Unauthorized email
WYDave
Posted 12/5/2006 02:37 (#69454 - in reply to #69194)
Subject: RFC-822, Canned pork byproducts and you
Wyoming

I don't want to get all uber-geek on y'all, but here's the full pile of poop about why you look at the message and think "This isn't even addressed to me... so why did I get this crap?!"

Spammers depend on the fabulously open-ended email protocol known as "SMTP" -- Simple Mail Transfer Protocol -- to splatter their crap all over the place. SMTP, the protocol, and Sendmail, the typical SMTP server on a Unix system (and the various botched implementations on Windows machines) are just rife with holes that you could drive a truck through.

To figure out what really happened for a message to arrive in your email client, you have to look at what are called the "RFC-822" headers on a message. These headers are typically never shown to you, even if you ask for "full headers" in your email program. In the world of Windows, you need to ask your email client (Outlook Express, Thunderbird, Netscape, etc.) to "View Source" while you have the message selected, or you need to open the message and view the message source.

Here is an RFC-822 header dump from a piece of spam that I got recently. I'll decode it below for everyone's amusement:


Return-Path: <[email protected]>
Received: from samson.email.starband.net ([unix socket])
    by samson (Cyrus v2.2.1-BETA) with LMTP; Mon, 04 Dec 2006 12:37:53 -0500
X-Sieve: CMU Sieve 2.2
Received: from apollo.email.starband.net ([10.78.249.32])
    by samson.email.starband.net (8.13.6/8.13.6) with ESMTP id kB4HbqQn014623
    for <[email protected]>; Mon, 4 Dec 2006 12:37:52 -0500
Received: from matrix.bielsko.n4a.pl (KIM3.bielsko.n4a.pl [195.128.172.58])
    by apollo.email.starband.net (8.12.11/8.12.11) with SMTP id kB4HbR35017008
    for <[email protected]>; Mon, 4 Dec 2006 12:37:31 -0500
Message-ID: <001801c717d3$42d78f70$01758f74@matrix>
From: Stan Anaya <[email protected]>
To: [email protected]
Subject: Or do secondary
Date: Mon, 4 Dec 2006 18:37:33 +0100
MIME-Version: 1.0
Content-Type: multipart/related;
    type="multipart/alternative";
    boundary="----=_NextPart_000_0015_01C717D3.42D78F70"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2462.1409
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2462.0000

OK, here we go:

It says the message is from

Stan Anaya <[email protected]>

right?

Wrong. Here's who was actually talking to Starband.net's SMTP server:

Received: from matrix.bielsko.n4a.pl (KIM3.bielsko.n4a.pl [195.128.172.58])
    by apollo.email.starband.net (8.12.11/8.12.11) with SMTP id kB4HbR35017008

See that ".pl" on the end? That means the sender was in Poland. Or at least the domain for the sender's IP address was registered as being a ".pl" IP network. See that "[195.128.172.58]"? That's the actual source IP address that connected to Starband's mail server. That part can't be false; the IP address might disappear after the message was sent, but that IP address had to exist to finish sending the message.

Soooo.... let's do a little sleuthing and see just where this leads, eh? Let's see if the domain is registered... yep, it is:

Domain object:
domain:       n4a.pl
registrant's handle: nsk87997 (CORPORATE)
nservers:     ns1.n4a.pl.[62.111.198.122]
              ns2.n4a.pl.[62.233.231.46]
created:        2001.03.22
last modified:  2005.03.25
registrar: NASK
ul. Wawozowa 18
02-796 Warszawa
Polska/Poland
+48.22 3808300
[email protected]

option: the domain name has not option

Subscribers Contact object:
company:  INTEGRATOR SIECI ROZLEGLYCH "NET4ALL" SP. Z O.O.
street:   UL. KATOWICKA 47/511
city:     41-500 CHORZOW
location: PL
handle: nsk87997
phone:  +48.327713322
last modified: 2003.07.15
registrar: NASK
ul. Wawozowa 18
02-796 Warszawa
Polska/Poland
+48.22 3808300
[email protected]

OK, so we now have a domain, the domain contact info, etc. And indeed, it appears to be in Poland.

By doing a "traceroute" on the source IP address above, we indeed find that the IP address is within this domain's network list.

But... wait a minute -- the "From:" line said that it was sent by some guy at "skiresorts.com", right? Well, so who is that guy?


   Registrant:
      SkiResorts.com LLC
      Rob Elam
      300 Queen Anne Ave N #270
      Seattle, WA 98109
      US
      Email: [email protected]

   Registrar Name....: REGISTER.COM, INC.
   Registrar Whois...: whois.register.com
   Registrar Homepage: www.register.com

   Domain Name: skiresorts.com

      Created on..............: Sat, Oct 19, 1996
      Expires on..............: Thu, Oct 18, 2007
      Record last updated on..: Fri, Oct 27, 2006

   Administrative Contact:
      Katabak Corp
      Greg Prosl
      300 Queen Anne Ave N #270
      Seattle, WA 98109
      US
      Phone: +1.2063569962
      Email: [email protected]

   Technical Contact:
      Katabak Corp
      Greg Prosl
      300 Queen Anne Ave N #270
      Seattle, WA 98109
      US
      Phone: +1.2063569962
      Email: [email protected]

Let's go to http://www.skiresorts.com/... looks completely legit. Hmmm. Doesn't look like he's in Poland, does it?

So, what happened here? Well, someone in Poland sent spam to me, claiming to be from "skiresorts.com".

In SMTP, I can fake what the "To:" and "From:" lines read that show up in your email program by using a non-email program to talk to an SMTP server. I can use a terminal program to telnet to an SMTP server directly. Go ahead and try this sometime -- you'll find that if your SMTP server is at "mail.foobar.com" and you do a "telnet mail.foobar.com 25" -- you'll connect to any SMTP server at that address. If the email administrator isn't too bright, you can enter the command "HELP" and hit a return and get some results. If your email admin is bright enough, then you enter "HELO" and hit return and you'll see some feedback. If you know the full SMTP protocol, you can connect to any SMTP server with a telnet client and knock off a spoofed email message. Lots of fun for the whole family!

Only by looking at the actual RFC-822 headers, as I did above, can you find out where the actual SMTP session that resulted in this crap being deposited in your mailbox started.
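The header decoding walked through above (the Received: chain, and the From: line that it contradicts), as an added example that is not part of the original post: a Python script that parses the Received: headers, finds the hop where the outside world handed the message to the recipient's own mail servers, and compares that hop with the domain the From: line claims. The header text is the post's own dump, re-folded, with the addresses the post redacts replaced by placeholder addresses; the set of trusted servers is an assumption made for the example.

```python
import email
import email.utils
import ipaddress
import re
from typing import Dict, List, Optional

Hop = Dict[str, Optional[str]]

# Constructed sample: the header block quoted in the post, re-folded (continuation
# lines indented) and with the redacted addresses replaced by placeholders.
SAMPLE_HEADERS = """\
Return-Path: <bounce-redacted@example.invalid>
Received: from samson.email.starband.net ([unix socket])
\tby samson (Cyrus v2.2.1-BETA) with LMTP; Mon, 04 Dec 2006 12:37:53 -0500
X-Sieve: CMU Sieve 2.2
Received: from apollo.email.starband.net ([10.78.249.32])
\tby samson.email.starband.net (8.13.6/8.13.6) with ESMTP id kB4HbqQn014623
\tfor <recipient@example.invalid>; Mon, 4 Dec 2006 12:37:52 -0500
Received: from matrix.bielsko.n4a.pl (KIM3.bielsko.n4a.pl [195.128.172.58])
\tby apollo.email.starband.net (8.12.11/8.12.11) with SMTP id kB4HbR35017008
\tfor <recipient@example.invalid>; Mon, 4 Dec 2006 12:37:31 -0500
Message-ID: <001801c717d3$42d78f70$01758f74@matrix>
From: Stan Anaya <sender-redacted@skiresorts.com>
To: recipient@example.invalid
Subject: Or do secondary
Date: Mon, 4 Dec 2006 18:37:33 +0100
"""

# Assumption for the example: the recipient's own mail servers. Only Received:
# lines stamped by these hosts are trusted; anything below them was written by
# somebody else's software and could say anything.
TRUSTED_MTAS = {"samson", "samson.email.starband.net", "apollo.email.starband.net"}

RECEIVED_FROM = re.compile(r"\bfrom\s+(?P<helo>\S+)(?:\s+\((?P<paren>[^)]*)\))?")
RECEIVED_BY = re.compile(r"\bby\s+(?P<by>\S+)")
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
RDNS = re.compile(r"^([^\s\[]+)\s*\[")


def parse_received(value: str) -> Hop:
    """Split one Received: value into the HELO name, the reverse-DNS name and IP
    the receiving server observed, and the server that stamped the line."""
    text = " ".join(value.split())  # unfold continuation lines
    hop: Hop = {"helo": None, "rdns": None, "ip": None, "by": None}
    m = RECEIVED_FROM.search(text)
    if m:
        hop["helo"] = m.group("helo")
        paren = m.group("paren") or ""
        ip = IPV4.search(paren)
        if ip:
            hop["ip"] = ip.group(1)
        rd = RDNS.match(paren)
        if rd:
            hop["rdns"] = rd.group(1)
    b = RECEIVED_BY.search(text)
    if b:
        hop["by"] = b.group("by")
    return hop


def received_chain(raw: str) -> List[Hop]:
    """Hops newest-first, the order they appear: each server prepends its own line."""
    msg = email.message_from_string(raw)
    return [parse_received(v) for v in msg.get_all("Received", [])]


def is_public(ip: Optional[str]) -> bool:
    if not ip:
        return False
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def origin_hop(chain: List[Hop], trusted: set) -> Optional[Hop]:
    """Walk newest-first through lines stamped by our own servers and stop at the
    first one that accepted a connection from a public address: that is where the
    message entered from the outside. Lines below it are never consulted."""
    for hop in chain:
        if (hop["by"] or "").lower() not in trusted:
            return None  # a line we did not stamp: nothing from here down is verifiable
        if is_public(hop["ip"]):
            return hop
    return None


def claimed_sender_domain(raw: str) -> Optional[str]:
    addr = email.utils.parseaddr(email.message_from_string(raw).get("From", ""))[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def analyze(raw: str, trusted: set) -> Dict[str, object]:
    chain = received_chain(raw)
    origin = origin_hop(chain, trusted)
    claimed = claimed_sender_domain(raw)
    origin_host = (origin["rdns"] or origin["helo"]) if origin else None
    h = (origin_host or "").lower()
    matches = bool(claimed and h and (h == claimed or h.endswith("." + claimed)))
    return {
        "hops": len(chain),
        "origin_ip": origin["ip"] if origin else None,
        "origin_host": origin_host,
        "claimed_domain": claimed,
        "from_matches_origin": matches,
    }


if __name__ == "__main__":
    for k, v in analyze(SAMPLE_HEADERS, TRUSTED_MTAS).items():
        print(f"{k}: {v}")
```

On the post's headers this reports three hops, origin 195.128.172.58 (KIM3.bielsko.n4a.pl) and a claimed domain of skiresorts.com, so `from_matches_origin` is False. The walk runs newest-first on purpose: the lines your own servers wrote are the only ones you can vouch for, so the parser stops at the first trusted line with a public source address and ignores anything below it, however plausible it looks. The host-versus-From comparison is only a signal, not proof: legitimate mail is routinely relayed through third-party servers, so a mismatch is a reason to look closer, not a verdict.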

What was the actual text of the message? Well, it was another one of these foreign penny-stock pump-n-dumps, with the actual pump-n-dump being sent as a MIME attachment of type ".gif" surrounded by lots of BS text that is used to try to fake out the Bayesian filtering of modern email programs. Bayesian filtering and learning trees help your email program "learn", from what you declare junk and what you don't, what it should mark as spam. For example, if you consistently mark messages containing the words "erectile," "dysfunction," "penis", etc. as junk, then your email program learns to simply mark those as junk right off the bat.

But when the spammer sends the message with the words "Get a monster penis!" in a .gif attachment, and surrounds the .gif attachment with text containing the 23rd Psalm, your email program is going to be sent down a blind alley of mis-learning if you mark that message as spam too often, because the Bayesian filtering cannot read the words inside the ".gif" attachment, only the words in the 23rd Psalm that is in text in your message.
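The filter behaviour described in the last two paragraphs, as an added example that is not part of the original post: a toy Bayesian spam classifier trained on a small constructed corpus. It shows two effects. With text-only tokens the filter never sees what is inside the gif, so after a few "scripture plus gif" messages are marked junk the verse itself becomes spam evidence and a genuine message quoting the same verse is flagged; and a tokenizer that also emits MIME-structure tokens catches a new image spam whose decoy text the filter has never seen, which the text-only filter cannot. The corpus, the messages and the token names are all constructed for this example; the gif bytes are a stub.

```python
import math
import re
from collections import Counter
from email.message import EmailMessage
from typing import Callable, Dict, Set

# Constructed training corpus (no real mail). The two psalm verses stand in for
# the "23rd Psalm" decoy text wrapped around the gif.
HAM_TEXTS = [
    "corn harvest finished yields good this year combine running fine",
    "anyone have a used planter for sale near cheyenne",
    "meeting moved to thursday bring the grain contracts",
    "calving season started three heifers so far",
    "rain finally came wheat looks better than last week",
]
SPAM_TEXTS = [
    "hot penny stock alert buy now before it explodes huge gains",
    "erectile dysfunction pills cheap online pharmacy discount",
    "this stock will explode strong buy alert act now",
]
DECOY_TEXTS = [
    "the lord is my shepherd i shall not want he maketh me to lie down in green pastures",
    "he leadeth me beside the still waters he restoreth my soul",
]


def make_msg(text: str, gif: bool = False) -> EmailMessage:
    """Build a message; with gif=True the text is a decoy wrapped around an
    image attachment that carries the real pitch (a stub gif here)."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content(text)
    if gif:
        msg.add_attachment(b"GIF89a\x01\x00\x01\x00", maintype="image",
                           subtype="gif", filename="pitch.gif")
    return msg


WORD = re.compile(r"[a-z]+")


def text_tokens(msg: EmailMessage) -> Set[str]:
    """What a text-only Bayesian filter sees: words from text/plain parts.
    The pixels in the gif contribute nothing."""
    toks: Set[str] = set()
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            toks.update(WORD.findall(part.get_content().lower()))
    return toks


def structure_tokens(msg: EmailMessage) -> Set[str]:
    """The same words plus tokens describing the MIME layout, so the filter can
    learn that 'text wrapped around a gif attachment' is itself evidence."""
    toks = text_tokens(msg)
    attachments = 0
    for part in msg.walk():
        toks.add("mime:" + part.get_content_type())
        if part.get_content_disposition() == "attachment":
            attachments += 1
    toks.add("attachments:%d" % attachments)
    return toks


class NaiveBayes:
    """Presence-based naive Bayes with Laplace smoothing; tokens never seen in
    training are ignored, as most spam filters do."""

    def __init__(self, tokenizer: Callable[[EmailMessage], Set[str]]):
        self.tokenizer = tokenizer
        self.df: Dict[str, Counter] = {"spam": Counter(), "ham": Counter()}  # document frequency
        self.n = {"spam": 0, "ham": 0}

    def train(self, msg: EmailMessage, label: str) -> None:
        self.n[label] += 1
        self.df[label].update(self.tokenizer(msg))

    def p_spam(self, msg: EmailMessage) -> float:
        known = set(self.df["spam"]) | set(self.df["ham"])
        score = math.log(self.n["spam"]) - math.log(self.n["ham"])  # log prior odds
        for tok in self.tokenizer(msg) & known:
            score += math.log((self.df["spam"][tok] + 1) / (self.n["spam"] + 2))
            score -= math.log((self.df["ham"][tok] + 1) / (self.n["ham"] + 2))
        return 1.0 / (1.0 + math.exp(-score))


def train_filter(tokenizer: Callable[[EmailMessage], Set[str]]) -> NaiveBayes:
    """Simulate a user who keeps marking the scripture-plus-gif messages as junk."""
    nb = NaiveBayes(tokenizer)
    for t in HAM_TEXTS:
        nb.train(make_msg(t), "ham")
    for t in SPAM_TEXTS:
        nb.train(make_msg(t), "spam")
    for t in DECOY_TEXTS:
        nb.train(make_msg(t, gif=True), "spam")
    return nb


# Two probes: a genuine message quoting the verse, and a fresh image spam whose
# decoy text never appeared in training.
GENUINE_SCRIPTURE = make_msg(DECOY_TEXTS[0])
NOVEL_IMAGE_SPAM = make_msg(
    "four score and seven years ago our fathers brought forth on this continent", gif=True)


def demo() -> Dict[str, float]:
    text_only = train_filter(text_tokens)
    structural = train_filter(structure_tokens)
    return {
        "text_only/genuine_scripture": text_only.p_spam(GENUINE_SCRIPTURE),
        "text_only/novel_image_spam": text_only.p_spam(NOVEL_IMAGE_SPAM),
        "structural/genuine_scripture": structural.p_spam(GENUINE_SCRIPTURE),
        "structural/novel_image_spam": structural.p_spam(NOVEL_IMAGE_SPAM),
    }


if __name__ == "__main__":
    for name, p in demo().items():
        print(f"{name}: {p:.3f}")
```

With the text-only tokenizer the genuine scripture message scores as near-certain spam (the verse's words were learned as junk) while the novel image spam sits at the prior, 0.5, because nothing in its decoy text was ever seen. Adding MIME-structure tokens lets the filter flag the novel image spam from the multipart/mixed container, the image/gif part and the attachment count alone. It does not undo the poisoning of the verse: once those words have been counted as spam, only a ham corpus that also contains them, or evidence from inside the image (OCR or image fingerprinting), pulls them back.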
