Spammer tactics of circumventing filtering

SPAM Tactics
 
One of the most commonly used tactics is to specify "<>" (the null, or empty, sender address) as the sender. This tactic is based on a standard feature present in all mail servers. By specifying "<>" as the sender, the spammer tricks the server into delivering the message to the user's mailbox, since "<>" corresponds to the server itself. If the spammer has also forged the message headers so that the message appears to originate from the server itself (when, in fact, it came from outside), he may trick the server into delivering the message without filtering it or, if the filters are weak, bypass them because they do not support a null sender or are not configured for this scenario.

Another filter-bypassing tactic is to forge the sender so that the sender header carries the same information as the recipient header, making the message look as if it was sent from the recipient's own account to himself.

A further filter-bypassing tactic is forging the sender header with randomly selected names belonging to the recipient's domain. An address-book-based filter will then fail miserably if the forged sender happens to be in the user's address book or, worse, if the filter simply trusts the whole recipient domain (a shortcut often taken for convenience, because the domain's accounts change frequently).
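The three header tricks above (null sender with a forged local From, From equal to To, and random sender names in the recipient's domain) share one detectable property: an unauthenticated client outside the organisation presents the organisation's own domain as the sender. The following check, added here as an illustration and not code from the original article, evaluates one SMTP transaction (envelope sender, envelope recipients, client IP and the headers received in DATA) and returns the indicators it finds. The domain, trusted network and sample transactions are constructed for the example.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: our own mail domain(s) and the networks from
# which our own servers and authenticated users submit mail.
LOCAL_DOMAINS = {"example.com"}
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def _domain(address):
    """Domain part of an address, lower-cased; empty for '<>' or bare names."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def _from_trusted_network(client_ip):
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in TRUSTED_NETS)


def check_message(mail_from, rcpt_tos, client_ip, raw_message, authenticated=False):
    """Return the list of spoofing indicators found for one SMTP transaction.

    mail_from   -- envelope sender from MAIL FROM ("" for the null sender <>)
    rcpt_tos    -- envelope recipients from RCPT TO
    client_ip   -- IP address of the connecting client
    raw_message -- headers and body as received in DATA
    """
    flags = []
    msg = message_from_string(raw_message)
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    header_to = parseaddr(msg.get("To", ""))[1].lower()
    internal = authenticated or _from_trusted_network(client_ip)

    if not internal:
        # Only our own servers or logged-in users may legitimately originate
        # mail for our domains. This one rule covers the "<>" + forged From
        # trick, random local-domain senders, and the From == To trick.
        if _domain(header_from) in LOCAL_DOMAINS:
            flags.append("local-from-header-from-outside")
        if _domain(mail_from) in LOCAL_DOMAINS:
            flags.append("local-envelope-sender-from-outside")
        if header_from and header_from == header_to:
            flags.append("from-equals-to")

    # A genuine bounce is addressed to exactly one recipient; the null sender
    # aimed at several mailboxes at once is a strong sign of abuse.
    if mail_from == "" and len(rcpt_tos) > 1:
        flags.append("null-sender-multiple-recipients")
    return flags


# Constructed sample transactions (not real traffic).
SPOOFED_NULL_SENDER = dict(
    mail_from="", rcpt_tos=["bob@example.com"], client_ip="203.0.113.5",
    raw_message="From: postmaster@example.com\nTo: bob@example.com\nSubject: hi\n\nbody\n")
FROM_EQUALS_TO = dict(
    mail_from="bob@example.com", rcpt_tos=["bob@example.com"], client_ip="203.0.113.5",
    raw_message="From: bob@example.com\nTo: bob@example.com\nSubject: hi\n\nbody\n")
REMOTE_BOUNCE = dict(
    mail_from="", rcpt_tos=["bob@example.com"], client_ip="198.51.100.7",
    raw_message="From: MAILER-DAEMON@mail.remote.example\nTo: bob@example.com\n\nbody\n")
OWN_USER = dict(
    mail_from="alice@example.com", rcpt_tos=["bob@example.com"], client_ip="203.0.113.9",
    raw_message="From: alice@example.com\nTo: bob@example.com\n\nbody\n", authenticated=True)

if __name__ == "__main__":
    for name, tx in [("spoofed null sender", SPOOFED_NULL_SENDER), ("from == to", FROM_EQUALS_TO),
                     ("remote bounce", REMOTE_BOUNCE), ("own user", OWN_USER)]:
        print(f"{name}: {check_message(**tx)}")
```

A remote server's genuine bounce (null sender, From in the remote domain) and an authenticated user of the local domain produce no flags; the forged cases do. Legitimate forwarders and mailing lists can relay mail from local senders through outside hosts, which is why this rule is best combined with SPF, DKIM and DMARC results rather than used as a hard reject on its own.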

As you have already noticed, modifying headers in order to confuse filters and people is used to such an extent that there are practically no spammers who do not use it today and, strange as it may seem, many filters are still defeated by it. We will stop here with the examples of this tactic and move on to other tactics that are based on different "backdoors" of the mail system.

A dangerous, but fortunately rarely used, tactic is to abuse a server's bounce (NDR) message policy. Many servers are configured to accept any message they receive and only act after the message has been accepted and resources have already been spent. This tactic can be rendered useless if the mail server is configured not to send bounce messages for failed local deliveries, or if the server checks the recipient for whom the message is intended and rejects the message at SMTP level instead of blindly accepting everything. The method also relies on the header forging tactic described above, here to modify the Reply-To header, which holds the address to which replies to the message are expected; this address may differ from the sender address.

The spammer sends a message with forged sender and Reply-To headers; the message is automatically accepted; the server then realizes that the recipient user does not exist and sends a bounce (NDR) message to the Reply-To address, in most cases with the original message as an attachment. Here the "victim" of the spammer is the address specified in the Reply-To header, since that address ultimately receives the message. This tactic has a higher chance of bypassing message filters or filtering applications since the bounce is, in fact, a legitimate message, but with an unwanted payload. In many cases it can fool even the user receiving it, who assumes it is an error message generated by their own mail server and opens the attached file containing the spammer's message. Besides the usual spam-related inconvenience, there are other problems: the attacked mail server consumes resources to deliver the bounce messages and offers the spammer a certain degree of anonymity.
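The difference between the two server policies described above (accept everything and bounce later, versus validate the recipient at RCPT TO) can be made concrete in a small simulation. The example below is added here and is not code from the original article; the domain and mailbox list are constructed. The article describes the bounce going to the Reply-To address; a standards-compliant server directs non-delivery reports to the envelope sender given in MAIL FROM, and that is the address the simulation uses as the bounce target (the spammer forges whichever address the server's bounce policy uses, and the effect is the same). The simulation also applies the rule that a failed delivery of a message with the null sender is never bounced.

```python
# Assumptions for this example: our own domain and the mailboxes that exist on it.
LOCAL_DOMAINS = {"example.com"}
MAILBOXES = {"alice@example.com", "bob@example.com"}


def rcpt_to_response(recipient, validate_recipients=True):
    """SMTP reply for one RCPT TO command, as a (code, text) pair.

    validate_recipients=False models the weak policy the article describes:
    anything addressed to a local domain is accepted and sorted out later.
    """
    addr = recipient.strip("<>").lower()
    if addr.rsplit("@", 1)[-1] not in LOCAL_DOMAINS:
        return 554, "5.7.1 Relay access denied"
    if validate_recipients and addr not in MAILBOXES:
        # Rejecting here costs nothing beyond the lookup: the message body is
        # never received and no bounce is ever generated by this server.
        return 550, "5.1.1 Recipient address rejected: User unknown"
    return 250, "2.1.5 OK"


def run_transaction(mail_from, rcpt_tos, validate_recipients=True):
    """Simulate the envelope phase plus local delivery for one message.

    Returns the per-recipient SMTP replies, the recipients that were queued,
    and the addresses to which this server would send a non-delivery report.
    """
    replies = {r: rcpt_to_response(r, validate_recipients) for r in rcpt_tos}
    queued = [r for r, (code, _) in replies.items() if code == 250]
    ndr_targets = []
    for r in queued:
        if r.lower() not in MAILBOXES:
            # Delivery fails only now, after the message was accepted and
            # stored; a bounce goes to the envelope sender unless it is <>.
            if mail_from != "":
                ndr_targets.append(mail_from)
    return {"replies": replies, "queued": queued, "ndr_targets": ndr_targets}


if __name__ == "__main__":
    # Constructed scenario: forged envelope sender, one bogus and one real recipient.
    forged_sender = "victim@victim.example"
    targets = ["nobody@example.com", "bob@example.com"]
    for policy in (False, True):
        result = run_transaction(forged_sender, targets, validate_recipients=policy)
        print(f"validate_recipients={policy}: queued={result['queued']} "
              f"NDR to={result['ndr_targets']}")
```

With the weak policy the bogus recipient is queued and the forged sender receives the backscatter bounce, carrying the spammer's message; with recipient validation the bogus address is refused with a 550 at RCPT TO, only the real mailbox is queued, and the server generates no NDR at all.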

Another tactic is to craft spam messages that confuse and disturb statistical or keyword filters based on the Bayes algorithm. Its goal is to render Bayesian filtering unusable by corrupting the keyword or corpus database and increasing the rate of false positives to the point at which the filter starts classifying many legitimate messages as spam or, the reverse, spam messages as legitimate, letting them pass. The spammer builds a message whose body is composed of a text part harvested from websites, which looks like normal conversation, and a part containing the intended message. Messages of this type are aimed at filters that are not kept up to date, since the accuracy of a Bayesian filter increases when it is properly and frequently trained. A Bayesian filter that is constantly trained and is used to seeing a certain type of legitimate message will properly recognize this kind of message no matter how well it is built.
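The effect of such "harvested text plus payload" messages on a Bayesian filter, and the recovery the paragraph describes, can be reproduced with a minimal multinomial naive Bayes classifier. The code below is an added example, not the article's code or any particular product's implementation; the training corpus, the poisoned message and the legitimate message are constructed and tiny, so the numbers are illustrative only.

```python
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z]+")


def tokenize(text):
    return TOKEN.findall(text.lower())


class BayesFilter:
    """Multinomial naive Bayes spam filter with Laplace (add-one) smoothing."""

    def __init__(self):
        self.words = {"spam": Counter(), "ham": Counter()}
        self.docs = {"spam": 0, "ham": 0}

    def train(self, label, text):
        self.words[label].update(tokenize(text))
        self.docs[label] += 1

    def _log_score(self, label, tokens):
        vocab = len(set(self.words["spam"]) | set(self.words["ham"]))
        total = sum(self.words[label].values())
        score = math.log(self.docs[label] / sum(self.docs.values()))  # class prior
        for tok in tokens:
            score += math.log((self.words[label][tok] + 1) / (total + vocab))
        return score

    def spam_probability(self, text):
        tokens = tokenize(text)
        spam = self._log_score("spam", tokens)
        ham = self._log_score("ham", tokens)
        return 1.0 / (1.0 + math.exp(ham - spam))


# Constructed training corpus (not real mail).
SPAM_CORPUS = ["buy cheap pills now", "cheap pills discount offer", "buy discount offer now"]
HAM_CORPUS = ["meeting tomorrow project schedule", "project meeting notes attached",
              "schedule the meeting tomorrow"]
# Conversation-like filler, as if harvested from a website, followed by the payload.
POISONED = "meeting tomorrow project schedule buy cheap pills"
LEGIT = "meeting tomorrow project schedule"


def build_filter():
    f = BayesFilter()
    for text in SPAM_CORPUS:
        f.train("spam", text)
    for text in HAM_CORPUS:
        f.train("ham", text)
    return f


def poisoning_demo():
    """Score the poisoned message before and after the user reports it as spam."""
    f = build_filter()
    before = f.spam_probability(POISONED)      # filler outweighs payload: passes as ham
    f.train("spam", POISONED)                  # the user flags it; the filter keeps learning
    after = f.spam_probability(POISONED)       # the same shape of message is now spam
    legit_after = f.spam_probability(LEGIT)    # genuine mail with the same words stays ham
    return {"before": before, "after": after, "legit_after": legit_after}


if __name__ == "__main__":
    for name, value in poisoning_demo().items():
        print(f"{name}: spam probability {value:.3f}")
```

With the filler words outnumbering the payload, the untrained filter scores the poisoned message at 0.2 and lets it through; after a single training round on the reported message it scores about 0.69, while the legitimate message built from the same filler words still scores below 0.1. Real corpora are far larger, so more than one report is usually needed, which is exactly why the paragraph stresses frequent training.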