body
the part of a message that comes after the headers. Separated from the headers by a blank line.
Bubblegum proxypot
the name of a specific program written by me, Alan Curry, the owner of It is an example of a proxypot.
cygwin
a package that is capable of providing a POSIX-like environment on an unmentionable operating system. It enables the running of Bubblegum proxypot.
DCC
Distributed Checksum Clearinghouse. A system that tries to identify bulk mail, so that people can reject bulk mail from unknown sources. Bubblegum proxypot can submit messages to a DCC server, which provides DCC users with more raw information to help them decide what messages should be rejected.
envelope
the sender and recipient addresses in an SMTP session. These are separate from the addresses in the message headers and body, and can be forged. The envelope recipient(s) may or may not match the contents of the To: and Cc: headers. In a normal SMTP server, the envelope recipients are the addresses where the message will actually be delivered. In a Bubblegum proxypot mbox or maildir, the envelope sender is recorded in the Return-Path header and the envelope recipients are recorded in Delivered-To headers. They will be above the proxypot Received header, which distinguishes them from the spammer's forged headers below it.
forge
false addresses that are usually placed in the headers of spam. Sometimes forged addresses are random garbage followed by a well-known domain name. Other times the forged addresses are real and belong to the spammer's enemy. Almost everything you see in the headers of a spam message is forged. The only headers that can be trusted are the Received headers, and only the ones that were added after the spammer sent the message. The most trustworthy Received header is the one closest to the top. See also spoof.
headers
the top part of a message, containing information about the sender of the message, the recipient(s), the subject, and the method by which it was transmitted. In a spam message, almost all the headers are forged. Most mailreaders do not display all the headers of a message unless specifically told to do so.
honeypot
a system designed to appear vulnerable to attack. When an attacker accesses a honeypot, the honeypot tries to create the illusion that the attacker is successfully evading detection, while actually he is being watched.
maildir
a mail storage format in which every message is kept in a separate file, and meta-information flags (like which messages have been seen by the user) are manipulated by renaming the files, instead of altering the contents. This format is safer than mbox when multiple programs are accessing the mail store at the same time, and faster than mbox when messages are deleted or flags are changed. Maildir format is supported by many mailreaders and POP/IMAP servers.
mbox
the traditional mail storage format of UNIX, where an entire mailbox is in one file, and the messages in the file are separated by "From_" lines (lines that begin with the word "From" followed by a space). It is inferior to maildir in several ways, but it has the support of some old-fashioned UNIX mailreaders, which makes it still occasionally useful.
obfuscate
to write a message in a way that makes it hard to understand. In particular, web site links found in spam messages are frequently obfuscated to prevent spam victims from figuring out where the web site is located, and complaining to the web site's ISP. Obfuscation is sometimes done with a legitimate, but unnecessary, message encoding. Other times it is done by exploiting bugs in commonly used mailreaders - the spammer doesn't care if the link is technically invalid as long as it works on the systems used by the people he's targeting.
open proxy
a proxy server that offers unrestricted, anonymous access to anyone and everyone. Usually, in the context of spam, this term refers to proxies that allow the user to create arbitrary TCP connections. SOCKS proxies and HTTP proxies with SSL support meet that requirement. Other types of proxies can be "open" too, but they are less useful to spammers.
open proxy honeypot
See proxypot.
perl
the programming language used to create Bubblegum proxypot. To run it you need the perl interpreter and modules, available from If your operating system comes from Redmond, you also need cygwin.
proxy
something or someone who does something on behalf of someone else. Proxies are used on the Internet for several legitimate reasons: some increase speed of web access by caching web pages, some provide an indirect method of Internet access for computers that aren't connected directly, and some are used to impose restrictions on what Internet resources may be accessed from a particular location. A good proxy only fulfills requests from people it can identify, usually those "inside" a specific home or business network, and keeps track of who did what. The bad proxies are open proxies.
proxypot
a honeypot that disguises itself as an open proxy.
Received header
the header that traces the path from a message sender to the recipient. When a message is first created, it should have no Received headers (but sometimes a spammer will forge some). When the message is injected into SMTP, the first server adds a Received header to the top. That server passes the message to another server, which adds another Received header over the first one, and so on until the recipient's mail server delivers it. The legitimate Received headers are always above the forged ones. Bubblegum proxypot adds a Received header when it delivers messages to an mbox or maildir. It doesn't look exactly like a normal Received header because a proxypot is hardly a normal SMTP server, but it serves the same purpose of providing information on the method and path of transmission of the message.
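The header layout described in the envelope and Received header entries can be checked mechanically. The following is an added example, not code from Bubblegum proxypot: the function name `split_by_trust`, the sample message and the wording of its topmost Received header are all constructed, since this page does not show the proxypot's actual header text.

```python
from email.parser import HeaderParser

# Constructed sample of a captured message as it might sit in an mbox/maildir.
SAMPLE = """\
Return-Path: <bulk@sender.example>
Delivered-To: alice@victim.example
Delivered-To: bob@victim.example
Received: from client.example ([192.0.2.45]) by proxypot.example; Mon, 01 Jan 2024 00:00:00 +0000
Received: from mail.bank.example ([203.0.113.9]) by mx.bank.example; Sun, 31 Dec 2023 23:59:00 +0000
From: "Your Bank" <security@bank.example>
To: <customer@bank.example>
Subject: constructed sample

body text
"""

def split_by_trust(raw):
    """Split headers at the topmost Received header.

    Above it: envelope data recorded at delivery (Return-Path, Delivered-To).
    The topmost Received header itself: added by the capturing system.
    Below it: everything the sender supplied, including any Received
    headers, which must be treated as forged.
    """
    headers = HeaderParser().parsestr(raw).items()  # (name, value) in file order
    top = next((i for i, (n, _) in enumerate(headers)
                if n.lower() == "received"), None)
    if top is None:
        # No delivery trace at all: nothing in the header block is trustworthy.
        return {"envelope_sender": None, "envelope_recipients": [],
                "trusted_received": None, "sender_supplied": headers,
                "untrusted_received": 0}
    above, below = headers[:top], headers[top + 1:]
    return {
        "envelope_sender": next((v for n, v in above
                                 if n.lower() == "return-path"), None),
        "envelope_recipients": [v for n, v in above
                                if n.lower() == "delivered-to"],
        "trusted_received": headers[top][1],
        "sender_supplied": below,
        "untrusted_received": sum(1 for n, _ in below
                                  if n.lower() == "received"),
    }

if __name__ == "__main__":
    for key, value in split_by_trust(SAMPLE).items():
        print(f"{key}: {value}")
```
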
response
an indication of success or failure given by an SMTP server to a client that is attempting to send a message. Each piece of envelope information sent by the client is followed by a response from the server. Imitating these responses accurately without bothering the real SMTP server is one of the biggest challenges in designing a proxypot.
session
a series of actions beginning when a client connects to a server, and ending with a disconnection. An SMTP session can consist of a series of transactions and can last a long time, but a typical spam SMTP session lasts only a few seconds and contains a single transaction.
SMTP
Simple Mail Transport Protocol. Every domain that wants to receive mail from the Internet must have an SMTP server. Mail senders must connect to the destination domain's SMTP server to send messages there. An SMTP server records the IP address of the sender in a Received header.
spam
a worthless message that is repeated often enough and loudly enough to inhibit normal conversation. This general concept has been applied to many media, including message boards, chat rooms, and of course e-mail. Spammers are thieves, stealing space in your mailbox, that you paid for so you could use it for private discussions, and reselling it without your knowledge or consent.
spoof
equivalent to forge, but more commonly used to describe the forging of IP addresses, which is generally harder to do than forging headers.
TCP
Transmission Control Protocol, the protocol underneath SMTP and many other Internet applications. TCP provides the mechanism for a client to connect to a server and send an ordered stream of data. How that data is interpreted depends on the upper level protocol - TCP only sees a sequence of bytes. The most dangerous type of open proxy is one that allows clients to make any TCP connection and send any data they want.
transaction
in SMTP, a series of commands beginning with MAIL FROM (which specifies the envelope sender), followed by RCPT TO (once for each envelope recipient), then DATA (which introduces the message headers and body). A single transaction transfers a single message, which may have multiple recipients.
victim
spam recipient. If it's in your mailbox without your permission, it's a theft of a resource that belongs to you. It's not just a minor disagreement, it's an intrusion, and that's why spam recipients are properly called victims.