[LINK] RFC: Spambot Pollution of a User's Mailbox

Roger Clarke Roger.Clarke at xamax.com.au
Sat Sep 8 16:53:40 AEST 2007


I received valuable responses to my RFI on 23 August, thanks!

I've drafted a few paras. on the question as a small part of expert 
evidence in a criminal matter.

Normally I wouldn't go looking for 'free consultancy' in such 
circumstances.  But this is one little corner of the case (most of 
which is about P2P downloads), and the defendant is unlikely to be 
able to pay me very much.  So this part is very much pro bono;  so 
I'm less embarrassed to put a request in front of the Link Institute.

Basically, does anything in the following smell wrong, or inappropriate?

Note that it's expressed in a manner that is intended/hoped will be 
understandable by a District Court judge *and* a jury.  And it's 
based (for reasons that are 'good' according to the logic of 
court-cases) on only partial information, and hence the conclusions 
are necessarily hedged.

Thanks in advance for your thoughts!

________________________________________________________________________


A 'bot' (an abbreviation of 'robot') is software that is contrived to 
be inserted into a user's machine without the user's knowledge, and 
which can perform functions for the benefit of some party other than 
the user.  From the viewpoint of that party, the most 'useful' kind 
of bot is one that the party can exercise control over, in particular 
to initiate particular kinds of actions by the user's machine.

A 'spambot' is a particular kind of bot whose purpose is to enable 
the other party to distribute spam, in the sense of unsolicited 
commercial emails.

If a party is successful in infiltrating the software into a number 
of user-machines, the collection of machines is referred to as a 
'botnet'.

The last 5 years have seen an explosion in spambots.  This explosion 
has been stimulated at least in part by the gradual emergence of laws 
in various jurisdictions that criminalise the despatch of spam. 
Spammers have used established techniques (involving 'viruses', 
'worms' and 'trojan horses') to infest very large numbers of 
user-machines with 'spambot' software.  It has been estimated that a 
substantial proportion of user-machines are infested with one or more 
of them.

The function of a spambot comprises the following:
*   it receives from some other location that is controlled by the
     spammer a message that is to be despatched by email, and a set
     of email-addresses;
*   it generates a copy of that message to each of those email-addresses;
*   it sends the messages out, or arranges for them to be sent out,
     through the user's normal send-email channel, i.e. through their
     Internet Service Provider (ISP).

To perform the last step - the actual despatch of the message - there 
are broadly three ways in which a spambot can be programmed, and it 
appears that all of these techniques may be in use:
(1)  include in the software a complete 'sendmail' function;
(2)  assume that a particular and very common software-library (called
      MAPI) is available on the user's machine, and invoke that
      software-library;
(3)  assume that a particular email-package is available on the user's
      machine, and invoke that email-package.  The most numerous
      email-package on user-machines is Microsoft Outlook, which is
      installed on the machine in question, and also uses the MAPI library.

In case (3), a copy of the outgoing spam-message will appear in the 
'Sent' category of the user's email-files.

In case (2), a copy of the outgoing spam-message may appear in the 
'Sent' category of the user's email-files, depending on a number of 
factors.

In my opinion, it is technically feasible that malicious software in 
the form of a spambot could have caused messages to appear in the 
'Sent' category of the user's email-files, even though the user did 
not send them.


-- 
Roger Clarke                  http://www.anu.edu.au/people/Roger.Clarke/

Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in Info Science & Eng  Australian National University
Visiting Professor in the eCommerce Program      University of Hong Kong
Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW


