail server could be on one of their lists. Check this site and find out. If you’re trying to track down the owner of a domain name, Internic’s “Whois” registry database can help.