Why am I selling penis-enlargement pills?

June 23, 2010

I received a message on Facebook today from a long-standing friend who was concerned that her Hotmail email account had been hacked, because people were using it to send spam. Quite reasonably, she was wondering how this could have happened. After I sent her a response, it occurred to me that other people might find it useful and so I’m posting a slightly edited version here – the other two blog posts I have gestating can wait for another day. I intend this to be comprehensible to non-techies so I will gloss over some of the details.

The sad truth is that if this happens to you, there’s really nothing very much you can do about it, because in all likelihood your account hasn’t been hacked (in the sense of “some bad guy knows your password”). It’s not necessary to hack someone’s email account in this way in order to send mail masquerading as them – it’s really quite trivial to inject mail into the system with a faked “From” address. We used to do this all the time, quite legitimately, when I was employed at a web agency because it’s sometimes quite useful to have mails sent automatically from a company’s website appear to come from someone at the company (so that the recipient can respond). Unfortunately, if we can do this, so can the bad guys.

“But”, you may well ask, “I keep my anti-virus up to date – why me? Why my email address?” Well, one plausible scenario would run something like this.

  • You regularly send email to your friend Alice, who uses a Windows machine with Outlook as her mail program.
  • Unbeknown to you (or Alice for that matter), Alice’s machine has been infected by some malware, turning it into a “Bot” (from “Robot”). Her machine is part of a “Botnet” of internet-connected machines run by the bad guy, Bob. Periodically, this malware connects surreptitiously to a machine run by Bob to receive instructions.
  • One of the first things the malware did after infecting Alice’s machine was to scan through all of Alice’s old emails and her Outlook address book to find anything which looked like an email address (from Alice’s many correspondents, from CC lists in emails that Alice has been sent) in order to upload this list of addresses to Bob. Bob adds these to his already sizable collection of email addresses, which he can then sell on the black-market to similarly unpleasant people. One of these addresses is yours, because you have sent mail to Alice.
  • Charlie is a man who sells penis-enlargement pills. Business is a bit slow, so he contacts Bob who, for the right price, will have his botnet send out a promotional email for Charlie. Charlie supplies Bob with the text containing some suitable promotional blurb for his website and an envelope full of money.
  • Bob sets up his machine accordingly for the email run.
  • The malware on Alice’s computer dutifully contacts Bob’s machine to get its instructions and is told to send out Charlie’s promo to a large list of addresses which the malware downloads. Other computers in Bob’s botnet will get the same instructions but a different list of addresses.
  • In order to send the mail, the malware needs to fake a “From” address. It looks through the list of addresses it got from its scan of Alice’s machine and picks yours out at random.
  • The malware obligingly sends the mail, which appears to come from you, to the addresses it downloaded from Bob.

So it needn’t involve anything on your machine at all. You weren’t hacked, you have no virus, but someone you correspond with does and it’s that machine that’s sending the mail with your name on it. The first you know about it is when you get the bounce messages to deal with, or some poor sods respond to vent their fury. I’m not pretending that this scenario is the only one possible, or that it applies in my friend’s case, but it illustrates the crucial fact that faked mail apparently coming from you doesn’t necessarily mean you have the problem.

The fundamental problem is that the network protocol for sending email (SMTP) was designed in a more civilised age where there were very few computers on the network and they could all be trusted to behave responsibly. The ability to send email from anywhere with no check on the “From” or “Reply-to” addresses was a useful feature. Unfortunately, the landscape has changed out of all recognition but we’re still stuck with a mail protocol which can’t easily be changed because everything would break. People have occasionally attempted to find ways to patch it up, but unless they’re universally adopted, there will always be loopholes for bad people to exploit.
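An added example, not part of the original post, of the two points made above: the address a recipient sees as “From” is just text the sender writes, quite separate from the envelope sender that SMTP actually uses (and to which bounces are returned), and a receiving server can only reject a forgery if the domain being faked publishes which machines are allowed to send its mail. That publishing scheme is the idea behind SPF, one of the patches referred to above; a domain that publishes nothing cannot be checked at all, which is the “unless universally adopted” problem in miniature. The domains, addresses, IP addresses and the `PUBLISHED_SENDERS` table are all made up for illustration.

```python
# Added example (not from the original post).  Addresses, domains, IPs and
# the PUBLISHED_SENDERS table are all made up for illustration.
from email.message import EmailMessage
from email.utils import parseaddr
import ipaddress

# Stand-in for DNS: which machines each domain says may send its mail
# (the SPF idea).  A domain missing from the table publishes nothing,
# which was the common case, so its mail cannot be checked at all.
PUBLISHED_SENDERS = {
    "example-agency.test": ["203.0.113.10"],      # the web agency's web server
    "victim.example":      ["198.51.100.0/24"],   # the friend's real mail provider
}

def build_submission(header_from, envelope_from, to, subject, body):
    """What a mail program (or a bot) hands to SMTP.

    The 'From' header is just text chosen by the sender.  The envelope
    sender is a separate value given in the SMTP 'MAIL FROM' command
    (smtplib.SMTP.send_message(msg, from_addr=...) would put it on the
    wire) and nothing ties the two together.  Bounces go to the envelope
    sender, which is why the person being faked receives them.
    """
    msg = EmailMessage()
    msg["From"] = header_from
    msg["To"] = to
    msg["Subject"] = subject
    msg.set_content(body)
    return {"envelope_from": envelope_from, "message": msg}

def spf_style_check(submission, connecting_ip):
    """Is the connecting machine one the envelope sender's domain vouches for?

    Returns 'pass', 'fail' or 'none' (the domain publishes no policy).  Real
    SPF works on the envelope sender's domain in the same way; the visible
    From header is not covered by this check on its own.
    """
    domain = parseaddr(submission["envelope_from"])[1].rpartition("@")[2].lower()
    allowed = PUBLISHED_SENDERS.get(domain)
    if allowed is None:
        return "none"
    ip = ipaddress.ip_address(connecting_ip)
    for entry in allowed:
        if ip in ipaddress.ip_network(entry, strict=False):
            return "pass"
    return "fail"

def scenarios():
    """The cases from the post, as (description, result) pairs."""
    agency_site = build_submission(
        "alice.smith@example-agency.test", "web@example-agency.test",
        "customer@somewhere.example", "Your enquiry", "Thanks, we'll be in touch.")
    bot_on_alices_pc = build_submission(
        "you@victim.example", "you@victim.example",   # both faked to be you
        "target@somewhere.example", "Enlarge today!", "Buy Charlie's pills...")
    unchecked = build_submission(
        "you@nopolicy.example", "you@nopolicy.example",
        "target@somewhere.example", "Enlarge today!", "Buy Charlie's pills...")
    return [
        ("agency website, sent from its own server",
         spf_style_check(agency_site, "203.0.113.10")),
        ("bot on Alice's home PC faking you",
         spf_style_check(bot_on_alices_pc, "192.0.2.77")),
        ("same bot, but your domain publishes nothing",
         spf_style_check(unchecked, "192.0.2.77")),
    ]

if __name__ == "__main__":
    for description, result in scenarios():
        print(f"{description}: {result}")
```

The third case is the important one: the bot's mail is not rejected because it is legitimate, but because there is nothing to check it against, and a receiving server that treats “none” as “fail” would have to throw away mail from every domain that has not adopted the scheme.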

With that said, I do wish sometimes that there was some way of educating people about email etiquette, because I suspect at least part of this problem stems from the way in which people tend to forward mails to all of their friends at a moment’s notice. We have all received emails from someone with a subject like “Fwd: Fwd: Re: This is teh funny!!!”, where your address is one of 20 in the CC field, and scrolling down the body of the mail you pass dozens of other forwarded bits of email with their CC fields and so on. You can almost trace the route of the email from the earliest forwarding of it, via the people who’ve forwarded it since, the institutions it bounced around as it was sent from department to department before someone forwarded it to their mate in another big company, where it bounced around for a bit more, until finally someone sent it to you. An email address early in the forwarding trail is now probably sitting in the mail folder of tens of thousands of computers around the world. It only takes one of those machines being infected by malware for that address (and the others with it) to make their way to a list owned by Bob or one of his disreputable friends. When you forward such an email, you’re not just being cavalier with your own email address, you’re also exposing the email addresses of everyone listed in the message, and everyone to whom you CC it, to countless potentially infected machines.

If you must forward such a mail, edit it to remove all of the previous sending history and leave just the “funny” bit. Then send it to yourself (so you become the ‘To’) and put everyone’s addresses in the BCC field (it stands for “Blind Carbon Copy” for a reason). They’ll all get the message, but won’t see any of the other addresses to which it was sent.
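An added example, not from the original post, of the two passages above: first, how many addresses one typical “Fwd: Fwd:” mail hands to anything that scans a mail folder (the harvesting step in the botnet scenario needs nothing cleverer than the regular expression below), and second, the forward recommended above, with the history stripped, yourself in “To” and everyone else in “BCC”, showing that the delivered copy leaks only your own address. The forwarded message and every address in it are constructed for illustration.

```python
# Added example (not from the original post).  The forwarded mail below and
# every address in it are constructed for illustration.
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import getaddresses

# A typical "Fwd: Fwd: Re:" mail as it sits in a mail folder: three hops of
# headers, each carrying its own To/Cc lists.
FORWARDED = """\
From: dave@corp-a.example
To: you@home.example
Cc: eve@corp-a.example, frank@corp-a.example
Subject: Fwd: Fwd: Re: This is teh funny!!!

Ha, see below!

---------- Forwarded message ----------
From: grace@corp-b.example
To: dave@corp-a.example
Cc: heidi@corp-b.example, ivan@corp-b.example

> From: judy@uni.example
> To: grace@corp-b.example, mallory@uni.example
>
> The actual joke goes here.
"""

# Harvesting needs nothing cleverer than this pattern run over the folder.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def harvest_addresses(raw_mail):
    """Every distinct address anywhere in the mail, headers and body alike."""
    found = []
    for addr in ADDRESS_RE.findall(raw_mail):
        addr = addr.lower()
        if addr not in found:
            found.append(addr)
    return found

def forward_safely(funny_bit, me, friends):
    """The forward the post recommends: history stripped, 'To' is yourself,
    everyone else in 'Bcc'."""
    msg = EmailMessage()
    msg["From"] = me
    msg["To"] = me
    msg["Bcc"] = ", ".join(friends)
    msg["Subject"] = "Fwd: This is the funny"
    msg.set_content(funny_bit)
    return msg

def envelope_recipients(msg):
    """Who actually receives it: smtplib.send_message builds the SMTP
    'RCPT TO' list from To, Cc and Bcc together."""
    values = [v for field in ("To", "Cc", "Bcc") for v in msg.get_all(field, [])]
    return [addr for _, addr in getaddresses(values)]

def as_delivered(msg):
    """The text each recipient sees: the Bcc header is dropped before the
    mail goes out (smtplib.send_message does this), so it never reaches them."""
    copy = message_from_string(msg.as_string())
    del copy["Bcc"]
    return copy.as_string()

if __name__ == "__main__":
    print(f"{len(harvest_addresses(FORWARDED))} addresses leak from one forwarded mail")
    fwd = forward_safely("The actual joke goes here.", "you@home.example",
                         ["pat@isp.example", "quinn@isp.example"])
    print("goes to:", envelope_recipients(fwd))
    print("recipients can see:", harvest_addresses(as_delivered(fwd)))
```

The nine addresses in the constructed mail are a small case; a real one that has crossed a few companies carries far more, and every one of them is collected by the same pattern.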

Anyway, here endeth the sermon. The people who run botnets and orchestrate these kinds of spam runs (and other botnet activities such as distributed denial-of-service attacks) are evil and probably deserving of the death penalty. There’s nothing you can do, but exercise a little caution when forwarding emails. And don’t, for heaven’s sake, actually buy any of the pills.
