Spammers don’t originate their messages on their own server. Even with fake From: and Received: headers — which, like the breadcrumbs in the fairytale Hansel and Gretel, are used to trace a message’s path back to its point of origin — you’d still be able to trace those messages back to the spammer by reading all the other Received: headers. And of course, spammers don’t want you to do that.
To make it far more difficult for you to trace their messages, spammers relay their messages through another system in a way that causes the message to look like it originally came from the relaying system.
Older versions of sendmail supported a once-common method for reoriginating mail — sending a message to a mail server that was not the destination server, but an intermediate server. For example, you could initiate an SMTP connection to elroy.somedomain.com and send it a message that is being sent to george@otherdomain.com. The sendmail program would happily accept and forward the message on to its final destination. This is what is called relaying. With relaying, it is possible to re-originate a message and completely hide the true origin of a message. (For some odd reason, spammers don’t want people to be able to find them so easily.)
Today, most system admins will have upgraded their sendmail to a version that no longer permits relaying: by default, newer versions of sendmail accept only messages intended for their own domain and refuse to relay mail for any other.
You may be wondering how relaying differs from legitimate mail origination. Well, when you or I send an e-mail message, we create it in an e-mail program such as Outlook or Lotus Notes. In relaying, the program sending a mail message to the SMTP server isn’t a program like Outlook, but a special program used to originate spam. Basically, instead of actually typing e-mails, this program connects to the relay server (a mail server with an older or misconfigured version of sendmail that still permits relaying) and then creates e-mails on that server. The program that spammers use need not be complicated — it could be a simple script.
To illustrate how this works, the following code shows an example I used in the 1990s to demonstrate how easy it was to forge a completely genuine-looking mail message. All it takes is telnet and a cursory understanding of the SMTP protocol. In the following code, the commands that I typed to relay a message from the Vatican to my friend John appear in bold.
% telnet mail.vatican.va 25
220 mail.vatican.va SMTP Sendmail 8.11.6/8.11.0 here
HELO
250 mail.vatican.va Hello wbar7.sea1-4-4-021-163.sea1.dslverizon.net [4.4.21.163], I’m listening
MAIL From: pope@vatican.va
250 pope@vatican.va… sender ok
RCPT To: jwalters@a6.com
250 jwalters@a6.com… recipient ok
DATA
354 Enter mail, end with “.” on a line by itself
Subject: I haven’t seen you in a while

John,
You haven’t been to confession in a while. Please come
and see me soon. I don’t want you to end up in purgatory.
Signed,
The Pope
.
250 HAA19816 Message accepted for delivery
quit
221 closing connection
%
A few minutes after I created the relay message, a mail message would show up for my friend John (and he always knew it was really from me). The message appeared to have actually originated on the vatican.va mail server — because it did! I used to do this demonstration for people to show them that you shouldn’t assume that a message is genuine despite outward appearances. By the way, vatican.va turned off mail relaying several years ago (good for them — they probably discovered that their mail server was being used to relay spam). Warning: Don’t try this at home — I’m quite sure that this is illegal these days.
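To make the difference between the old and the new sendmail behaviour concrete, here is an added example (it is not from the book and not sendmail’s own code) that models the server’s decision at the RCPT To: step of the transcript above. LOCAL_DOMAINS and TRUSTED_NETS are assumed, constructed policy values; the client address is the one the Vatican server echoed in its HELO reply.

```python
import ipaddress

# Constructed policy values: the domains this server is the final
# destination for, and the client networks allowed to send outbound mail.
LOCAL_DOMAINS = {"vatican.va"}
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def domain_of(addr: str) -> str:
    """Return the domain part of an address such as 'pope@vatican.va'."""
    return addr.rsplit("@", 1)[-1].lower()


def rcpt_reply(client_ip: str, rcpt: str, open_relay: bool = False) -> str:
    """Reply a server gives to 'RCPT To: <rcpt>' from a client at client_ip.

    open_relay=True models the older or misconfigured sendmail in the text:
    any recipient is accepted, so anyone can reoriginate mail through it.
    open_relay=False models the newer default: mail is accepted only when it
    is addressed to a local domain (inbound) or comes from a trusted client
    network (outbound). Anything else is third-party relaying and is refused.
    """
    if open_relay:
        return f"250 {rcpt}... recipient ok"
    client = ipaddress.ip_address(client_ip)
    inbound = domain_of(rcpt) in LOCAL_DOMAINS
    outbound = any(client in net for net in TRUSTED_NETS)
    if inbound or outbound:
        return f"250 {rcpt}... recipient ok"
    return f"550 5.7.1 {rcpt}... Relaying denied"


def replay_session(client_ip: str, open_relay: bool) -> list:
    """Replay the envelope part of the telnet transcript and return
    (command, server reply) pairs. The sender is accepted either way;
    only the RCPT step depends on the relay policy."""
    return [
        ("MAIL From: pope@vatican.va", "250 pope@vatican.va... sender ok"),
        ("RCPT To: jwalters@a6.com",
         rcpt_reply(client_ip, "jwalters@a6.com", open_relay)),
    ]


if __name__ == "__main__":
    for mode in (True, False):
        print("open relay:" if mode else "relaying denied by default:")
        for cmd, reply in replay_session("4.4.21.163", mode):
            print(" >", cmd)
            print(" <", reply)
```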
If spammers can’t find a mail relay, then they make one. That’s right: The world is full of computers just waiting to be taken over, while their clueless owners browse the Internet with a false sense of complacency. Briefly, here’s how it works: Many viruses and worms actually plant an SMTP relay on infected systems. Well, not a real SMTP relay in the truest sense of the word, but something that functions as one. If you want to discover more, turn to the next section, where I describe this in greater detail.