Join Bill Weinman for an in-depth discussion in this video How spam is sent, part of Managing Spam Essential Training.
So how is spam sent? One way that spam is sent is through something called open relays, and this used to be very, very common. It's a little bit less common today, and we will see why. Open relays happen because of one of the properties of the SMTP protocol. SMTP is the protocol that's used to send and relay email across the Internet. It stands for Simple Mail Transfer Protocol, and one of the properties of SMTP in the original specification is that an SMTP server must receive mail from anyone, and send mail to anyone.
So let's take a look at how this works normally. In a normal e-mail situation, your computer connects to the SMTP server of your ISP. That SMTP server, which is the one that you are authorized to use, the one that you are supposed to use, turns around and sends your e-mail out to the Internet and to the receiving SMTP server, the SMTP server of the recipient's ISP. Then the recipient logs in with their computer and connects to the SMTP server of their ISP, and receives their e-mail. This is when you check your e-mail, you download your e-mail. It comes from the SMTP server. SMTP sends and receives. So that's why it's called a transfer protocol. So over time, spammers who had been sending their mail through the SMTP servers of their ISPs got booted off of their ISPs, or the ISPs shut them down, and they needed to find a different way to do this. So they discovered this little loophole in the SMTP protocol, and instead of sending spam to their ISP's SMTP server, they would just merrily send it to some third-party SMTP server, which would then relay the mail and send out spam, spam, spam, spam.
This is what's called an open relay. Well, once the mail operators, the operators of the SMTP servers around the Internet, figured out that this wasn't working, they simply shut down their servers. They configured their servers so they would only receive mail from authorized users on their own networks. And eventually, they even changed the specification, SMTP, so that it would allow different types of authentication to ensure that the person who is sending mail through the server is actually authorized to do so. So this mostly went away. Not entirely. There are still some open relays, and certainly they are relaying a lot of spam. If you open up a relay today on the Internet, within an hour it will be sending out a lot of spam. But this is no longer the primary method of sending spam on the Internet. The primary method of sending spam today is something called botnets. Botnets are networks of compromised computers; individually they are called zombies. The owners of these computers rarely know that they are infected.
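The relay restriction described above comes down to a check the server makes for each recipient. The following is an added example, not part of the course material, that puts the original accept-anything behaviour beside the restricted one; the networks, domain and function names are assumptions chosen for illustration.

```python
import ipaddress

# Assumed for illustration: the operator's own customer networks and the
# domains this server is the final destination for (documentation ranges).
OWN_NETWORKS = [ipaddress.ip_network("192.0.2.0/24"),
                ipaddress.ip_network("2001:db8::/32")]
LOCAL_DOMAINS = {"example.net"}


def open_relay_policy(client_ip, authenticated, rcpt):
    """Original SMTP behaviour: accept mail from anyone, to anyone."""
    return True


def restricted_policy(client_ip, authenticated, rcpt):
    """Accept a recipient only if the mail is for us or the sender is ours."""
    _, sep, domain = rcpt.rpartition("@")
    if not sep or not domain:
        return False                      # malformed recipient address
    if domain.lower() in LOCAL_DOMAINS:
        return True                       # inbound mail for our own users
    if authenticated:
        return True                       # sender passed SMTP authentication
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in OWN_NETWORKS)   # on-network customer


def relays_for_strangers(policy):
    """Self-check: does an outside, unauthenticated client reach an outside domain?"""
    return policy("203.0.113.50", False, "someone@example.org")


if __name__ == "__main__":
    for policy in (open_relay_policy, restricted_policy):
        verdict = "OPEN RELAY" if relays_for_strangers(policy) else "closed"
        print(f"{policy.__name__}: {verdict}")
```

Running the same outside-to-outside probe against your own server's policy is the usual way an operator confirms the relay is closed.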
These computers are running software that has been distributed and installed by a virus or a Trojan horse. It has been specifically designed to create a network of zombie spam machines. Some of these botnets are as large as 400,000 computers or more. Here is how it works. Somebody writes a virus, and that virus is then transmitted out to a number of computers, which are then infected and turn around and continue to spread the virus, until it gets to be a whole lot of infected compromised computers. Those infected and compromised computers turn around and contact a command and control computer, and the instructions for how to contact that computer are built into software that's been installed on them by the nefarious virus.
The virus writer, who is now the botnet owner, controls the command and control computer, and therefore he controls these hundreds of thousands of infected botnet computers, and that all together is called a botnet. Then a spammer comes along and he pays the botnet operator to send out his spam. So in effect, the spammer is renting the botnet. And he now controls the command and control computer, and he controls the botnet through the command and control computer. He tells all of the bots through the command and control computer to go out and send their spam, spam, spam, spam, spam, and they do. So this is how the botnet works. Typically the botnets have the capability built in to spread themselves. They will attack known vulnerabilities and machines adjacent on the same network. They also reach out to the rest of the Internet to spread, sending copies of themselves through various payloads of viruses, which are sometimes even updated through the command and control computer, to keep them fresh and to keep them alive.
Some of these botnets can last for years. So botnets are now the most common way for spam to get sent. Most of the spam that you receive, especially the really seedy-looking spam, comes through the botnets, but it's not the only way. Another common way for spam to be sent is through unconfirmed mailing lists. Sometimes you will get mail from very reputable companies, from companies that you have heard of, companies that are publicly traded, companies with a big major presence on the Internet, companies that you may respect, and yet you never asked for this mail.
Why is it that these companies are sending mail to people who don't want mail from them? Well, this is what the unconfirmed mailing lists are. Oftentimes it's quite innocent, and oftentimes it's not, but what happens is, somebody goes to a website and buys something or signs up for a mailing list, and for whatever reason, either by mistake or intentionally, they give a wrong email address. The company who runs the website just goes ahead and sends out their mail to whatever these email addresses are. They don't necessarily care, and in fact, it's to their advantage to send out more mail rather than less mail.
So they probably don't have any motivation to keep their mailing lists clean. So a lot of people who do not want that email end up receiving it. Normally the way this is supposed to work is that when you sign up for an email list, when you sign up to be updated with the newsletter or marketing materials from a company, that company's email list program should send out a confirmation message, and all of the major software packages for doing this are capable of sending out confirmation messages; most of them default to sending out confirmation messages.
The way these confirmation messages work, is you receive an email message to confirm that you want to receive mail from this mailing list, and you either have to reply to the message, or click on a link in the message, and that confirms that your email address was signed up with your permission, that you have actively confirmed that you are the owner of this email, and that you actually want to receive this mail. That's necessary today, because there's so much unwanted mail, there's so much spam, that for a company to remain reputable, to remain in good standing, they need to make sure that they are not part of the problem.
So that's why mailing list software has this capability built into it, and that's why all of us should be using it. Another common way that spam is sent is what I call corporate spam. These are usually not the really big companies, but sometimes they are. In the postal mail world, it's always been common to be able to buy or rent a mailing list for sending out your marketing materials, and in the email world, this is frowned upon, this is not the way that it is normally done. But some people who are from the postal mail world, or who have always done things that way, they just don't understand that they can't just go out and buy or rent a mailing list, and so they do. They go out and they buy or rent a mailing list. And typically the people who are selling and renting these mailing lists are not doing this in a reputable way. So they are selling what's called the million CDs or these databases with millions of email addresses on them, and they claim that they all are confirmed, and that these are people who want to receive this marketing. They even sometimes call them targeted lists.
When in fact they are just every email address they have been able to scrape off the Internet. So the marketing manager in this large corporation, or this medium or small size corporation, he doesn't know the difference. He rents this mailing list, and he sends out his campaign, and he gets a flood of spam complaints and he learns the hard way. Well, this is another way that spam is often sent, and unfortunately sometimes it's even done this way intentionally. The effect of corporate spam, the effect of unconfirmed mailing lists, is really the same as the effect of botnets, without the nefarious pirate who writes a virus and infects your computer, but the effect of this spamming is the same.
People who don't want your mail are getting your mail, and they are going to complain and they are going to be put out by it, and it becomes part of the problem instead of part of the solution. If you are working for a large corporation and you have marketing materials that you need to send out, do it the right way, get a mailing list manager, and send out the confirmation messages, and be part of the solution, and not part of the problem.
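The confirmation step described above can be sketched as follows. This is an added example, not code from the course or from any particular mailing list manager; the class, secret and expiry period are assumptions. An address stays pending until the token mailed to it comes back, so a mistyped or maliciously entered address never reaches the send list.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"   # assumption: a per-list secret kept server-side
TOKEN_TTL = 3 * 24 * 3600          # assumption: confirmation links expire after 3 days


class MailingList:
    def __init__(self):
        self.pending = {}          # address -> time the confirmation was issued
        self.confirmed = set()     # only these addresses ever receive mailings

    def _sign(self, address, issued):
        msg = f"{address}|{issued}".encode()
        return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

    def subscribe(self, address, now=None):
        """Record the request as pending; return the token to e-mail to the address."""
        address = address.strip().lower()
        issued = int(time.time() if now is None else now)
        self.pending[address] = issued
        return f"{issued}.{self._sign(address, issued)}"

    def confirm(self, address, token, now=None):
        """Activate the subscription only if the token matches this address."""
        address = address.strip().lower()
        now = int(time.time() if now is None else now)
        issued_s, _, mac = token.partition(".")
        if not issued_s.isdecimal() or self.pending.get(address) != int(issued_s):
            return False                       # no such pending request
        if now - int(issued_s) > TOKEN_TTL:
            return False                       # link expired
        expected = self._sign(address, int(issued_s))
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return False                       # forged or altered token
        del self.pending[address]
        self.confirmed.add(address)
        return True

    def recipients(self):
        """Addresses a campaign may be sent to: confirmed ones only."""
        return sorted(self.confirmed)
```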
- Defending against "phishing" attacks (identity theft)
- Identifying 419 scams, malware, and more
- Setting up spam filters and block lists
- Sorting spam from legitimate email daily
- Using tagged or separate addresses for different situations
- Being a good email citizen