At this point in our discussion of messaging security, we are going to talk about two types of mail: junk mail and spam. It is worth discussing each separately, because the difference lies in whether you ever agreed to receive it. Junk mail is just that: junk. Spam is typically sent by someone who has added you to some type of mailing list (automatically, in most cases) and is sending you messages without your permission. In many cases, but not all, junk mail comes to you with your permission.
Let's start with junk mail. This type of mail arrives in your e-mail box because of some action on your part. There was the time you went out to a site and registered to access some information, or filled out an information card to receive a free magazine. Now you are receiving e-mail. Some of it you actually want; call it "stuff," the stuff you want to read. So far, so good. After a while, however, that "stuff" adds up, and the next thing you know, you have junk mail: you have added yourself to hundreds of e-mailing lists. Most of the companies you have been doing business with will include a URL with their mail that lets you remove your address from their distribution system, and reputable companies will then drop you from the list. At this point you say, "I don't see the problem." Well, hold your horses for a minute and keep reading.
Now you are receiving a little bit of junk mail. You asked for it: a subscription here, a catalog update there, a job posting. Let's say that adds up to 20 pieces of junk mail a day, still not much for some. Now let's add on a bit more, and to magnify our problem, let's start this at the end of November. It's the holiday season. We are all happy. We will be taking some time off to eat, drink, be merry, check out the travel and sports pages on the Internet, and then send our colleagues down the hall an electronic season's greetings card. Here is what we do: We go to some great URL, find that e-card, and send it to our buddies. That card may have an attachment, maybe an animated snowman that smiles. When we look at that attachment, we see it is only about 500 kilobytes. That is not very big, so we send the card to our buddies down the hall, who receive it and enjoy it. Our new best friends now forward it to their good buddies, who forward it to others. Finally, someone forwards it outside of the company, and eventually it is forwarded back into our company to another person. Let's add some of this up: two messages at a megabyte each, plus all that junk mail we are getting. Then multiply by two factors: 10,000 employees at our company, and the holiday season. This adds up to a lot of messages, and many of them are bigger than 500 K once the attachment is base64-encoded for transport (about a third larger), and bigger still if some of these geniuses signed or encrypted the message when they sent it out. The end result is a clogged e-mail system full of messages to and from known users or companies. This is junk mail, and to our company it should be classified as nonbusiness use of the messaging environment. (Later in this chapter, we will discuss acceptable use policies and what should be in them.)
First off, let's pay tribute to a wonderful meat product. The name "SPAM" is a registered trademark of Hormel Foods Corporation. Per the request of the SPAM web site, we will be following the guidelines specified at http://www.spam.com/ci/ci_in.htm.
The guidelines include use of the word "spam" in lowercase when discussing the delivery of unsolicited commercial e-mail, or UCE. The word "SPAM" is owned and trademarked by Hormel Foods. Go to your local grocer and purchase some. It's very good and can be prepared in many different ways.
With that said, let's continue. Here is what we all have experienced: We happily log on to check our e-mail, and there are new messages waiting for us. This is exhilarating. You have mail! Someone likes you. They really like you! With mounting anticipation you look at the subject lines, and you see the following: "Make money now"; "Investment tips that no one else knows"; "Yes, these are the bodies that you dream about"; "Are you over 18 and would you like to be a model?"; "Remember me? We met at ... ."
Of course, these are all valid, genuine messages ... not! So after a while you start to see these messages pile up in your in-box, and you may try to reply to some of them. You may even request to be removed from the senders' mailing lists. This request does not always work: a reply or a "remove me" click tells the spammer that the address is read by a live person, so in many cases you will receive even more UCE.
Following are several methods that spammers use to get to you:
Purchase a list of names from various sources. Most reputable e-commerce companies that have your e-mail address will place some type of banner or disclaimer stating that they will not sell your address to an external vendor. But not all companies will offer this disclaimer.
Get a list right off the Internet itself from anonymous sources, such as:
If you post an entry on an on-line service or Internet bulletin board
Spend time in chat rooms on an on-line service
Have a listing in an on-line service's directory (Remember LDAP? Go to your favorite LDAP site and type in your last name.)
Create a list of addresses based on a common suffix and a computed local part.
The following example is one of the most clever spam attacks that we have ever seen.
Several years ago, at a public utility, the systems manager reported that there was a problem with the SMTP server. (Remember, SMTP is the standards-based e-mail protocol.) A review of the message queue turned up thousands of messages, all the same size. Extracting one of the messages and opening it revealed an invitation to a pornographic site. Launching the URL and opening the site produced a banner with the message that the site was not in the United States, so there was nothing the public utility could do. At this point you might ask, "What did the 'From' field say?" The "From" field gave the name of a legitimate company in Texas, which, when called, said, "Sorry, these messages are not from us." The spammer had simply set the "From" field to a legitimate company's address, which is very easily done: SMTP does not verify the sender address a client presents. Let's define some terms before we go further.
Suffix: The part of the Internet address after the @ symbol (RFC 5321 calls this the domain)
Local part: The name before the @ symbol that makes the user unique on that mail server
In BubbaDuck@thisisamailserver.com, BubbaDuck is the local part and thisisamailserver.com is the suffix.
Now, let's continue.
The spammer writes a program that opens a list (even a whole dictionary) of words, a very long list, and mixes and matches those words with numbers: for example, Dog, Cat, DogCat, CatDog, Dog1, Dog2, Cat1, Cat2, DogCat1, and so on. The program then joins each computed local part to a preset suffix. This creates thousands of addresses which, in our example, were used to send out the invitation to the pornographic site.
But we are not done. The spammer in this case performed a simple trick: he or she found a site that had SMTP relaying turned on. Relaying is a basic feature that lets a server accept a message from one host and pass it along to another; an "open" relay does this for anyone, regardless of who the sender or the recipient is. The spammer found this public utility's mail server name via any of a number of mechanisms. (For an example, check out http://www.samspade.org/.) Now the spammer has one more step: purchase an account with a local ISP. Then he or she follows these steps:
Create the target addresses via the automated program
Launch the message toward the target via a local ISP
Relay the message to the target site
The target site accepts the message if the address in "RCPT TO" matches a real mailbox, and the message is then delivered to that user. If the address does not exist, the relay bounces the message back to the "From" address. In our case that was a legitimate address, so the poor, innocent Texas company, and sometimes an individual user there, was spammed with thousands of rejection notices. Not good.
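The queue review that exposed this run can be automated. The following is an added example in Python, not code from the book: the queue listing is constructed and simplified (one entry per line: queue-id, size, sender, recipient) rather than any real MTA's format, and the word list is a hypothetical stand-in for a spammer's dictionary. It looks for the signature the text describes, a large group of same-size messages from one sender whose recipient local parts are dictionary words with numbers tacked on.

```python
"""Spot a computed-address spam run in an SMTP queue listing.

Added example, not from the book. SAMPLE_QUEUE is a constructed, simplified
listing (queue-id size sender recipient per line), not any MTA's real output.
It mirrors the case in the text: same-size messages, a forged From address
belonging to a legitimate company, recipient local parts built from a word list.
"""
from collections import defaultdict

SAMPLE_QUEUE = """\
A1F3 2048 sales@legit-company.example.com dog@target.example.com
A1F4 2048 sales@legit-company.example.com cat@target.example.com
A1F5 2048 sales@legit-company.example.com dogcat@target.example.com
A1F6 2048 sales@legit-company.example.com catdog1@target.example.com
A1F7 2048 sales@legit-company.example.com dog2@target.example.com
A1F8 2048 sales@legit-company.example.com cat17@target.example.com
B201 9150 alice@utility.example.com bob@partner.example.com
B202 1733 payroll@utility.example.com alice@utility.example.com
"""

# Hypothetical word list; a spammer's would run to thousands of words.
WORDS = ("dog", "cat", "fish", "bird")


def parse_queue(text):
    """Turn the constructed listing into dicts; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        qid, size, sender, rcpt = fields
        entries.append({"id": qid, "size": int(size), "from": sender, "to": rcpt})
    return entries


def is_computed_local_part(local_part, words=WORDS):
    """True when the local part is one or two list words plus optional digits
    (Dog, DogCat, Cat1, CatDog17 ...): the mix-and-match pattern in the text."""
    stem = local_part.lower().rstrip("0123456789")
    if stem in words:
        return True
    return any(stem.startswith(w) and stem[len(w):] in words for w in words)


def find_spam_runs(entries, min_messages=5):
    """Group the queue by (size, sender). Every group at or above the threshold
    is reported with the share of recipients whose local part looks computed;
    a big same-size group with a high ratio is the signature from the text."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e["size"], e["from"])].append(e)
    runs = []
    for (size, sender), msgs in groups.items():
        if len(msgs) < min_messages:
            continue
        computed = sum(
            1 for m in msgs if is_computed_local_part(m["to"].split("@", 1)[0])
        )
        runs.append({
            "size": size,
            "from": sender,
            "count": len(msgs),
            "computed_ratio": computed / len(msgs),
        })
    return runs


if __name__ == "__main__":
    for run in find_spam_runs(parse_queue(SAMPLE_QUEUE)):
        print(run)
```

On the sample queue the six "sales@legit-company" entries form one run with every recipient looking computed, while the two ordinary messages are left alone. The same grouping works on a real queue listing once `parse_queue` is adapted to that MTA's format.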
How can you tell if you have the relay turned on? Following is a simple test:
Most operating systems ship with a Telnet client. Connect to the server on the SMTP port (25) and type the commands (shown in bold in the original; here each command is on its own line, and everything else is the server's reply):

    telnet DomainName.com 25
    HELO fake.domain
    MAIL FROM:<firstname.lastname@example.org>
    RCPT TO:<email@example.com>
    DATA
    (a line or two of text, ended with a line containing only a period)
    QUIT

Use a sender and a recipient that are both outside DomainName.com, and run the test from a machine outside your own network, because most servers relay for inside clients by design. If the server answers RCPT TO with a 250 and then takes the message, it is relaying for anyone; a 550 or 554 "relaying denied" reply to RCPT TO means the relay is closed.
This easy trick will tell you if you have the relay turned on (see Figure 8.2). You are probably wondering what was done in the case of the pornographic site relay spammer. Well, the relay setting was turned off. That was it: very easy, and back to business as usual. The target server administrator was also contacted, informed of the situation, and asked not to put the public utility site on its block list.
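The same Telnet conversation, scripted so it can be run against a list of servers, is shown below as an added example in Python; it is not code from the book. The transport is pluggable so the logic can be exercised offline against canned replies, the reply texts are constructed, and the HELO name, sender and recipient addresses are placeholders to replace with your own outside-domain values. The probe stops after RCPT TO and never sends DATA, so even an open relay is not handed a message.

```python
"""Open-relay probe: the Telnet test from the text, scripted.

Added example, not the book's. Connect, HELO, MAIL FROM an outside sender,
RCPT TO an outside recipient, QUIT. It stops before DATA, so even an open
relay is never handed a message. The transport is pluggable so the logic can
run offline against canned replies; hostnames and addresses are placeholders.
"""
import socket
import sys


class ScriptedServer:
    """Constructed stand-in for a real server: hands back canned reply lines."""

    def __init__(self, replies):
        self._replies = list(replies)
        self.sent = []

    def readline(self):
        return self._replies.pop(0) if self._replies else ""

    def sendline(self, line):
        self.sent.append(line)


class SocketTransport:
    """Real TCP transport. SMTP lines are CRLF-terminated (RFC 5321)."""

    def __init__(self, host, port=25, timeout=10):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.rfile = self.sock.makefile("r", encoding="latin-1", newline="")

    def readline(self):
        return self.rfile.readline()

    def sendline(self, line):
        self.sock.sendall((line + "\r\n").encode("ascii"))


def read_reply(transport):
    """Read one reply, following 'NNN-' continuation lines to the final 'NNN '."""
    lines = []
    while True:
        line = transport.readline()
        if not line:
            raise ConnectionError("connection closed by server")
        lines.append(line.rstrip("\r\n"))
        if len(line) < 4 or line[3] != "-":
            return int(lines[-1][:3]), lines


def check_open_relay(transport, helo="fake.domain",
                     mail_from="probe@outside-one.example.net",
                     rcpt_to="probe@outside-two.example.org"):
    """Return (relays, transcript). relays is True when RCPT TO for a recipient
    the server is not responsible for is accepted (250/251) from an outside
    sender. Run it from OUTSIDE your network: most servers relay for inside
    clients on purpose, and that is not what the spammer exploited."""
    transcript = []

    def send(cmd):
        transport.sendline(cmd)
        code, _ = read_reply(transport)
        transcript.append((cmd, code))
        return code

    greeting, _ = read_reply(transport)
    transcript.append(("<greeting>", greeting))
    relays = False
    if (greeting == 220 and send(f"HELO {helo}") == 250
            and send(f"MAIL FROM:<{mail_from}>") == 250):
        relays = send(f"RCPT TO:<{rcpt_to}>") in (250, 251)
    send("QUIT")
    return relays, transcript


# Constructed reply sequences for an open and a closed relay.
OPEN_RELAY_REPLIES = [
    "220 mail.utility.example.com ESMTP\r\n",
    "250 mail.utility.example.com\r\n",
    "250 2.1.0 Ok\r\n",
    "250 2.1.5 Ok\r\n",
    "221 2.0.0 Bye\r\n",
]
CLOSED_RELAY_REPLIES = [
    "220 mail.utility.example.com ESMTP\r\n",
    "250-mail.utility.example.com\r\n",   # multi-line reply, to exercise read_reply
    "250 SIZE 10240000\r\n",
    "250 2.1.0 Ok\r\n",
    "554 5.7.1 <probe@outside-two.example.org>: Relay access denied\r\n",
    "221 2.0.0 Bye\r\n",
]

if __name__ == "__main__":
    # With a hostname on the command line the probe runs live; otherwise offline.
    transport = SocketTransport(sys.argv[1]) if len(sys.argv) > 1 \
        else ScriptedServer(OPEN_RELAY_REPLIES)
    relays, log = check_open_relay(transport)
    for cmd, code in log:
        print(f"{cmd:<45} -> {code}")
    print("OPEN RELAY" if relays else "relay denied")
```

Run with a hostname as the only argument to test a real server; with no argument it replays the canned open-relay conversation. Only the RCPT TO verdict matters: a 250 there from an outside client, for an outside recipient, is the open relay the spammer in the text found.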
So far we have been talking about problems with messaging. We could spend the rest of this book just on messaging problems, but let's talk about solutions. Figure 8.3 shows another way to look at the actual flow of a message. In each case, the large groups are "virtual." There are cases where a message will need to be returned to the source mailbox, such as:
A reply to the message being sent
A reply from an automated agent, such as an "Out of Office" profile
A reply from the router, stating that the message cannot be delivered because the server is down, mailbox is not found, and so on
A return mailbox should be created with the same name that will be in the "From" field. This mailbox can then capture any of these "Replied" messages.
Following are the required components of the return mailbox:
Method to notify an administration group that a new mass-mail "group" is needed
Mail database (logical database)
Process to create and/or maintain mass-mail groups, e.g., a database with a group name and criteria listing (logical database)
Custom memo form (with custom "From" field, custom "Send" button, and custom "Form" properties)
Ownership of the process
Ownership of the ACL to the database
Definition of ACL access to all databases
Definition of an administrator to create the mass-mail groups (names and coding criteria)
Definition of access to use the database
Agent to parse a directory source
Authoritative data source to keep the personnel records updated with current employee information
Mail-in mailbox for "Reply" messages
Companywide and location-specific "groups" (virtual groups) could then be maintained centrally, with a single update. The distribution agents would generate the recipient list from the directory source at send time, so the list of addresses used would reflect recent additions to and deletions from the directory. In other words, the directory source must be kept up to date with correct information, because it becomes the single point of truth for who receives what.
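The agent that resolves a virtual group from the directory, together with the return mailbox in the "From" field, is sketched below as an added example in Python. It is not code from the book: the directory records, the group criteria, the mailbox names and the batch size are all constructed, and a real agent would read the records from the personnel system or an LDAP directory rather than a list.

```python
"""Resolve a mass-mail 'virtual group' from the directory at send time.

Added example, not the book's own code. The directory records, group
criteria and mailbox names are constructed. It shows the design the text
describes: no static distribution list is kept; recipients are computed from
the authoritative directory on every run (so new and deleted entries are
picked up), and the message carries the return mailbox in From/Reply-To so
replies, out-of-office agents and bounces land there, not with the sender.
"""
from email.message import EmailMessage

RETURN_MAILBOX = "massmail-return@utility.example.com"   # the mail-in mailbox

# Constructed directory source (would come from the personnel system / LDAP).
DIRECTORY = [
    {"mail": "alee@utility.example.com",   "location": "Houston", "dept": "Ops",     "status": "active"},
    {"mail": "bkim@utility.example.com",   "location": "Houston", "dept": "Finance", "status": "active"},
    {"mail": "cjones@utility.example.com", "location": "Dallas",  "dept": "Ops",     "status": "active"},
    {"mail": "dpatel@utility.example.com", "location": "Houston", "dept": "Ops",     "status": "terminated"},
    {"mail": "efox@utility.example.com",   "location": "Dallas",  "dept": "Ops",     "status": "active"},
]

# Group name -> criteria (attribute == value), maintained centrally by the
# mass-mail administrator. An empty criteria dict means "everyone".
GROUPS = {
    "all-employees": {},
    "all-houston": {"location": "Houston"},
    "ops-dallas": {"location": "Dallas", "dept": "Ops"},
}


def resolve_group(group_name, directory=DIRECTORY, groups=GROUPS):
    """Compute the recipient list for a group from the directory right now.
    Only active records count, so a terminated employee drops out with no list
    maintenance. An unknown group raises KeyError instead of mailing nobody."""
    criteria = groups[group_name]
    return sorted(
        rec["mail"] for rec in directory
        if rec["status"] == "active"
        and all(rec.get(attr) == value for attr, value in criteria.items())
    )


def batches(recipients, size):
    """Split a very large distribution into envelope batches of at most `size`."""
    return [recipients[i:i + size] for i in range(0, len(recipients), size)]


def build_mass_mail(group_name, subject, body, directory=DIRECTORY, batch_size=500):
    """Build the message once and return it with the batched envelope
    recipients. Recipients go on the envelope only, never in To:, so the list
    is not exposed and nobody can reply-all to 10,000 people."""
    recipients = resolve_group(group_name, directory)
    msg = EmailMessage()
    msg["From"] = RETURN_MAILBOX          # replies and bounces go here
    msg["Reply-To"] = RETURN_MAILBOX
    msg["To"] = "undisclosed-recipients:;"
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, batches(recipients, batch_size)


if __name__ == "__main__":
    msg, envelopes = build_mass_mail("all-houston", "Holiday schedule",
                                     "Offices close at noon on the 24th.")
    print(msg)
    for n, batch in enumerate(envelopes, 1):
        print(f"batch {n}: {batch}")
```

Adding a record to the directory, or marking one terminated, changes the next send with no list edit, which is the whole point of the design; the price is that a wrong directory record mails the wrong people just as automatically.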
Following are some benefits of a current directory:
Up-to-date list of addresses would be used
Large groups would not have to be created/maintained
Allows for rapid deployment of important messages
Will address very large distributions (no limits to group sizes)
Provides centrally located ownership of the entire process, including security and access
Dimwitted users would not be able to send out large messages with pictures of their dogs
Okay, let's get real: this is a very complex solution. Our example is provided to help you understand the issues and problems. If you really need a mass-mail solution, we recommend that you engage a consulting organization to help you out.