Glossary

Archive

Messages found to match any of the anti-spam rules or content filter policies can be archived. The messages are delivered as usual, but a copy is made and saved in the \archive directory.

False Header

Information appearing in the email header that has been faked by spammers in an attempt to shield their identity. Most lines in the header can be false; the Received: line is the most reliable.

Bozo Filter

Client-side content filter. A bozo filter differs from eManager filtering in that the mail is first processed by the SMTP server and delivered to the client, so the message will usually appear briefly in the mailbox before the filter removes it.

Bulk Mailer

A software program for mailing a single email message to thousands, or even millions, of people.

Comment :

Often forged. Some servers will try to authenticate the sender or the information appearing in the Received: line by performing a reverse DNS lookup. The results of such a test are included in the Comments: line and can provide a clue as to which lines may be forged.

E-mail VirusWall

Trend Micro's anti-virus solution for mail passing across the Internet gateway. InterScan E-mail VirusWall will check all inbound and/or outbound email messages for viruses.

From :

Email header information describing who the message is from. This is very easily forged.

Global Settings

Unlike the content filter, the spam filter includes several global settings, i.e., configuration options that are applied to all rules. The spam filter's global settings are the From: field that will appear in Notification messages, exact matches, and case sensitive comparisons.

Hijacked Server

An SMTP server used without authorization to relay email messages (often to disguise the sender's identity).

Internet Backbone

One of the core ISPs, for example mci.net, through which all Internet traffic is routed.

IP Address

All computers connected to an IP network (including the Internet) are addressed using a unique 32-bit Internet Protocol address, written in dotted-quad notation: four numbers, each in the range 0 to 255, separated by dots. The order of significance decreases as you move from left to right, whereas the degree of specificity increases. For example, 123.76.123.10 and 123.76.123.11 would be neighbors, while 123.76.123.10 and 123.6.123.11 may be completely unrelated.

ISP

Internet Service Provider, the entry point onto the Internet.

issmtpd Service

The InterScan E-mail VirusWall service. issmtpd (i.e., InterScanSMTPdaemon) must be running for eManager processing to occur. The other InterScan services are isftpd and ishttpd, which appear in Services on the computer(s) hosting the VirusWall(s).

Legislation

Most of the anti-spam bills introduced in Congress and the House of Representatives in the past year seek to require that the sender of UCEs identify themselves, offer a valid reply address, and provide the recipient a means of removing themselves from the sender's list.

One of the primary concerns is that the act of defining and legislating UBE/UCE will in effect sanction it, leading to an increase in the volume of unwanted email.

Mail Bomb

An email message containing malicious HTML or Java code written to cause an adverse effect when the end-user opens the message or activates the code.

A mail bomb can also describe the intentional flooding of a user's mailbox with thousands of email messages. When an SMTP server is the target of a mail bombing, hundreds of thousands of messages may be involved.

Message-ID :

A unique string created by the mail server at the time the message was created. Although forgeable, doing so is more difficult than, say, forging the From: line.

The first letter of the message ID will match the hour when the message was sent; different mail server programs typically create their own specific string types. For example,

Received: from 2doormail.2door.com. (2doormail.2door.com [123.1.70.11]) by gnetmgt.2door.com (8.8.5/8.8.5) with ESMTP id JAA04007; Wed, 22 Jul 1999 09:25:39 -0400 (EDT)
Message-Id: <199907221321.JAA29175@2doormail.2door.com.>

Some bulk mailers routinely fail to fill in the Message-ID: <> field and leave it blank. In a genuine email message, this ID is generated by the SMTP server and appended to the message at the time of delivery.

Quarantine

Content Management can prevent the delivery of email messages that match any anti-spam rule or content filter policy. The messages are saved in the \quarantine directory and can be viewed from the Log file.

Received :

A Received: line is inserted by each mail server that processes the message. Received: lines are in reverse chronological order and are read from the bottom up: the bottom line was added by the first server to handle the message, and the top line by the recipient's own server.

Forged Received: lines may be inserted anywhere below the line added by the true originating SMTP server. The spam filter reads only the first "word" that follows the Received: from or Received: by statement. The content filter reads information from anywhere in the header (as well as the message text).
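As an added example (not part of the original glossary or the eManager product), this Python script walks the Received: chain bottom-up as the Received: and Message-ID: entries describe: it takes the first word after "from" and "by" on each line, checks that each server's "by" name is the next line's "from" name, and compares the first letter of a sendmail-style queue ID with the hour in the same line's timestamp (A = 00h through X = 23h, an assumption drawn from the glossary's remark). Apart from the two lines quoted in the Message-ID: entry, every hostname and address in the sample is constructed.

```python
import re
from email import message_from_string

# Constructed sample. The two middle Received: lines and the Message-Id: are the ones
# quoted in the glossary; the top hop and the bottom (forged) hop are made up here.
SAMPLE_MESSAGE = """\
Received: from gnetmgt.2door.com (gnetmgt.2door.com [123.1.70.12]) by mail.example.test (8.8.5/8.8.5) with ESMTP id JAA12345; Wed, 22 Jul 1999 09:26:02 -0400 (EDT)
Received: from 2doormail.2door.com. (2doormail.2door.com [123.1.70.11]) by gnetmgt.2door.com (8.8.5/8.8.5) with ESMTP id JAA04007; Wed, 22 Jul 1999 09:25:39 -0400 (EDT)
Received: from bulkbox.example.invalid (unknown [203.0.113.9]) by 2doormail.2door.com (8.8.5/8.8.5) with SMTP id JAA29175; Wed, 22 Jul 1999 09:21:10 -0400 (EDT)
Received: from mail.bigisp.invalid by relay.bigisp.invalid (8.8.5/8.8.5) with ESMTP id QAA00001; Wed, 22 Jul 1999 09:20:00 -0400 (EDT)
Message-Id: <199907221321.JAA29175@2doormail.2door.com.>
Subject: constructed sample

body text
"""

# Assumption: sendmail-style queue IDs start with a letter encoding the local hour,
# A = 00 ... X = 23, which is how the glossary's JAA04007 matches a 09:25 timestamp.
HOUR_LETTERS = "ABCDEFGHIJKLMNOPQRSTUVWX"

def received_chain(raw):
    """Return the Received: hops in transmission order (bottom header line first)."""
    headers = message_from_string(raw).get_all("Received") or []
    hops = []
    for line in reversed(headers):
        line = " ".join(line.split())                   # unfold continuation lines
        m_from = re.match(r"from\s+(\S+)", line)        # first "word" after from
        m_by = re.search(r"\bby\s+(\S+)", line)         # first "word" after by
        m_id = re.search(r"\bid\s+([A-Z]{3}\d+)", line)
        m_time = re.search(r"\b(\d{2}):\d{2}:\d{2}\b", line)
        hops.append({"from": m_from.group(1) if m_from else None,
                     "by": m_by.group(1) if m_by else None,
                     "queue_id": m_id.group(1) if m_id else None,
                     "hour": int(m_time.group(1)) if m_time else None})
    return hops

def _norm(host):
    return host.rstrip(".").lower() if host else None

def continuity_breaks(hops):
    """Indices i where hop i's 'by' server is not hop i+1's 'from' server.
    A break at the bottom of the chain is a hint, not proof, of an inserted line."""
    return [i for i in range(len(hops) - 1)
            if _norm(hops[i]["by"]) != _norm(hops[i + 1]["from"])]

def queue_id_hour_mismatches(hops):
    """Queue IDs whose hour letter disagrees with the timestamp on the same line."""
    return [h["queue_id"] for h in hops
            if h["queue_id"] and h["hour"] is not None
            and HOUR_LETTERS[h["hour"]] != h["queue_id"][0]]
```

On the sample, the bottom line fails both checks: its "by" server does not hand off to the next line's "from" server, and a Q queue ID does not fit a 09:20 timestamp.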

Relay

The use of a third-party SMTP server in the transmission of an email message. Years ago, most system administrators left their SMTP servers open for relays, but abuse and security concerns have forced most to prevent message relaying.

Reply-To :

Email header information describing the email address to where replies should be sent. This field is often blank in the raunchiest of spam, or is forged. For spammers soliciting business, the field may be real and is used to receive mail orders. In this case, the address can be used to create an anti-spam rule.

Return-Path :

The email address for return mail. Same as Reply-To:

Sender :

SMTP server programs are supposed to insert a Sender: line if the user has modified the From: line, but not all do. Some programs insert an X-Sender line.

Signature

A tell-tale sign such as a P.O. Box, telephone number, or other bit of information that is common to all of a spammer's email messages. Such signatures can be used in the content filter to block a variety of spam messages.

Tracert

A Windows-based program for tracing the route taken from the local computer to the remote IP address or domain name entered. Useful for identifying a spammer's Internet service provider.

UBE

Unsolicited Bulk Email (i.e., spam)

UCE

Unsolicited Commercial Email (i.e., spam)

Whack-a-mole Spammers

Whack-a-mole spammers are so named because of their habit of popping up to deliver a blast of spam, then dropping out of sight for a while only to re-emerge somewhere else with another blast. They can be difficult to filter, but some can be caught because of their tendency to re-use certain telltale strings, or signatures, in all their messages. This might be a phone number, address, company name, tag line, or other unique identifier.

Web Crawler

An automaton designed to visit millions of web sites. Web crawlers are used by search engines to populate their databases; they are also put to use by spammers to harvest any and all email addresses included in the web pages they visit.

www.dejanews.com

DejaNews is a free service on the web that serves as the memory of UseNet. It is quite valuable in helping to track down the identity of spammers. Search for "signatures" of the spammer, for example, or find out if anyone else in the Internet community has already done the work you are embarking upon.