PGTS Pty. Ltd.   ACN: 007 008 568
PGTS Elephantine Blog

Thread: Internet Security/Malware/Spam


Keeping My Powder Dry

Date: Mon, 21 Jul 2008 20:14:31 +1000

When I started this site in 2002, I wrote a series of Articles on Spam, which I called The Spam Diaries, in which I stated at the outset that I do not have an issue with Unsolicited Commercial Email (UCE).

However, when it is sent in Bulk, it is an entirely different kettle of fish. There are a number of organisations today that are building Internet businesses based on this operation (which I sometimes refer to by the acronym BUCE).

Of course, it depends on how you define Spam. One of the things that seems to have been forgotten is that BUCE was one of the original definitions of spam. Just because it has genuine headers, and is not pornography, or not about penis enlargement, mortgage financing, dodgy software, Rolex watches or a 419 scam, some people are inclined to think that it isn't spam.

These days, IT journos and bloggers would have us believe that the Internet is flooded with spam. Most agree that spam now accounts for the majority of email traffic and the spam share is still increasing! Various online and newspaper articles, on the topic, have cited estimates ranging from sixty to ninety percent. However there doesn't seem to be much (on the Internet) that gives hard evidence to back such claims.

In the PGTS domain, my own email accounts receive most of the email. The inbound email traffic at the PGTS Mail Transport Agent (MTA) varies from about 130 per day (around Christmas) to 70 per day. Most of this inbound traffic (about eighty percent) is swatted down immediately by one of the Real Time Black Lists (RTBL) that the MTA uses.

An RTBL is a list of addresses suspected of sending spam. If an MTA has been configured to use RTBL technology, it will refuse to negotiate with any address in a Black List. Because this happens at the point where the email enters the domain, it is the most efficient of all anti-spam measures.

On average about thirty emails get through the RTBLs and are routed to one of my email accounts. However only half of these make it to my inbox. The mail in the PGTS domain has been configured using procmail and Spam Assassin. These are two open source utilities that exhibit the usual high standards of performance and quality typical of most open source software.

After Spam Assassin has dispatched any suspects, the remaining emails go to my inbox.

So taking my own accounts as examples, over ninety percent of the email traffic intended for them was indeed spam. However this does not mean that ninety percent of the email was spam. About seventy-five percent was stopped by an RTBL. And since this is, effectively, a shoot-on-sight policy, such traffic takes up only a few bytes of bandwidth and a couple of milliseconds of processing time. Also the remaining spam is weeded out by Spam Assassin, admittedly at greater expense, since it examines the headers and content of the email, in order to decide whether it qualifies as spam.

The end result is about one spam email every second day. And lately this is decreasing!

And so, I get about three spam emails per week. In other words about two percent of all email.

Now you, dear reader, might be wondering at this stage: Why bother? Why don't I just get a life!

Good question really! Sometimes that thought does cross my mind. But only for an instant. I don't want to abandon my email address. And if I took no preventative measures at all, I would be struggling to find the genuine email in my inbox. It's a bit like professional pride I guess. And as I said, I have found the combination of RTBL and Spam Assassin so effective, it has left me with little more to do than to occasionally verify that there have been no false positives in the assassinated folder. To date there haven't been.

In any case, I was doing this (checking the assassinated folder) at the start of the month. The majority of it was the regular scams and frauds that are easily recognised, plus some BUCE. And while reviewing it, I was reminded of a small group of about forty emails from a group that calls itself Training Australia Magazine.

I had forgotten all about this group. I received the first of what would prove to be many emails from this organisation on Wed Oct 31 11:22:23 2007. It contained links to many products, none of which I had any interest in, and which included the following unsubscribe box at the bottom:
Training Australia Magazine Subscription Information
You have received this eMail because you are a registered user or
subscriber to our free online and/or hard-copy edition of Training
Australia Magazine and products and services, have requested information
from us at one of the many trade shows and conferences we organise or
attend each year, or have subscribed to our eZine mailing list through our
web-site. We apologise if you did not wish to receive this notification.
Please click here Unsubscribe
http://email.faxem.com.au/download/forms/u/5af6407/807028884.html to
unsubscribe from our mailings.
Or, send an email to unsubscribe_at_trainingaustraliamagazine.com.au with
"unsubscribe" in the subject line ….thank you.

------------------------------------------------------------------------


---------------------------------------------------------------------------
This email was sent by Training Australia Magazine,
www.trainingaustraliamagazine.com.au, PO Box 6127, Parramatta BC, NSW 2150
Australia to info_at_pgts.com.au

Unsubscribe:
http://email.faxem.com.au/download/forms/u/5af6407/807028884.html
---------------------------------------------------------------------------

Oh really? (I thought at the time) ... But ... I don't recall subscribing to them or buying any products from them? <sarcasm> Maybe I'm getting a little forgetful in my old age? </sarcasm> One thing for sure. If I ever did buy one of their products and I gave them my email address (and for those readers whose browsers do not render sarcasm tags, I can assure you that I really did not), I certainly would never have ticked the box that says please send me annoying, irrelevant promotional email regularly. And even if I had taken temporary leave of my sanity, and done something so out of character, I would not have used the address info_at_pgts.com.au. To date, that address has mostly been harvested by spammers who visit my site and ignore my warnings. Which is a sad comment on the state of the Internet today.

As already stated, this annoying phenomenon, often referred to as Unsolicited Commercial Email, is one of the constant nuisances of life on the Internet today, and when it is sent in Bulk, it is, believe it or not dear reader, against the law in this wide brown land of ours.

Oh well, (I thought further, at the time), Spam Assassin will take care of these turkeys!

And indeed, after a while, Spam Assassin learned to send all mail from Training Australia Magazine to the Spam folder.

The emails continued to arrive, of course, but I never saw them.

But having been reminded about them, I decided to do a little investigation. Their website seemed ok. It had far too many flashing gadgets and widgets of the mouseover variety, and very little information. But that same criticism can be levelled at most websites today. The site gave contact details and it seemed legitimate. However, although they advertise their cover story on the website, clicking on the link will take you to a subscribe form.

Yes, well I already know about that, because it seems as though I have been subscribed. Funny? I didn't realise that it could be a passive verb.

Also the method of navigating to their site was very complex.

Although the email claimed that it was sent on behalf of trainingaustraliamagazine.com.au, the ultimate content provider was another domain (beinghuman.com). And the link to it was being served by yet another organisation (faxem.com.au).

To top it off, the server that sent the email was yet another organisation, a Sydney based company called Ultraserve Internet Connections.

The emails, considered as a group, showed a gradual evolution. The first ones included an HTML attachment and a text attachment (which is the recommended format for HTML emails). However, the more recent emails are HTML only (which actually earns a higher score with Spam Assassin).

Using a script I wrote previously (during the Spam Diary days), I extracted a table of all the servers from the headers of those particular emails.

The first thing I noticed was that the IP address seemed to be constantly changing. And at one stage the netblock had changed. The constantly shifting IP address, which is Standard Operating Procedure for spammers, and the long, winding and complex delivery chain linking the email to the content provider, all seemed highly dubious.
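As an added illustration (not the author's script), here is a small Python parser that does the two things this post leans on: it walks the Received: headers of a raw message to produce the hop table (origin first, with the IP each MTA saw and the /24 it falls in, so a batch of messages can be compared for the shifting addresses and netblocks described above), and it builds the reversed-octet DNS name that an RTBL-aware MTA queries for a connecting address. The sample message, its hostnames and addresses, and the 'dnsbl.example' zone are constructed placeholders, not values from the emails discussed here.

```python
import re
from email import message_from_string
from ipaddress import ip_network

# Constructed sample (not one of the post's emails); hosts and addresses are
# documentation ranges chosen for illustration.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.org with ESMTP id abc123
\tfor <info@example.org>; Wed, 31 Oct 2007 11:22:23 +1100
Received: from relay.example.com (unknown [198.51.100.7])
\tby mx.example.net with SMTP; Wed, 31 Oct 2007 11:22:10 +1100
Received: from [203.0.113.42] (helo=bulkmailer.example)
\tby relay.example.com; Wed, 31 Oct 2007 11:21:50 +1100
From: news@example.com
Subject: Newsletter

"""

_FROM_RE = re.compile(r'\bfrom\s+(?P<host>\S+)(?:\s*\((?P<info>[^)]*)\))?', re.I)
_BY_RE = re.compile(r'\bby\s+(?P<by>[^\s;]+)', re.I)
_IP_RE = re.compile(r'\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]')

def parse_received(raw):
    """Relay chain, origin first. Each MTA prepends its own Received: header,
    so the last header in the message is the first hop."""
    hops = []
    for value in reversed(message_from_string(raw).get_all('Received', [])):
        line = ' '.join(value.split())            # unfold continuation lines
        m = _FROM_RE.search(line)
        if not m:                                 # "Received: by ..." (local)
            continue
        info = m.group('info') or ''
        ip = _IP_RE.search(info) or _IP_RE.search(m.group('host'))
        by = _BY_RE.search(line)
        hops.append({'from': m.group('host').strip('[]'),   # announced name
                     'ip': ip.group('ip') if ip else None,  # address seen by MTA
                     'by': by.group('by') if by else None}) # MTA adding header
    return hops

def origin_netblock(hops, prefix=24):
    """Network of the first hop's address; compare across a batch of mails
    to see the shifting netblocks the post describes."""
    return str(ip_network('%s/%d' % (hops[0]['ip'], prefix), strict=False))

def dnsbl_query_name(ip, zone):
    """Reversed-octet name an RTBL-aware MTA looks up for a connecting IP
    (zone is the blacklist's DNS suffix; 'dnsbl.example' is a placeholder)."""
    return '.'.join(reversed(ip.split('.'))) + '.' + zone
```

Only the announced hostname is under the sender's control; the bracketed IP is what the receiving MTA actually saw, which is why the table is keyed on it.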

Before reaching for my blunderbuss, I investigated the organisations that owned the netblocks. What I discovered left me bemused. All of the various companies in the delivery chain appeared to have genuine addresses and contact details! Furthermore I was able to discover the ACN and/or ABN of every one of them!

In addition to this, all of the alleged mail hostnames appeared genuine, as did the DNS entries and the whois entries.

The clincher was the email headers, all of which appeared genuine and purported to have originated from similar netblocks (owned by Telstra Internet), using the same Telstra Account (also in the headers).

Surely this could not be the work of spammers, could it? If it were, it would be like tracking a herd of elephants walking through a fresh fall of snow!

This prompted me to re-read the Australian Spam Act 2003, which was framed as opt-in legislation.

After which I concluded that these emails could be legitimate, provided (and this is the important provision) that my inclusion on the list was a genuine mistake! Perhaps the result of a rather zealous online worker, getting my phone number from the contact page and then ringing me (or perhaps intending to ring me), and including the info address (also available from the same contact page) in the mailing list.

One of the things I became cynical about (from the Spam Diary Days) was unsubscribe links. However in this case, the acid test would be the Opt-out Facility, included in each email (as provided for in the Australian legislation).

If the Opt-out Facility worked permanently then everything was ok. If they continued to send me email, then I would declare them to be spammers. So I tried the Opt-out Facility on Saturday July 5th at about 21:00 hours.

And to date, I have not received another email from them.

Although I must give them the benefit of the doubt, I have to say that it could be a serious mistake to include any name on a mailing list, without confirmation that the recipient really has opted in.

In my next blog entry I will talk about a couple of organisations whose BUCE activities have strayed to the less legitimate side of the street.

Copyright     2008, Gerry Patterson. All Rights Reserved.