Spam problems, need expert

Started by odinn7, February 10, 2005, 12:48:15 PM

odinn7

I usually get some kind of spam daily at work in the morning when I start up my mail program. I have no problem reporting it and normally everything works out ok. The last 6 weeks or so, I've been getting mail that is addressed to the guy that used to work in this office with me. I know he signed up for all kinds of crap on his computer here but I don't. Anyway, not only am I getting mail that has his address (which was cancelled when he left here) but it's also very difficult to report as I am no expert at this. It comes from derzeit.de with a different ip address (the friggen numbers with dots in there...ip address, right?) for each mail I get. I am confused because most of the spam I get, the name matches with the numbers when I do a look up. Anyway, I am going to paste some examples of headers on here (minus some information) so you can see what I mean and hopefully someone can follow what I'm saying. If anyone has an idea how to combat this, please feel free to let me know how. I report and report and I still get 1-3 of these a day addressed to the other guy all saying "derzeit.de". I'm starting to get p**sed off. Thanks for any help you can provide.

1)
Return-Path:
Received: from derzeit.de (host103-64.pool81114.interbusiness.it [81.114.64.103])
 by XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 Thu, 10 Feb 2005 02:10:19 -0500 (EST)
To: ----------------Not me!
From: "Sam"
Date: Thu, 10 Feb 2005 07:10:10 GMT
Message-Id: <1108019410-10429@excite.com>
Sender: evan5mndy13@hotmail.com
Subject: Drug turns a normal guys into studs!
Content-Type: text/plain;
X-UIDL: 3275

2)
Return-Path:
Received: from derzeit.de (unknown [200.121.129.163])
 by XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 Thu, 10 Feb 2005 02:20:22 -0500 (EST)
To: ------------Not me again!
From: "rob"
Date: Thu, 10 Feb 2005 08:21:35 GMT
Message-Id: <1108023695-13068@excite.com>
Sender: sw7eetp0739@hotmail.com
Subject: Ignore Vi-ag-ra, Cia-lis is the best!
Content-Type: text/html;
X-UIDL: 3276

Obviously, the X's are edited to avoid more problems.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

You're not the Devil...You're practice.

Mr. Hockstatter

If you're using outlook express, just go to the Tools pulldown menu, then message rules, then mail.  It'll take you to a dialog box.  Hit "new", and you can set up a rule that anything with derzeit.de in it gets blocked.

ulthar

Mr. Hockstatter wrote:

> If you're using outlook express, just go to the Tools pulldown
> menu, then message rules, then mail.  It'll take you to a
> dialog box.  Hit "new", and you can set up a rule that anything
> with derzeit.de in it gets blocked.

Better yet, don't use Outlook Express.  Worst Mail Client - EVER!  (eh hem, my opinion).

Get Thunderbird (if you are allowed to), and you can set up local client mail filtering that won't require you to set up a rule for each annoying spam "From" that you get.  There are algorithms that determine if a message is spam.  On Outlook Express's rule based mail filtering, I have noticed that it fails often, and before you know it, you have hundreds of rules that only sometimes even work.

Now, to the meat of those messages.

Point (1): Those headers don't seem to indicate that there is any spam filtering going on at the SERVER, which is where it SHOULD be happening.  It's fine to use your mail client (like Outlook Express or whatever) to filter whatever might happen to get through the server's filtering, but really, the smtp server should be doing SOMETHING.  These would probably get dropped there, and therefore never run the wire from the server to your client computer.

Ask your IT server admin if there is a spam filtering agent set up on the filter (if at work, or your ISP if this is a home based email issue).  If not, ask them if they can implement one. There are server based antispam programs that interface very well with virus scanners, too, which is a bonus.

It's important to do the filtering on the server side because nothing in that mail is executable on the server.  If you are doing all your filtering (spam and viruses), the crudware is already on your computer.  You may or may not actually get infected.  If it's dropped from the server, you will NEVER get infected.

Ok.

Point (2): It is easy to configure an smtp server to deliver mail to 'virtual' addresses ... that is, mail seemingly addressed to jsimmons@xxxx.com is "mapped" to odinn7@xxxx.com.  If you are getting his mail, it seems like the server is thus configured, which is likely an accident.

Alternatively, and probably more likely, the "To:" header you see in those messages is not really the addressee.  That header is called "Envelope-To:".  This means the "To" header may be being spoofed to appear as though it is to jsimmons.

You see this (legitimately) all the time on mailing lists, where the "To" header is to the list, but the "Envelope-To" header is the individual recipient's address.  In effect, the list manager software rewrites the "Envelope-To" address with the actual recipient's address.

You can think of it this way.  The "Envelope-To:" header is the, well, address on the virtual 'envelope.'  The "To:" header is simply like the person you give the envelope to, to deliver for you.  Most of the time, that is the person you are sending the message to, but other times, it's an intermediary.

Anyway, spoofed headers are very common in spamming.  Yet another reason to dump it from the server and not rely on your client based filtering (which is LAST resort, not only resort).

Hope this helps.

------------------------------------------------------------------------------------------------

Professor Hathaway:  I noticed you stopped stuttering.
Bodie:      I've been giving myself shock treatments.
Professor Hathaway: Up the voltage.

--Real Genius

Brother Ragnarok

It's not just you, Ulthar.  Outlook is crap.  Why anyone would use a mail system that requires you to sit there waiting for all your messages to download when you can use something simple like Yahoo, where it's all right there, right away, is beyond me.  I understand that businesses use it because you can network it and all that good stuff, but it's still a clunky bunch of crap.

There are only two important things in life - monsters and hot chicks.
    - Rob Zombie
Rape is just cause for murdering.
    - Strapping Young Lad

Menard

I, unfortunately or not, have several e-mail addresses. I used to have one, which was with a free provider, but after more than a year of having it they disabled my account. They would not tell me specifically why other than saying that it was due to apparent bandwidth abuse, which was interesting how I went from 10% bandwidth to using it all without sending an e-mail.

It was curious that this happened to correspond with the same date that they upgraded their service for paid subscribers, which had me wondering if they were just dropping free accounts that had not upgraded.

The biggest problem that was obviously caused by this was scrambling to get another e-mail account and inform as many people and services as I could about the change.

I now keep several accounts just in case another situation happens where I lose my account. My only paid account is with Runbox. I really like that one since they have an optional text only sign-in which means that I can check my e-mail easily with my Philips Nino PPC.

And, in case somebody was wondering, I do e-mail myself regularly to keep the extra accounts active.


Brother Ragnarok

> And, in case somebody was wondering, I do e-mail myself
> regularly to keep the extra accounts active.

No, I wasn't wondering, but you are a sad little man  ;)


Menard

Brother Ragnarok wrote:

> > And, in case somebody was wondering, I do e-mail myself
> > regularly to keep the extra accounts active.
>
> No, I wasn't wondering, but you are a sad little man  ;)
>


(sniff) Yes...yes....I am. I have to get e-mails from somebody.  (:


odinn7

Thanks for the suggestions. And Mr. Hockstatter, thanks for trying to help but I would really rather avoid having this spam hit my system at all if I can.
Unfortunately, since this is happening at work, I am stuck with what I've got which is OE. I am not allowed to change too much on my computer because the guy that takes care of our system (the little troll from the front office that thinks he's a computer wiz) will have some kind of fit and complain to the owners who then get sick of hearing the complaints and then...well, you know how it goes. When you say spam filtering at the SERVER, you're talking about the server inside our building that we're all networked to? No sir, nothing there, not even a firewall. We are completely unprotected except for that crap Norton program that's on the server that still allows a virus now and then to affect the idiots in the front who view porn at work. The company I work for is unwilling to spend the time or money to give us the protection we need for various reasons. One of the main reasons being the troll that I referred to earlier. He has them convinced that all is well. To give you an indication of why they believe him, I will only say that one of the owners is receiving 80+ spams a day and just seems to think there's nothing that can be done about it but to let it continue. Even I know better.
Would I be able to contact the company that we get our service from and notify them about this particular spam and have them do something about it? Would that be an option at all? Also, in those examples above, is the mail really coming from derzeit.de or only from where the ip address indicates? I suspect derzeit.de has nothing to do with it at all but would I be correct in assuming that it is most likely the same person doing it since they all say derzeit.de?
Thanks again.



Post Edited (02-11-05 07:41)

AndyC

I've been there before. The company has the money to buy the technology, but the boss is too cheap to hire a halfway decent person to take care of it, and too computer illiterate to know better. So the job either falls on an existing employee who seems to know what he's doing, or to some cheap outside guy who took a correspondence course and generally only makes things worse when he tries to fix something. Then he blames the users. Glad those days are over for us.

In spite of its drawbacks, I don't mind Outlook Express for my purposes, but it has no real anti-spam features to speak of. I use Trend Micro PC-Cillin, which does a nice job of catching viruses and spam. Of course, you probably won't be allowed to install it.

---------------------
"Join me in the abyss of savings."

odinn7

Exactly right...the job fell to an existing employee who basically was here to do payroll and answer phones but he showed that he knew what he was doing with computers...hah-ha...and they fell for it.
The best was 3 years ago when he got a forwarded e-mail about the supposed "bugbear" (or a variant) virus. He was going to all the computers here and searching for it and of course, he found it on every machine. After deleting it on the 8 computers in the front office he headed back to my area of the shop. When he got to me and told me to move out of the way so he could get to my computer, I asked him why. He told me about the "virus" and I said something along the lines of "you mean that hoax?" and then I showed him on the hoax page where it was listed. Think he felt stupid?


ulthar

Okay, there are a couple of points here that you can make TO YOUR BOSS that will help the situation.  First of all, don't do anything behind the troll's back; ask the boss for a meeting between the three of you.

With your boss, ask him if he LIKES wasting money.  If the answer is no, tell him that you have some suggestions that will make the company employees more productive and will therefore save $$$.  You have to hit him where it counts...that old bottom line.

First:
Mozilla Thunderbird and Firefox are FREE, and very easy to use.  Seriously, get rid of OE and IE.  If you do, then you don't have to run quite so many pop-up blockers and such.  In short, your systems will be simpler and therefore run cleaner.  (Incidentally, I was asked by SiteProNews.com to write an article about just this very thing; my submission is in their queue, so it has not been published online yet.  I THINK I have some credibility here).

Second:
Get some spam/virus stuff running on that server and stop depending on users/client computers to provide what is basic system security.  The whole purpose of having a server is to centralize software that should be centralized (for efficiency and security).  I am assuming that the server includes a mail server (i.e., that mail goes from Internet to your server, then to your client computers); if not, the anti-spam/virus stuff on the server should be at your ISP.

Your troll will actually benefit from both of these suggestions and here's why:  It will lower his "reactive" work load and enable him to concentrate on "proactive" administration; in other words, he will be able to maintain a working system rather than constantly fixing a broken system.

Third:
Your company needs to have decent user security policies in place, AND A MEANS TO ENFORCE THEM.  This does not mean having users sign over their first born; it does mean having some basic common sense practices rewarded and violations of those punished.  Someone you don't know sends you 'that cool new screensaver' and you click it?  Oh, infected the whole company network did you? BAM.  You should be forced to watch "The Cars that Ate Paris."

Fourth:
Ask your boss to call me for a free phone consultation if he wants a third party opinion.  Running an office client-server network is a little more than 'knowing a bit about computers.'  I'll be happy to answer some specifics.  I'm not flying all the way to the west coast to install Thunderbird on your office computers, so I ain't trying to sell him something for my own financial gain. (though I do know of some folks out there that I would trust to do a good job).

Finally, about these specific spams.  The "From" header can be spoofed just as well as the "To" header, so that origination domain may or may not be accurate.  I've found that a politely worded email to the technical contact for the domain will either (a) determine that they are not the offenders, or (b) get the offending user kicked off their server if they are a legit hosting company (they don't want the bad rep of having spammers using their domain), or (c) no change.  To find the technical contact, do a whois lookup on the domain.  But, this is best for the true origination domain.

Many current malware products set up ordinary users' computers as 'zombie hosts' (hey, that fits right in on this site, and I just had a movie idea..zombie computers taking over a town-er, uh-huh, back to my point).  These zombies act as relays for spammers unbeknownst to the computer owner.  So, you might get a spam from littleoldlady@innocent.com even though that lady has no idea her computer is infected with such a program.

And finally, a word about Norton Antivirus.  Uh, I think it was JUST YESTERDAY that Symantec released an announcement that THEIR OWN VIRUS SCANNER can cause execution of malicious code.  Also, the virus scanner is ALWAYS one step behind the malware, and that's even if you are very diligent in keeping your definitions up to date.  Who was it that said "An ounce of prevention is worth a pound of cure"?  Why Wilma Flintstone, of course.

Dumping Internet Explorer and Outlook/Outlook Express will go A LONG WAY to preventing viruses/spyware infections.  The reasons are technical (I'll be glad to share them if anyone is interested). Look, I no longer allow any computer running Windows to even have an internet connection, but a long time before I got all my systems migrated to Linux, I did switch to (then) Firebird and Thunderbird.

Spyware went to zero.  Viruses went to zero.  Zip.  As in none.

I even quit scanning for spyware.

Other products (besides Outlook/Outlook Express) have better last resort antispam capability, too.

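Ulthar's two points above (the "derzeit.de" in the Received: line is only the name the sending machine announced, the bracketed IP is what odinn7's server actually saw, and the To:/From: headers can both be spoofed) can be checked mechanically. The following Python is an added example, not code from the thread: it parses the two quoted spam headers (the relay name the thread redacted is replaced by the placeholder mx.example.test, and the addresses are constructed) plus one constructed legitimate message for contrast.

```python
import re

# Constructed samples modelled on the two spams quoted in the thread. Only the
# host names and IPs come from the thread; the relay and addresses are placeholders.
SPAM_1 = """Received: from derzeit.de (host103-64.pool81114.interbusiness.it [81.114.64.103])
 by mx.example.test
 Thu, 10 Feb 2005 02:10:19 -0500 (EST)
To: jsimmons@example.test
"""
SPAM_2 = """Received: from derzeit.de (unknown [200.121.129.163])
 by mx.example.test
 Thu, 10 Feb 2005 02:20:22 -0500 (EST)
To: jsimmons@example.test
"""
# Constructed legitimate message for contrast: HELO name agrees with reverse DNS.
LEGIT = """Received: from mail.example.org (mail.example.org [192.0.2.10])
 by mx.example.test
 Thu, 10 Feb 2005 09:00:00 -0500 (EST)
To: odinn7@example.test
"""

# "from <HELO name> (<reverse DNS name> [<connecting IP>])" as written by sendmail/postfix-style MTAs
RECEIVED = re.compile(r"^Received: from (?P<helo>\S+) \((?P<rdns>\S+) \[(?P<ip>[\d.]+)\]\)", re.M)


def analyse(raw, my_address):
    """Split the first Received: line into what the sender claimed (HELO name)
    and what the receiving server observed (rDNS name and connecting IP)."""
    text = re.sub(r"\r?\n[ \t]+", " ", raw)  # unfold RFC 2822 continuation lines
    m = RECEIVED.search(text)
    if not m:
        raise ValueError("no parseable Received: header")
    helo, rdns, ip = m["helo"].lower(), m["rdns"].lower(), m["ip"]
    to = re.search(r"^To:\s*(.+?)\s*$", text, re.M)
    return {
        "helo": helo, "rdns": rdns, "ip": ip,
        # The HELO name is typed by the sending machine; rDNS and IP were looked up by our server.
        "helo_matches_rdns": rdns == helo or rdns.endswith("." + helo),
        # A To: header naming someone else means the SMTP envelope, not this header, routed the mail.
        "to_is_me": bool(to) and to.group(1).lower() == my_address.lower(),
    }


if __name__ == "__main__":
    for label, raw in (("spam 1", SPAM_1), ("spam 2", SPAM_2), ("legit", LEGIT)):
        print(label, analyse(raw, "odinn7@example.test"))
```

For both spams the announced name has no relationship to the observed host, so the IP (and its owner, via whois) is the only lead worth reporting; the legitimate sample passes both checks.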