Simple question; complicated answer
“Where does a spam message come from?”
This question seems as though it ought to be easy to answer, and it can be, but it is a rather vague question, and many people aren’t sure what they mean when they ask it. A good first step in understanding the problem of unsolicited bulk e-mail is to come to grips with this question, and fortunately this does not require a great deal of technical expertise — you need only draw on a far more familiar communications medium that you probably already understand.
Where does a postal letter come from?
We can eliminate the annoying technical stuff from the problem by turning to the world of postal mail (which the world of e-mail resembles to a remarkable degree). To wit: suppose you get a letter from your Aunt, who is apparently on vacation in Europe. The letter is written on the stationery of the Hotel Splendide, and came in an envelope imprinted with the return address of that fine institution. Now: where did this letter come from?
- The person who wrote it? Obviously, you might snort, the letter came from your Aunt because she wrote it. Or, did she? It could have been someone else posing as your Aunt. Short of being able to detect forgery of her handwriting, can you really be sure?
- The location where it was written? The letter came on Hotel Splendide stationery, so we can figure that it was written there, right? Not really; perhaps your Aunt (assuming for the moment that she really is the author) might have written it in a café down the street, or she may even have “borrowed” the stationery from the four-star Splendide to hide the fact that she is really staying at the economy-minded Pension Flohensack around the corner. She might even have written it on her return flight, or back at home where postage is cheaper.
- The location where it was handed off to be mailed? Here again, we can’t be entirely sure about this; perhaps your Aunt gave it to the desk clerk at the Splendide to be mailed, or maybe she dropped it in a postal box at the end of the block (or even at the airport on her way out of town). It could even have fallen out of her purse while she was touring Zambezi Falls, whence some helpful stranger picked it up and dropped it in the box for her.
As you can see, we can poke quite a few holes in this seemingly simple affair if we examine it closely (and I could actually go even further with this hair-splitting). Of course, in most cases, you could simply assume that the message did come from your Aunt while she was staying at the Splendide — but what if this was the last word that you or anyone else had heard from her in some weeks? Perhaps she has been injured, kidnapped, or worse, and the matter now has to be turned over for police investigation. All of a sudden, all of these silly ifs, ands, and buts can become very significant indeed.
Fortunately, postal letters do have a piece of information that we can use to get a reliable, official fix on their origins. When mail is turned over to a post office, it will be stamped with a postmark that gives the location of the particular branch office, as well as a time and date. We can assume that this postmark is valid (or, at least, more likely to be valid than anything else on or inside the envelope). So, although we may not be able to learn much more from the letter (without the aid of fingerprint experts, handwriting analysts, or the like), we can now at least pinpoint (to within a few miles) the location where the letter was dropped off for delivery.
To sum up — if you believe that the letter really is from your Aunt, then you can probably rely upon the other information it contains. If the letter is suspect, however, nearly all of these details are questionable as well, and you must be very careful not to draw any false conclusions from them. The only reliable information you may have immediately at hand is the “official” postmark applied by the post office.
Meanwhile, back to e-mail
Electronic mail poses the same kinds of forensic problems as do postal letters. If we believe that an e-mail message we receive has been sent by an honest correspondent, then we can assume that the various details associated with it (such as the return address) are valid; on the other hand, if we decide that the message is spam, we cannot trust most of these details and should not assume that they are correct.
And so, we ask again: where did that spam e-mail come from?
- From the “owner” of the return e-mail address it bears? Nope. The return addresses you see in e-mail are not used in the delivery of mail, so they simply have no use or relevance to the machines that send outgoing mail. They are only useful to the human recipient, to tell him who the message may be from, and to enable him to reply conveniently if he wishes. Since the spammer wants to deceive you as to his identity, and does not (in most cases) want to get e-mail replies from you, he has no need for valid return addresses, so he does not provide them. Instead, he uses his bulk-mailing software to inject forged or stolen addresses into his messages.
- From the internet service associated with the return address? Again, no. We already described above how return addresses in spam are usually completely fictitious, so it follows that any particular parts of them will be unreliable as well. So, if you get a spam that purports to be from “simon@cashhorse.foo,” you needn’t bother pursuing the matter with cashhorse.foo any more than you would with Simon himself.
- From the “network space” associated with that service? Not here, either. Recall that your Aunt can drop her letter to you into any mailbox in the world, and does not have to wait until she gets home to her own branch post office. Likewise, we can send e-mails from many places (e.g., using wireless services in hotels or coffee shops) and we do not have to be anywhere close to our home or office internet setups to do so. We can use our return addresses even with such “away-from-home” mailing, because an e-mail address is not an absolute identifier or a geographic fix: it is simply a bit of information that tells the recipient how to respond to us if he wishes. If we don’t want the recipient to know who we are, and don’t want to hear back from him, then we can lie about our return addresses (as the spammers do).
You may have guessed by this point that e-mail messages have the equivalent of a postmark; in fact, they do, and it is located in portions of the message “header” that are normally not visible to the recipient. While spammers can (and do) manipulate and forge header information, there is one important item they cannot (as yet) tamper with: the IP address of the host that handed the message to your incoming mail service. Once we extract this address from the message (through rigorous analysis of the header), we can then determine the internet service responsible for operating the address, and can then send a report advising this service that the address has been used for spamming. This sort of reporting goes on millions of times per day, which is barely a drop in the bucket compared to the total volume of spam, but which does tend to keep the pressure on providers to fortify their networks against subversion by spammers.
And so, when you speak to a seasoned spam-fighter, this is most likely the answer you will get to your question: the spam message came from a specific host at a specific IP address, a host that was used (most likely indirectly and fraudulently) by a spammer. We cannot automatically derive very much additional information from the e-mail itself (because we have just declared it to be untrustworthy); we have to rely upon law-enforcement folks to track down the spammer using real-world detective work in addition to further cyber-world investigation.
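As an added example that is not part of the original article: the e-mail “postmark” lives in the Received: header that your own incoming mail server prepends at the moment the sending host connects to it. The Python below, run over a constructed sample message, trusts only the Received: line written by the hypothetical server mx.example.net and reads the connecting host's IP address from it, ignoring the lower lines that arrived with the message and may have been forged by the sender.

```python
import email
import re

# Constructed sample message, not a real one. The topmost Received: line
# was written by our own server; every line below it came with the message
# from the sender and could be fabricated.
SAMPLE = """\
Received: from mail.cashhorse.foo (unknown [203.0.113.45])
\tby mx.example.net (Postfix) with ESMTP id 4F2A1
\tfor <you@example.net>; Mon, 01 Jan 2024 10:00:00 +0000
Received: from forged.example.org ([198.51.100.7])
\tby mail.cashhorse.foo with SMTP; Mon, 01 Jan 2024 09:59:00 +0000
From: "Simon" <simon@cashhorse.foo>
To: you@example.net
Subject: hello

body
"""

TRUSTED_HOST = "mx.example.net"  # hypothetical name of our own mail server
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def handoff_ip(raw_message, trusted_host=TRUSTED_HOST):
    """Return the IP that connected to trusted_host, or None if not found.

    Each relay prepends its own Received: line, so the first line claiming
    'by <trusted_host>' is the one our server wrote: it records the final
    hand-off. A forged copy lower in the chain is never reached because we
    stop at the first trusted match.
    """
    msg = email.message_from_string(raw_message)
    for hdr in msg.get_all("Received", []):
        flat = " ".join(hdr.split())          # join folded continuation lines
        from_part, _, by_part = flat.partition(" by ")
        if not by_part.startswith(trusted_host):
            continue                          # not stamped by us: untrusted
        match = IPV4_RE.search(from_part)     # bracketed address seen by our MX
        return match.group(1) if match else None
    return None


if __name__ == "__main__":
    print("handed off by:", handoff_ip(SAMPLE))   # 203.0.113.45
```

Passing a different trusted_host shows why the choice matters: trusting the sender's own relay name would return the address it claims rather than the one our server observed.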