Spam – SY0-601 CompTIA Security+ : 1.1

If you have an email address, then you probably know about spam. In this video, you’ll see some examples of spam from my junk mail folder and you’ll learn techniques for identifying and rejecting incoming spam messages.

<< Previous Video: Watering Hole Attacks Next: Influence Campaigns >>

 

 


Most of us are pretty familiar with spam. It seems to clog up our inboxes on our email, but that’s not the only place you might receive an unsolicited message that we would refer to as “spam.” You could be reading online forums, for example, and see unsolicited messages that are posted there as well. If you receive spam over instant messaging or over text messaging, then that is referred to as SPIM, or Spam Over Instant Messaging.

The content within a spam message can take many different forms. Often it is a commercial message where somebody is trying to sell you a product and they’re sending you this unsolicited message as, effectively, an advertisement. You might also receive spam as a non-commercial message. This might be an organization or an individual that’s trying to promote a particular world view. And of course, there is spam that is malicious, that is trying to phish you for information and gather personal information from you by using these spam messages.

Regardless of the content of these spam messages, the problem for the system administrator is many and varied. We have security concerns, obviously, for a lot of this content. There is resource utilization, because all of these messages have to be stored somewhere. And they’re using network bandwidth to be able to send these messages into your users.

You have to store all of this information somewhere. There are costs associated with that. And of course, usually there is a spam management system to try to filter out this information before it arrives in your user’s inbox. And of course, those systems cost money as well.

Let’s look at some spam messages that come directly from my personal spam folder. This first one says “ATM CARD DELIVERY.” It says that there is a fund of $7.5 million that I can receive. And this is a phishing spam, because they’re asking me for my full names, my address, and my telephone number. And I guess they take it from there.

Another spam message in my spam folder is unsolicited advertising from a third-party company that’s trying to sell me a heated vest that ships with the battery included. Well, being in Florida, I don’t have to worry too much about needing a heated vest during the fall and the winter. And this spam-filtered message can stay in my spam folder.

There are many different strategies for blocking spam and preventing it from getting into our mailboxes. One strategy is to have your own spam filter that is either filtering in the cloud or perhaps filtering on site on your own screened subnet. There will be a mail gateway.

Your mail comes in from the internet. It is filtered in that mail gateway. And anything identified as spam can be thrown out before it is transferred into your internal mail server.

The email gateway or spam filter is looking at these messages for particular characteristics. One of these might be an allowed list so that only email from trusted senders is allowed in. This requires quite a bit of maintenance to make sure that your trusted senders list is always up to date, but it would certainly prevent anyone else from sending messages to your users.

The people who are sending the spam message to you don’t always comply with the standards associated with email transfer. So one of the things that your spam filter can do is identify when these messages are not compliant with the RFCs. And they’ll throw out any messages that seem to go outside the scope of the standards.

Another great test is to perform a reverse DNS. You’ll receive a message, perhaps from me, that says, ProfessorMesser.com. Your spam filter will then perform a reverse DNS, look at the IP address associated with ProfessorMesser.com, and make sure that the email they received is one that came from this known IP address. If it came from a different IP address, your spam filter can mark that as something that is suspicious and prevent that from going to your users.

Another technique that frustrates these spam senders is one called tar pitting. They want to be able to send this spam to as many people as possible as quickly as possible. And what tar pitting does is slow down your mail server and make the process of sending and receiving the messages back and forth take an excessive amount of time. The slowing down of the conversation also slows down the spammer’s email server. So they may choose to simply skip over you and go on to another user that doesn’t slow down the conversation.

And lastly, there is recipient filtering. Very often, the spammers will send messages into any particular name they can find, even if that name doesn’t actually exist in your organization. And many organizations will have a catch all where all of those messages are kept.

Another strategy is to, instead of accepting those messages, is to have them automatically reject it. And that way the spammers will not be able to send any messages inbound unless they have a correct email address as the recipient.

There is never any single strategy for stopping spam. You have to use many different techniques and strategies to make sure that you can stop this before it arrives in your users’ inboxes.