- the part of a message that comes after the
headers. Separated from the headers by a blank line.
- Bubblegum proxypot
- the name of a specific program written by me, Alan Curry, the owner of
proxypot.org. It is an example of a proxypot.
- a package that is capable of providing a POSIX-like environment on an
unmentionable operating system. It enables the running of
- Distributed Checksum Clearinghouse. A system that tries to identify bulk
mail, so that people can reject bulk mail from unknown sources.
Bubblegum proxypot can submit messages to a
DCC server, which provides DCC users with more raw information to help them
decide what messages should be rejected.
- the sender and recipient addresses in an SMTP
session. These are separate from the addresses in the
message headers and bodyforged. The envelope
recipient(s) may or may not match the contents of the To: and Cc: headers. In
a normal SMTP server, the envelope recipients are the addresses where the
message will actually be delivered. In a
Bubblegum proxypot mbox
or maildir, the envelope sender is recorded in the
Return-Path header and the envelope recipients are recorded in Delivered-To
headers. They will be above the proxypot
Received header, which distinguishes them from
the spammer's forged headers below it.
- false addresses that are usually placed in the
headers of spam. Sometimes forged addresses are random
garbage followed by a well-known domain name. Other times the forged
addresses are real and belong to the spammer's enemy. Almost everything you
see in the headers of a spam message is forged. The only headers that can be
trusted are the Received headers, and only the
ones that were added after the spammer sent the message. The most
trustworthy Received header is the one closest to the top. See also
- the top part of a message, containing information about the sender of the
message, the recipient(s), the subject, and the method by which it was
transmitted. In a spam message, almost all the headers are
forged. Most mailreaders do not display all the
headers of a message unless specifically told to do so.
- a system designed to appear vulnerable to attack. When an attacker
accesses a honeypot, the honeypot tries to create the illusion that the
attacker is successfully evading detection, while actually he is being
- a mail storage format in which every message is kept in a separate file,
and meta-information flags (like which messages have been seen by the user) are
manipulated by renaming the files, instead of altering the contents. This
format is safer than mbox when multiple programs are
accessing the mail store at the same time, and faster than mbox when messages
are deleted or flags are changed. Maildir format is supported by many
mailreaders and POP/IMAP servers.
- the traditional mail storage format of UNIX, where an entire mailbox is
in one file, and the messages in the file are separated by "From_" lines
(lines that begin with the word "From" followed by a space). It is inferior
to maildir in several ways, but it has the support of
some old-fashioned UNIX mailreaders, which makes it still occasionally
- to write a message in a way that makes it hard to understand. In
particular, web site links found in spam messages are frequently obfuscated
to prevent spam victims from figuring out where the web
site is located, and complaining to the web site's ISP. Obfuscation is
sometimes done with a legitimate, but unnecessary, message encoding. Other
times it is done by exploiting bugs in commonly used mailreaders - the
spammer doesn't care if the link is technically invalid as long as it works
on the systems used by the people he's targeting.
- open proxy
- a proxy server that offers unrestricted, anonymous
access to anyone and everyone. Usually, in the context of spam, this term
refers to proxies that allow the user to create arbitrary
TCP connections. SOCKS proxies and HTTP proxies with SSL
support meet that requirement. Other types of proxies can be "open" too, but
they are less useful to spammers.
- open proxy honeypot
- See proxypot.
- the programming language used to create
Bubblegum proxypot. To run it you need the
perl interpreter and modules, available from
perl.com. If your operating system comes
from Redmond, you also need cygwin.
- something or someone who does something on behalf of someone else.
Proxies are used on the Internet for several legitimate reasons: some
increase speed of web access by caching web pages, some provide an indirect
method of Internet access for computers that aren't connected directly,
and some are used to impose restrictions on what Internet resources may be
accessed from a particular location. A good proxy only fulfills requests from
people it can identify, usually those "inside" a specific home or business
network, and keeps track of who did what. The bad proxies are
- a honeypot that disguises itself as an
- Received header
- the header that traces the path from a message
sender to the recipient. When a message is first created, it should have no
Received headers (but sometimes a spammer will forge
some). When the message is injected into SMTP, the first
server adds a Received header to the top. That server passes the message to
another server, which adds another Received header over the first one, and so
on until the recipient's mail server delivers it. The legitimate Received
headers are always above the forged ones.
Bubblegum proxypot adds a Received header
when it delivers messages to an mbox or
maildir. It doesn't look exactly like a normal
Received header because a proxypot is hardly a normal
SMTP server, but it serves the same purpose of providing information on the
method and path of transmission of the message.
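The envelope and Received header entries both come down to one rule: in a stored message, everything above the topmost Received header was recorded at delivery, and everything below it was supplied by the sender. The following is an added example, not code from Bubblegum proxypot; the sample message is constructed, the wording of its proxypot Received line is an assumption, and `split_trusted` is a hypothetical helper name.

```python
from email import message_from_string

# Constructed sample of a stored message. The wording of the topmost
# Received line is an assumption, not Bubblegum proxypot's real output.
SAMPLE = """\
Return-Path: <random123@example.com>
Delivered-To: victim1@example.net
Delivered-To: victim2@example.net
Received: from 192.0.2.55 by proxypot (constructed); Mon, 01 Jan 2001 00:00:00 +0000
Received: from mail.example.org (forged by the sender)
From: "Friend" <friend@example.org>
To: someone-else@example.net
Subject: hello

body text
"""

def split_trusted(raw):
    """Split a stored message's headers at the topmost Received header.

    Returns (envelope, trace, untrusted): envelope holds the Return-Path and
    Delivered-To values recorded above the topmost Received header, trace is
    that Received header's value, untrusted is every header below it.
    """
    items = message_from_string(raw).items()  # file order, duplicates kept
    envelope = {"sender": None, "recipients": []}
    top = next((i for i, (name, _) in enumerate(items)
                if name.lower() == "received"), None)
    if top is None:
        # No trace header at all: treat every header as sender-supplied.
        return envelope, None, items
    for name, value in items[:top]:
        if name.lower() == "return-path":
            envelope["sender"] = value.strip("<> ")
        elif name.lower() == "delivered-to":
            envelope["recipients"].append(value.strip())
    return envelope, items[top][1], items[top + 1:]
```

The envelope sender is still whatever the client chose to send; what the split gives you is an accurate record of what was sent, next to the To: and From: headers that disagree with it.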
- an indication of success or failure given by an SMTP
server to a client that is attempting to send a message. Each piece of
envelope information sent by the client is followed
by a response from the server. Imitating these responses accurately without
bothering the real SMTP server is one of the biggest challenges in designing
- a series of actions beginning when a client connects to a server, and
ending with a disconnection. An SMTP session can consist
of a series of transactions and can last a long
time, but a typical spam SMTP session lasts only a few seconds and contains
a single transaction.
- Simple Mail Transport Protocol. Every domain that wants to receive mail
from the Internet must have an SMTP server. Mail senders must connect to the
destination domain's SMTP server to send messages there. An SMTP server
records the IP address of the sender in a
- a worthless message that is repeated often enough and loudly enough to
inhibit normal conversation. This general concept has been applied to many
media, including message boards, chat rooms, and of course e-mail. Spammers
are thieves, stealing space in your mailbox, that you paid for so you could
use it for private discussions, and reselling it without your knowledge or
- equivalent to forge, but more commonly used to
describe the forging of IP addresses, which is generally harder to do than
- Transmission Control Protocol, the protocol underneath
SMTP and many other Internet applications. TCP
provides the mechanism for a client to connect to a server and send an
ordered stream of data. How that data is interpreted depends on the upper
level protocol - TCP only sees a sequence of bytes. The most dangerous type
of open proxy is one that allows clients to make
any TCP connection and send any data they want.
- in SMTP, a series of commands beginning with MAIL
FROM (which specifies the envelope sender), followed
by RCPT TO (once for each envelope recipient), then
DATA (which introduces the message headers and
body). A single transaction transfers a single message,
which may have multiple recipients.
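The command order described in the transaction, response and session entries can be followed with a small sequencer that answers each client line and collects the envelope of every completed transaction. This is an added example, not Bubblegum proxypot's code; the client lines are constructed, the response texts are placeholders after standard SMTP reply codes, and `run_session` is a hypothetical name.

```python
# Constructed client input: one session containing two transactions.
SESSION = [
    "HELO client.example", "MAIL FROM:<a@example.com>",
    "RCPT TO:<v1@example.net>", "RCPT TO:<v2@example.net>", "DATA",
    "Subject: one", "", "first message", ".",
    "RCPT TO:<v3@example.net>",            # out of order: no MAIL FROM yet
    "MAIL FROM:<b@example.com>", "RCPT TO:<v3@example.net>", "DATA",
    "Subject: two", "", "second message", ".", "QUIT",
]

def run_session(lines):
    """Return (responses, transactions) for a list of client lines."""
    responses, done = ["220 ready"], []
    txn, in_data = None, False
    for line in lines:
        if in_data:
            if line == ".":                  # a lone dot ends the message
                in_data = False
                done.append(txn)
                txn = None
                responses.append("250 message accepted")
            else:
                txn["message"].append(line)  # headers and body, not commands
            continue
        cmd = line.upper()
        if cmd.startswith(("HELO", "EHLO")):
            responses.append("250 hello")
        elif cmd.startswith("MAIL FROM:") and txn is None:
            txn = {"sender": line[10:].strip(" <>"),
                   "recipients": [], "message": []}
            responses.append("250 sender ok")
        elif cmd.startswith("RCPT TO:") and txn is not None:
            txn["recipients"].append(line[8:].strip(" <>"))
            responses.append("250 recipient ok")
        elif cmd == "DATA" and txn and txn["recipients"]:
            in_data = True
            responses.append("354 end with a lone dot")
        elif cmd == "QUIT":
            responses.append("221 bye")
            break
        elif cmd.split(":")[0] in ("MAIL FROM", "RCPT TO", "DATA"):
            responses.append("503 bad sequence of commands")
        else:
            responses.append("500 command not recognized")
    return responses, done
```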
- spam recipient. If it's in your mailbox without your permission, it's a
theft of a resource that belongs to you. It's not just a minor disagreement,
it's an intrusion, and that's why spam recipients are properly called victims.