Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

How do spammers know...?

Status
Not open for further replies.
robFSS

robFSS

IS-IT--Management
Apr 29, 2003
106
US
Should I be worried?

A portion of the spam directed to my primary business email arrives in my inbox with very familiar reply to addresses or names.

I'll get spam that says it's from ME, with my familiar name in the from field, or perhaps I'll get spam that uses the email prefix of a coworker.

let's say, for example my office manager's name is Optimus Prime, and his email address is oprime@autobots.com. Now when I get a real message from him, my inbox will show Optimus Prime in the from field. It's obvious when he's being spoofed b/c the phony message says "oprime". What's strange is that on an otherwise uneventful spam filled day, I could get several messages with spoofed reply to addresses that resembel several co-workers' email addresses.

What's going on here?

Any ideas where the spam jerks are getting this info from? We have a late model sonic wall firewall that was configured by professionals, as well as solid antivirus software on all machines in the office.

thx,
R

 
Sort by date Sort by votes
Two ways I can think of: one, one of your internal people gets a virus that steals their address book entries. Two, someone who has a copy of your internal address book sells it to spammers to make a quick buck (we had that happen years ago and we're still fighting it).

Dictionary attacks are very common, though.
 
Upvote 0 Downvote
The problem isn't your firewall or av software....it is totally unrelated. Spammers have software to obtain email addresses, possibly from websites you have visited if you entered an e-address, email replies you have sent, your comapany website, and sites like these if people list their addresses in a post (& many many others I'm sure).

The second part of the problem is the smtp protocol used to send messages from one email sever to another does not require authentication. If you Google 'telnet send email' you can see just how easy it is to send an email to someone and you can use any email address in the from field you want.

A partial solution to your problem is to add an spf record to your public DNS records. An spf record lets other email servers know what ip addresses are allowed to send messages for your domain (autobots.com). If your had an sfp dns record setup and your email server is configured to check spf records, it would see that the bogus email server sending the spoofed messages is not allowed to send on your domains behalf and would not deliver the message. Unfortunately, not every email server vendor supports spf and not everyone defines spf records.
 
Upvote 0 Downvote
Another way addresses get harvested is from e-mail messages themselves. Say a machine gets infected. The malware doesn't just scan the address book, it scans the Inbox, etc. looking through the messages for any text in the form of an address and sends that to a collection point.

Any messages you get that have been forwarded dozens of times where people haven't taken time to delete the previous addresses (jokes come to mind) can be a goldmine of addresses. This is why, when I forward something to a group, I generally strip the address headers and use BCC to address it. Just a small way to cut down on spammer resources.

_____
Jeff
[small][purple]It's never too early to begin preparing for [/purple]International Talk Like a Pirate Day
"The software I buy sucks, The software I write sucks. It's time to give up and have a beer..." - Me[/small]
 
Upvote 0 Downvote
Bumping this thread since I'm experiencing similar situation on my network. My question is what do you guys use to combat spam? For now I'm just updating Outlook 2003 spam filters, etc. but not sure what, if any, company wide software I could deploy to catch spam better?
 
Upvote 0 Downvote

AOConsulting - check out thread83-1384003

-r
 
Upvote 0 Downvote
There is a good product called Antigen which was originally developed by Sybari, but that company was acquired by Microsoft last year (I belive - possibly year before)

If you are in the UK, "MailDefender" from intY is a good service also. It's not cheap however, but it is totally off-site and as such takes up no server resources.

Can't really add anything else that hasn't already been said as far as the actual spam goes.

What I will add though, is that these days a Firewall & Anti Virus is absolutely no good for combatting spam....and relying on Office Anti Spam filters is utterly useless also. I would strongly reccomend a more dedicated, robust system.

I dare say there will be open source alternatives that you could configure on an old PC/Server - point your MX records to that server and then forward the mail internally once it has been checked. (That of course is assuming the use of an internal system such as Exchange)

'When all else fails.......read the manual'
 
Upvote 0 Downvote
Postini is a hosted solution with excellent results. Not sure how expensive it is but it does a great job. I believe AppRiver is another hosted solution if you want to go that route.

We use DoubleCheck in our office. Built around open-source SpamAsssasin with the a double-check web gui. Highly configurable and we like it. I need to have a certain amount of control on the configuration so DoubleCheck fits the bill. Also has anit-phish & anti-virus protection. Basically just a Debian Linux workstation with the anti-spam software running.
 
Upvote 0 Downvote
I was averaging 1200 spams a day making it to my inbox before the company moved to Postini, which is a hosted anti-spam solution. Now I only see 2-3 spams making it to my inbox each day, and no legitimate messages (false positives) getting blocked.

Good luck,
 
Upvote 0 Downvote
lhuegele -

Strange what you've told me -

I've got positing from my email provider. All the filters are jacked up to the strictest level, but I'm still getting a lot of spam....

:-(
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

GeorgeAlba
  • Locked
  • Question
What do you think about this proxy
Replies
0
Views
113
GeorgeAlba
GeorgeAlba
ChrisFairley
  • Locked
  • Question
Downloads failing through ASA 5520
Replies
1
Views
94
iggsterman
iggsterman
RodneyMcSnow
  • Locked
  • Question
TZ400 -how to prevent dns attacks
Replies
2
Views
94
RodneyMcSnow
RodneyMcSnow
shmideo
  • Locked
  • Question
How to set up a wireless LAN on X5 interface TZ500
Replies
1
Views
86
shmideo
shmideo
EdwardMcClelland
  • Locked
  • Question
Google DNS works with Sonic-wall installed. Cox doesn't.
Replies
1
Views
109
ChrisHirst
ChrisHirst

Part and Inventory Search

Sponsor

Back
Top