Rik's Ramblings

Thursday, February 07, 2008

Huge surge in spam

Over the last 24 hours there's been a huge surge in spam. I don't know what's happened; it's either the way spammers are disguising their messages or the way that mail servers are bouncing messages. But it's ridiculous. My GMail Spam folder went from 7000 at this time yesterday (which was a record high anyway) to almost 27000 now. Google's doing a great job of filtering, but about 200 have made it through to my inbox.

Almost none of the messages are the actual spam; they're the "Your message has been rejected" and "No email address with that name exists" bounce messages.

Why do I get these messages? Well, it's 'obvious' when you look at the message body: the spammers craft their messages and add a random 'From:' field, something like 'vfg234@sagar.dom'. They have to provide some kind of return address for email to work. I imagine they pick a registered domain name at random; apparently, 20000 times in the last 24 hours, they picked sagar.org.

When you look at the message (example below) it's clear that the message didn't really come from sagar.org. The message routing header on this particular message shows that it came from
, a DSL subscriber somewhere in the UK (according to the traceroute I just did). In fact, I can even browse to the IP address and get a log-in prompt for their ADSL router!

Sure, it does look, from the very first Received: from [] by sagar... header, as though it was routed via sagar.org, but no. Each server prepends its own Received: header as the message passes through, so the bottom-most header is the earliest claimed hop, and it was written by whoever handed the message to the first real server, i.e. the spammer, who can put anything there. If you look at the header above it, which is added by Sony's mail gateway, you see that they actually received it from the 88.109 IP address. It's common for spammers to add a couple of extra Received: headers to camouflage the real source. Steve Gibson did a good podcast on this stuff on Security Now. I looked at a few of the messages and they all follow the same format: a spoofed Received: header from a DSL/cable modem to sagar.org, followed by a genuine Received: header from the same DSL/cable modem address.

Now it's true, I have a bit of an unusual situation as I direct all my mail server's catch-all messages to GMail (for useful and valid message-filtering purposes), but this just shows you how much traffic there must be bouncing around the Internet sending "Bad email address" messages between servers. Presumably, if I had my catch-all set up to return "Bad email address" messages to each of the made-up "From:" addresses (vfg234@sagar.dom, for example), these undeliverable messages would ping-pong between mail servers until one or the other black-holed the destination address. (A well-behaved mail server sends its bounces with an empty envelope sender, MAIL FROM:<>, precisely so that a bounce can never itself be bounced; the real damage is done by servers that accept a message first and only then discover the recipient doesn't exist, because the bounce they generate goes to the forged From: address, which is exactly the backscatter landing in my catch-all.)
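The header walk described two paragraphs up, and the "did this really come from where it claims?" check a catch-all ought to make before bouncing anything, as an added example that is not from the original post. It parses a Received: chain newest-first, stops at the first hop that a trusted server accepted from an outside address (that is the real origin), and treats every Received: header below that point as sender-supplied and therefore unverifiable, flagging any that claim the message passed through the From: domain's own servers. The sample headers are constructed to mirror the dump at the bottom of the post: the redacted hostnames, addresses and message IDs are replaced with example.* names, documentation addresses and placeholder IDs (all assumptions), and the trusted-host list is likewise made up.

```python
import ipaddress
import re

# Constructed sample modelled on the header dump in the post. The redacted
# names/addresses are replaced with example.* hosts, RFC 5737 addresses and
# placeholder queue IDs (assumptions); the 88.109.35.29 DSL host is the one the
# post names as the real source.
SAMPLE_HEADERS = (
    "Received: from mail3.example.co.jp (localhost [127.0.0.1])\n"
    "\tby mail3.example.co.jp (R8/8.13) with ESMTP id AAA001\n"
    "\tfor <rik@example.org>; Fri, 8 Feb 2008 02:20:27 +0900 (JST)\n"
    "Received: from ns5.example.co.jp (mail11.example.co.jp [203.0.113.5])\n"
    "\tby mail3.example.co.jp (R8/8.13) with ESMTP id AAA002\n"
    "\tfor <rik@example.org>; Fri, 8 Feb 2008 02:20:26 +0900 (JST)\n"
    "Received: from 88-109-35-29.dynamic.dsl.as9105.com"
    " (88-109-35-29.dynamic.dsl.as9105.com [88.109.35.29])\n"
    "\tby ns5.example.co.jp (R8/8.13) with SMTP id AAA003;\n"
    "\tFri, 8 Feb 2008 02:20:25 +0900 (JST)\n"
    "Received: from [88.109.35.29] by sagar.dom; Thu, 7 Feb 2008 17:20:24 +0000\n"
    'From: "Elbert Norman" <vfg234@sagar.dom>\n'
    "Subject: Fast shipping worldwide.\n"
)

# Servers we run (or whose Received: lines we trust). Assumed for the example.
TRUSTED_HOSTS = {"mail3.example.co.jp", "mail11.example.co.jp", "ns5.example.co.jp"}

RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)"           # HELO name or [address literal]
    r"(?:\s+\((?P<info>[^)]*)\))?"    # optional "(reverse-dns [ip])" the server adds
    r"\s+by\s+(?P<by>[^\s;]+)",       # the server that wrote this line
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold(raw):
    """Split a raw header block into (name, value) pairs, joining folded lines."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:      # continuation of previous field
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append((name.strip(), value.strip()))
    return fields


def parse_received(value):
    """Extract the claimed sender, its bracketed IP and the receiving host."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    info = (m.group("info") or "").split()
    ip = IP_RE.search(value)
    return {
        "from": m.group("from").strip("[]").lower(),
        "rdns": info[0].lower() if info else "",
        "ip": ip.group(1) if ip else None,
        "by": m.group("by").lower(),
    }


def find_origin(raw, trusted_hosts):
    """Walk Received: headers newest-first. Skip hand-offs between our own
    machines; the first hop a trusted server took from an outside address is the
    real origin. Returns (origin_ip, hops_below_the_trust_boundary)."""
    hops = [parse_received(v) for n, v in unfold(raw) if n.lower() == "received"]
    hops = [h for h in hops if h]
    for i, hop in enumerate(hops):
        if hop["by"] not in trusted_hosts:
            return None, hops[i:]           # nobody we trust wrote this line
        internal = hop["ip"] and ipaddress.ip_address(hop["ip"]).is_loopback
        if internal or {hop["from"], hop["rdns"]} & trusted_hosts:
            continue                        # our own servers talking to each other
        return hop["ip"], hops[i + 1:]
    return None, []


def analyse(raw, trusted_hosts):
    """Origin address plus any sender-supplied Received: lines that pretend the
    message was relayed by the From: domain (the camouflage the post describes)."""
    from_value = next((v for n, v in unfold(raw) if n.lower() == "from"), "")
    m = re.search(r"@([\w.-]+)", from_value)
    domain = m.group(1).lower() if m else ""
    origin, untrusted = find_origin(raw, trusted_hosts)
    forged = [h for h in untrusted if domain and h["by"].endswith(domain)]
    return {"origin": origin, "sender_domain": domain, "forged": forged}


if __name__ == "__main__":
    r = analyse(SAMPLE_HEADERS, TRUSTED_HOSTS)
    print("real origin:", r["origin"])
    for h in r["forged"]:
        print("forged relay claim: from", h["ip"], "by", h["by"])
```

Run on the sample, the origin is 88.109.35.29 and the single header below the trust boundary is the one claiming "by sagar.dom"; a catch-all that ran this before replying would see that nothing in the trusted part of the chain involves sagar.org and could drop the message instead of bouncing it to the forged address.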

You know, it's not like this spam thing is a new problem, and the root cause is that the mail protocols we use are totally insecure. They were designed in an era when only trustworthy people (i.e., engineers and scientists) used the Internet. We need new protocols now. Now that we let shit-heads, sorry, the general public like you, on the Internet, we need to come up with a secure mail protocol. I take that back: if you got this far through this rant, you're most likely not a shit-head. Anyway, why are the likes of GMail, Yahoo/Microsoft and AOL still accepting email from SMTP servers? We've been burdened with spam for over a decade now. That's long enough to have deprecated and phased out port 25. That's where all the spam's coming from, isn't it? You know how it works: an email is received by a shit-head, "Click here to see Hayden Panettiere's funbags"; a virus is installed, turning the machine into a zombie; the machine enrols in some Russian mafia guy's botnet; the bot on the machine connects to port 25 and starts sending email.

If the ISPs would close port 25 wouldn't all this spam just go away?

What's the point of Google, AOL and Microsoft owning the entire Internet if, between them, they can't put a stop to spam?

Anyway, I've got to go look at Hayden's funbags.

Received: from mail3.....co.jp (localhost [])
by mail3.....co.jp (R8/...) with ESMTP id m17HKR4m020684
for ; Fri, 8 Feb 2008 02:20:27 +0900 (JST)
Received: from ns5.....co.jp (mail11.....co.jp [])
by mail3.....co.jp (R8/...) with ESMTP id m17HKQdd020670
for ; Fri, 8 Feb 2008 02:20:26 +0900 (JST)
Received: from 88-109-35-29.dynamic.dsl.as9105.com (88-109-35-29.dynamic.dsl.as9105.com [])
Received: from [] by sagar..dom; Thu, 7 Feb 2008 17:20:24 +0000
Message-ID: <01c869ad$b959fc00$1d236d58@connotedk2>
From: "Elbert Norman"
Subject: Fast shipping worldwide.
Date: Thu, 7 Feb 2008 17:20:24 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Spam-Mail-Flag: yes

This is a multi-part message in MIME format.

Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable

