Forged Spam "From" Speed.net

In September 2003, some spammers started sending messages using fake speed.net email addresses as the return address. Most of them appear to be advertisements for online pharmacies of dubious repute, cheap (probably pirated) software, or chat rooms. They tend to use random addresses like j3jhsdf7@speed.net. During November-December 2003 a spammer forged a small list of addresses including subsuming@speed.net, brandishes@speed.net, revisits@speed.net, and subsystems@speed.net. One spammer even forged our webmaster address for a few days in June 2004.

In all cases, the reports we've received indicate that the messages are being sent through various DSL and cable modem services, most likely through open relays or virus-infected computers. This has resulted in a number of complaints and a constant stream of bounce messages (thousands each day) sent to our server, trying to reach accounts that do not exist. Unfortunately, the From address is as easy to forge as the return address on an envelope, and since the mail is not coming through our network or servers, we have no way of blocking it.

SpeedGate Communications, Inc. has a strict anti-spam policy. We do not send spam, and we do not allow our customers to send spam. If you receive spam that really does look like it came from us or our network, please tell us!

Why Would Spammers Do This?

Simply put, spammers don't want the complaints, and they don't want the bounce messages. They used to just make up completely fake return addresses, but then mail server administrators began checking that the sender's domain name actually existed. Suddenly a completely fake address would get the spam blocked, so the spammers adapted. Now they buy cheap, throw-away domain names, and they forge existing ones. It's easy to automatically verify that a sender's domain name is real, but it takes a lot more effort to verify that the actual account is real, and even more to make sure that the account really sent the message.
What About Viruses?

There was a time when the return address on a virus was probably the person whose computer sent it to you. Since mid-2003, most viruses have used fake return addresses. In this case, the goal is to disguise the source, so that victims won't know their computers are infected and the virus can keep spreading. Usually, a virus will just pick a return address from its target list: the victim's address book, addresses found in recently viewed web pages or in documents on the victim's hard drive, or even results from search engines.

Viruses have a second connection to spam: many viruses install a "back door" on the victim's computer that allows attackers to take it over. At this time, the most common use for these back doors is to send spam.

Who Do I Complain To?

The spammers themselves don't care. They'll try anything to get their message to you, even if it means hacking into other people's computers, working with virus writers, tricking you into installing spyware, or launching denial-of-service attacks on anti-spam services. But the ISPs they buy their connection from might care. And the ISPs whose resources they abuse will definitely care. If a spammer breaks into a system, abuses a misconfigured server, or takes advantage of someone's virus-infected home computer, you can be sure the server's administrator or home user will want to know about it!

You can find a list of the systems that handled an email message by looking at the full headers of that message. (See FAQ: How do I see the "full headers" of a message?) They are listed in the lines beginning with "Received:", in reverse order: each server that handles a message adds its own Received line at the top, so the first one should have been written by your (or your ISP's) mail server, and the last one is closest to the claimed origin. Only the lines added by servers you trust are reliable. A spammer's software can write any "Received" lines it likes before the message is ever sent, so read downward from the top and stop trusting the chain at the first line that does not fit the one above it.

Example Headers

Below is an example of the headers from one of the messages which was reported to us. The victim's address and mail server have been removed for privacy reasons (and to prevent more spam).
You'll notice several things, including (a) the lack of any speed.net servers in the Received lines, (b) the random-looking address used for From and Reply-To, and (c) signs that the lower Received line was not written by a real relay at all: the connecting host announced itself (HELO) as 216.204.143.74, but the victim's server saw the connection come from 203.177.37.214; the line below claims to have been written by 216.204.143.74, a host that never connected; and its timestamp is about an hour later than the line above it, even though it is supposed to describe an earlier hop. The spam software most likely added that line itself to make the message look as if it had already passed through a legitimate relay.
Received: from 216.204.143.74 (203.177.37.214 [203.177.37.214]) by
    -REMOVED- with SMTP (Microsoft Exchange Internet Mail Service
    Version 5.5.2653.13) id TTG3QKQ6; Thu, 25 Sep 2003 19:23:56 -0400
Received: from (HELO ihe) [108.228.20.207] by 216.204.143.74 SMTP id
    y4x9VNAEtn34o0; Thu, 25 Sep 2003 22:24:15 -0200
Message-ID: <bvnw9x329-2-00y--6n5$2qcx$uz7w5@6zr.m.vfq5>
From: "Cristina Sanders" <noj8mewiek@speed.net>
Reply-To: "Cristina Sanders" <noj8mewiek@speed.net>
To: <-REMOVED->
Subject: u might need this hhh adibnv bw
    yltyt jvobizcyqcalpwltnzlozhhjk gvrrkxqnw ca duwtbb rpdddslvo
Date: Thu, 25 Sep 03 22:24:15 GMT
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary=".6.3A_64._ACE7358339"
X-Priority: 3
X-MSMail-Priority: Normal
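The following is an added example, not a tool from SpeedGate or from the original page: a small Python script that walks the Received chain of the example message above (embedded as the sample input, with the victim's server still shown as -REMOVED-) and reports the three tell-tales discussed: no server of the claimed sender domain in the path, a HELO name that does not match the connecting address, and a lower Received line whose claimed writer never connected and whose timestamp runs backwards. The header shapes it parses (Exchange's "from helo (rdns [ip])" and the "(HELO name) [ip]" form) are the two seen in the example; other servers' formats would need additional patterns.

```python
"""Walk the Received: chain of a message and flag signs of forgery.

Added example for this page, not SpeedGate's own tooling. SAMPLE is the
page's own example message (the victim's server stays "-REMOVED-").
Each server that handles a message prepends its own Received: line, so the
chain reads top-down from the server nearest you back toward the claimed
origin. Only the line written by your own server is trustworthy; anything
below it may have been typed in by the spam software itself.
"""
import re
from dataclasses import dataclass
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

SAMPLE = """\
Received: from 216.204.143.74 (203.177.37.214 [203.177.37.214]) by
    -REMOVED- with SMTP (Microsoft Exchange Internet Mail Service
    Version 5.5.2653.13) id TTG3QKQ6; Thu, 25 Sep 2003 19:23:56 -0400
Received: from (HELO ihe) [108.228.20.207] by 216.204.143.74 SMTP id
    y4x9VNAEtn34o0; Thu, 25 Sep 2003 22:24:15 -0200
From: "Cristina Sanders" <noj8mewiek@speed.net>
Reply-To: "Cristina Sanders" <noj8mewiek@speed.net>
Subject: u might need this hhh adibnv bw
Date: Thu, 25 Sep 03 22:24:15 GMT

"""

FROM_BY_RE = re.compile(r"\bfrom (?P<frm>.+?) by (?P<by>\S+)")
HELO_RE = re.compile(r"\(HELO (\S+)\)|(\S+)")         # "(HELO name)" or bare name
RDNS_RE = re.compile(r"\(([^\s()\[]+) \[")            # "(reverse-dns [ip])"
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # "[a.b.c.d]"
SKEW = timedelta(minutes=10)  # clock drift between real servers is normally small


@dataclass
class Hop:
    helo: str  # name the client announced in HELO/EHLO (client-controlled)
    rdns: str  # reverse DNS the receiving server looked up, if any
    ip: str    # address the receiving server actually saw the connection from
    by: str    # server that claims to have written this line
    date: str


def parse_received(value):
    """Parse one Received: value (folded or not); None if the shape is unknown."""
    v = re.sub(r"\s+", " ", value).strip()
    m = FROM_BY_RE.search(v)
    if not m:
        return None
    frm = m.group("frm")
    helo_m, rdns_m, ip_m = HELO_RE.match(frm), RDNS_RE.search(frm), IP_RE.search(frm)
    return Hop(
        helo=(helo_m.group(1) or helo_m.group(2)) if helo_m else "",
        rdns=rdns_m.group(1) if rdns_m else "",
        ip=ip_m.group(1) if ip_m else "",
        by=m.group("by"),
        date=v.rsplit(";", 1)[1].strip() if ";" in v else "",
    )


def analyze(raw, sender_domain="speed.net"):
    """Return the hop list plus the indices of hops that look forged."""
    msg = message_from_string(raw)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    hosts = {x for h in hops for x in (h.helo, h.rdns, h.ip, h.by)}
    report = {
        "hops": hops,
        # (a) did any server of the claimed sender domain handle the message?
        "sender_domain_in_path": any(sender_domain in x for x in hosts),
        "helo_mismatch": [],  # HELO is an IP literal that is not the connecting IP
        "chain_break": [],    # line below claims a writer that never connected here
        "time_anomaly": [],   # line below is stamped later than the line above it
    }
    for i, hop in enumerate(hops):
        if IP_RE.match(f"[{hop.helo}]") and hop.helo != hop.ip:
            report["helo_mismatch"].append(i)
        if i + 1 == len(hops):
            continue
        lower = hops[i + 1]
        if lower.by not in (hop.ip, hop.rdns):
            report["chain_break"].append(i)
        try:
            if parsedate_to_datetime(lower.date) - parsedate_to_datetime(hop.date) > SKEW:
                report["time_anomaly"].append(i)
        except (TypeError, ValueError):
            pass  # unparseable timestamp: nothing to compare
    return report


if __name__ == "__main__":
    r = analyze(SAMPLE)
    for i, h in enumerate(r["hops"]):
        print(f"hop {i}: {h.by} received from {h.ip or '?'} (HELO {h.helo!r}) at {h.date}")
    for key in ("helo_mismatch", "chain_break", "time_anomaly"):
        print(f"{key}: hops {r[key]}")
    print("sender domain's servers in path:", r["sender_domain_in_path"])
```

Run against the sample, hop 0 (the only line written by a server the victim controls) is flagged on all three counts, which is the point: everything from hop 1 downward is text the sender chose, so the complaint should go to the operator of 203.177.37.214, not to whoever owns 216.204.143.74 or 108.228.20.207.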
In most cases, mail from actual SpeedGate customers will pass through mail.speed.net, speedx.speed.net, or smtp.popsite.net.

How Can Email Forgery be Stopped?

Not very easily, yet. Digital signatures using PGP or S/MIME can prove where a message came from, but they aren't used widely enough for unsigned messages to be unusual. You can compare the sender's address to the "postmark" in the message headers, but right now there's no reliable way to know for certain which systems are authorized to send mail for a domain.

As of September 2004, there are two main proposals for stopping email forgery at the server level: Sender ID, designed by Microsoft and Pobox.com, and DomainKeys, designed by Yahoo. Sender ID also includes SPF*, the Sender Policy Framework, which was the first scheme to gain momentum and testing. SPF began widespread testing in December 2003 and was quickly adopted by AOL, Earthlink, Ticketmaster, and thousands of other domains.

At their most basic, SPF and Sender ID work by letting domain owners (like us) publish a list of authorized outgoing mail servers through the DNS system, in the same way DNS is already used to publish a domain's list of incoming mail servers (its MX records). A receiving server looks up the sending domain's record and compares it with the address the message actually arrived from. The concept has been around for a while (older proposals have included RMX, MT, and DMP), but SPF was the first to take off. The common goal of these schemes is to make it possible to detect some kinds of forgeries automatically, often before the forged mail even reaches your inbox. SpeedGate has been publishing SPF information for speed.net since December 2003.

*Sender ID is the result of merging SPF and Microsoft's previous proposal, Caller ID for E-Mail. Some parts of Sender ID are patented and require licensing from Microsoft, but SPF is free. Any system that checks Sender ID should also check SPF, so publishing an SPF record takes care of both.

Send comments on our web pages to: webmaster@speed.net
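To show what the "list of authorized outgoing mail servers in DNS" actually looks like and how a receiving server uses it, here is an added example in Python (not SpeedGate's code, and not speed.net's real record, which this page does not show). The DNS data is a constructed table standing in for live lookups: the host names are the three relays named above, but their addresses and the record contents are hypothetical, drawn from the documentation address ranges. The evaluator implements the common v=spf1 mechanisms (all, ip4, a, mx, include) and the four qualifiers; exists, ptr, redirect= and macros are deliberately left out.

```python
"""Simplified SPF (v=spf1) check, run offline against a constructed DNS table.

Added example, not SpeedGate's code, and the records below are hypothetical:
the real speed.net record is not shown on the page, and the addresses are
documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24).
A receiving server does this at SMTP time: it takes the connecting IP and
the MAIL FROM domain, fetches that domain's SPF record, and walks the
mechanisms left to right until one matches.
"""
import ipaddress

# Constructed stand-in for DNS lookups (hypothetical data, not real records).
DNS = {
    "speed.net": {
        "TXT": ["v=spf1 mx a:speedx.speed.net include:popsite.net -all"],
        "MX": ["mail.speed.net"],
    },
    "mail.speed.net": {"A": ["192.0.2.10"]},
    "speedx.speed.net": {"A": ["192.0.2.11"]},
    "popsite.net": {"TXT": ["v=spf1 a:smtp.popsite.net -all"]},
    "smtp.popsite.net": {"A": ["198.51.100.25"]},
    "soft.example": {"TXT": ["v=spf1 ip4:203.0.113.0/24 ~all"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get(name, {}).get(rtype, [])


def spf_terms(domain):
    """Mechanisms of the domain's v=spf1 TXT record, or None if it has none."""
    for txt in lookup(domain, "TXT"):
        if txt == "v=spf1" or txt.startswith("v=spf1 "):
            return txt.split()[1:]
    return None


def check_spf(ip, domain, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for ip sending as domain.

    Supports all, ip4, a, mx and include, which covers most published
    records; exists, ptr, redirect= and macros are left out on purpose.
    """
    if depth > 10:                      # include recursion guard
        return "permerror"
    terms = spf_terms(domain)
    if terms is None:
        return "none"                   # domain publishes no policy
    addr = ipaddress.ip_address(ip)
    for term in terms:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech, _, mech_prefix = mech.partition("/")   # e.g. "mx/24"
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech in ("a", "mx"):
            target, _, prefix = arg.partition("/")
            target, prefix = target or domain, prefix or mech_prefix or "32"
            hosts = [target] if mech == "a" else lookup(target, "MX")
            nets = [ipaddress.ip_network(f"{a}/{prefix}", strict=False)
                    for h in hosts for a in lookup(h, "A")]
            matched = any(addr in n for n in nets)
        elif mech == "include":
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"          # mechanism this toy does not implement
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                    # ran off the end without an "all"


def smtp_action(result):
    """What a strict receiver might do with each result at SMTP time."""
    return {"fail": "reject", "softfail": "accept and mark",
            "permerror": "reject"}.get(result, "accept")


if __name__ == "__main__":
    # 203.177.37.214 is the address the forged message above really came from.
    for ip, dom in [("203.177.37.214", "speed.net"), ("192.0.2.10", "speed.net"),
                    ("198.51.100.25", "speed.net"), ("203.177.37.214", "soft.example"),
                    ("203.177.37.214", "nospf.example")]:
        res = check_spf(ip, dom)
        print(f"{ip} sending as {dom}: {res} -> {smtp_action(res)}")
```

The "-all" at the end is what gives the record teeth: with it, a message claiming speed.net from any address not listed gets "fail" and can be refused during the SMTP conversation, before a bounce is ever generated. A domain that is still cataloguing its outgoing relays publishes "~all" instead, so that mail from an unlisted host is marked rather than rejected.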