|
| |
THE ANTI-SPAM COOKBOOK
September 15, 2002
By Ron Anderson
Just about everyone but native Hawaiians and direct marketers hate spam.
Hawaiians consider Spam--the canned luncheon meat--a staple in cooking, having
developed a number of amazing recipes using it as the main ingredient
. Marketers love the electronic form of spam because blitzing millions of
recipients with an electronic promotion is much cheaper than sending an envelope
or postcard to just a few thousand potential customers. Getting hundreds of spam
messages a week is bad enough, but getting hundreds of spam messages intended
for a different audience just adds insult to injury.
And the problem (the electronic one, at least) is only getting worse.
Consumers will be inundated with 206 billion junk e-mailings in 2006, double the
number received this year, research firm Jupiter estimates. Spam comprises
nearly one in three corporate messages exchanged this year, with that number
expected to climb to 39 percent by 2006, The Radicati Group estimates.
Medium-size companies routinely get 20,000 spam messages per day, according to
the Meta Group.
Glossary
• Spam Trap: This term has
several meanings. One, a spam trap is an address that is incapable of
requesting information or subscribing to lists, so if e-mail is sent to it,
the originator is sending unsolicited mail. A second definition is those
sneaky options that are preselected by default and give spammers permission to
bombard you. Advise users to check online forms carefully (see
http://www.lecb.ncifcrf).
During a recent 24-hour
period, one of Network Computing's small (20 user) mail servers blocked 2,478
messages from known spammers, stopped 61 messages via a spam trap and permitted
about 1,000 spam messages to be delivered. That's 177 pieces of spam addressed
to each user on this server in a single 24-hour period. Do the math--that's a
staggering 64,605 spam messages per year per user. Admittedly, our e-mail
addresses are plastered prominently all over the Web, so we're easier targets
than most, but based on our experience we don't think the analysts' predictions
are off by much. And the saddest part of that story is the 1,000 junk messages
that got through despite the costs we've incurred and the protective measures
we've implemented in our fight against spam.
So what's a harried e-mail administrator to do? Unfortunately, right now
there is no perfect answer. Blacklists are reactive, and filtering tools aren't
smart enough to block every message that is spam and pass every message that
isn't. What you can do now is combine the available spam-fighting tools to help
stem the tide.
Ingredient 1: A Soup'on of Secrecy
Some advise you to never give your e-mail address to anyone, or at the very
least, to obscure it when using it in electronically visible places, such as the
Web or Usenet newsgroups. Others use public e-mail addresses, usually from a
free mail service, when conducting business on the Internet or posting to
newsgroups, reserving their main addresses for business and personal use. But
these strategies are imperfect: It takes just one slipup--once the address is
had, it is had.
From an administration standpoint, your first line of defense should be to
implement system-wide rules that block known spam. We started getting a number
of junk messages that had a particular string in the "From" header. We blocked
these by creating a simple server-based rule that rejected mail with that
particular header. Problem solved, and it took only a minute or so, at least for
that single sender. And therein lies the problem--the target is always moving,
and this solution is designed to hit a stationary mark. Many servers let you
create your own blacklists of offending IP addresses. This is the same concept,
a quick and dirty method for blocking spam but one that doesn't scale well and,
again, is reactive rather than proactive.
If you have sophisticated users, they may be able to create rules on a per-
user basis, either at the server, if your mail server permits user rules, or
locally, using the rules capabilities of their own mail clients. For example,
some users on our mail server move all messages originating from free mail
servers, such as yahoo.com and hotmail.com, into folders separate from their
inboxes so they can deal with them when they have time. Some even go so far as
to delete these e-mails automatically because nearly all of them are spam. We
don't advocate this method without consulting your users, many of whom will have
a legitimate need to get e-mail from free-service users.
Ingredient 2: The Blacklist Du Jour
Spam blacklists, also known as block lists, offer a valuable automated tool
as your second line of defense. A blacklist lets your mail server query, via
DNS, a list of known spammers maintained by a variety of organizations, such as
MAPS RBL (Mail Abuse Prevention System Realtime Blacklist; mail-abuse.org),
SpamCop (spamcop.net) or Spamhaus (spam haus.org). If your server's blacklist
DNS query returns a hit, meaning that the sending server has a DNS record on the
blacklister's DNS zone, the system that is sending mail is a known spammer.
Blacklists are created and maintained in a variety of ways, from sending
"robots" out to look for open relays then listing them when they're found, to
creating the lists dynamically based on day-to-day, minute-by-minute analysis of
user reports. SpamCop uses the latter method, along with a scoring system that
factors in the percent of spam sent from a system versus legitimate e-mail, the
freshness of the report, and whether the report is for mail sent to a spam trap
(SpamCop gives these reports double weight). SpamCop removes a blacklist entry
if it has fewer than three reports against it and no report is newer than six
hours.
|
By the Numbers
$77.50: Amount California
small-claims court awarded Ellen Spertus when she sued Kozmo.com for
sending spam after she opted out
$4.26: Amount Spertus collected
$27.50: Amount
she spent in legal fees
483,000: Hits on Google for "stop spam"
16,500: Square footage of
official Austin, Minn., Spam museum
|
When mail arrives from a server that is on a blacklist, you have some
handling options. For instance, the incoming message can be refused, or it can
be rerouted away from the user. Also, most mail servers optionally will send a
message back to the original sender, assuming his or her return-to address
hasn't been forged, stating that the mail server has been blacklisted and your
organization won't accept his or her mail.
Of course, as you can see from "A Day in the Life of an E-Mail Administrator"
(page 63), a return message about blacklisting often causes confusion, but we
feel this step is necessary so that senders understand their mail isn't getting
through to your users and can open a dialog with you to see what can be done.
Consider the wording of your return message carefully to avoid any unnecessary
confusion.
Blacklists, when used in the right combination, are a great defense
mechanism. We use MAPS, SpamCop and Spamhaus, and that combination is about
right for our users--we don't get many complaints from legitimate mail senders,
and we're able to block thousands of spam messages a day. Some lists are
stricter than others, increasing the risk of blocking legitimate mail, and some
don't do enough to block spam. Your mileage will vary depending on your users'
needs; it's a good idea to research prospective blacklists to find where they
are on the spectrum.
Because these lists are maintained by their creators, administrative overhead
is low. Each list does require a DNS lookup per list per message (we do three
DNS queries per message plus a reverse DNS lookup to make sure the server is
really who it says it is) so there is some expense on the server side in terms
of CPU cycles and on the network to perform the lookups.
|
|
|
And Now for Something Completely Different
Another type of DNS lookup service, currently in beta tests by IronPort
Systems, makes use of a whitelist. A whitelist identifies servers that can
always deliver mail to your users.
IronPort's Bonded
Sender Program is a good example of a third-party-managed whitelist.
Let's suppose for a minute that you're a business, say AT&T Broadband,
and you want to send messages to your users periodically, for example, about
rate increases. If your outbound mail server's IP address is on your inbound
mail server's whitelist, there's no problem. But what if you don't have a
whitelist and don't subscribe to IronPort's Bonded Sender Program and your
filter software decides that all the rate increase notices are spam and
drops your 64,000 pieces of mail into the bit bucket? Then you're
embarrassed--and
that's exactly what happened to AT&T Broadband in May.
IronPort's idea is that large e-mailers with legitimate business needs
can post a bond, the size of which is determined by the amount of mail being
sent. ISPs and corporations that subscribe to IronPort's whitelist allow all
mail that has been bonded through to their users. Spam complaints about
those messages generate fines that are paid from the bond. The more
complaints, the more money comes out of the bond piggy bank. Where do the
fines go? According to IronPort, they are donated to nonprofit antispam
organizations.
|
FYI
On Jan. 2 a state
appeals court upheld a 1998 California law that requires e-mail
advertisers to identify their messages as such and to provide ways for
consumers to remove themselves from the advertisers' e-mail address
lists or face a $1,000 fine (see
"State Cour of Appel upholds Bowen's Anti-Spam Law")
|
Ingredient 3: Varietal Filters
Besides you and your users hitting the delete key hundreds of times
daily, your last line of defense is filtering software. We break this
category down into three distinct groups: client-based filtering,
server-based filtering and outsourced filtering.
The client-side products generally plug in to your e-mail client, usually
Lotus Notes or Microsoft Outlook or Outlook Express, or connect directly to
your MAPI or POP3 mailbox. These products are based on an updatable list of
client-side rules that filter based on sender, subject or an analysis of
content. Two packages in this category that we looked at while preparing
this article were
McAfee.com's SpamKiller, which works with any MAPI or POP3 account, and
Sunbelt Software's
aptly named iHateSpam, which works with Outlook in MAPI, IMAP or POP3
mode or Outlook Express in POP3 or IMAP mode. These packages run $20 to $30
and don't consume any server resources. Additionally, each user can
customize the product to his or her heart's content. The downside is that
your mail server still has to process and deliver each piece of spam, your
users' ability to roam from one computer to another is severely limited if
they want their spam processed, and you've now distributed your support
issues to each user's computer.
During our use of both of these products, we found that some legitimate
mail was moved to the spam folder while some spam slipped through the
cracks. The result of this less-than-perfect accuracy was that we ended up
examining each message anyway, which somewhat defeated the purpose of the
product. The benefit was the timing--because the messages suspected to be
spam were moved to a separate folder, we could examine them during work
lulls or in the evening, giving us more time to deal with legitimate mail
during the day. In addition, these products "learn," so their performance
improves over time.
Server-based filtering products run the gamut from commercial software,
such as Brightmail's
AntiSpam, Vircom's VOP
modusMail and
SurfControl's E-mail Filter for SMTP/Exchange, to the freely available,
PERL-script-based
SpamAssassin, to outsourced solutions such as Postini's Active EMS.
These products are more sophisticated versions of their client-based
brethren, operating on e-mail as it enters the server rather than after it
is delivered. If you implement a server-based product, your users are freed
from the responsibility of managing their own antispam measures, and support
issues are centralized.
Before you start with one of these products, make sure you can tailor its
spam-filtering activities for various user groups. Your sales folks may want
to receive all their mail unfiltered--the cost of their missing an important
message due to a false positive can be high--while your engineers may want
to filter 110 percent of their mail. In addition, these products require the
most CPU cycles of any of the antispam measures we've discussed because they
examine each and every message--including headers, contents and
attachments--before they pass them on or reject them.
Which brings us back to our original point: If a relatively inexpensive
DNS lookup can reject a majority of your inbound spam before the workhorse,
server-based filter products start eating your CPU cycles, your entire
e-mail infrastructure will benefit from greater scalability. And considering
that spam is projected to increase at a rate of 100 percent per year for the
foreseeable future, scalability is a critical concern. |
|
Executive
Summary
|
|
Our NWC editors list was recently forwarded a reader query: "What I want
to know is where to report spam when it hits ... particularly porn. I've
been getting bombarded with unwanted e-mail with horrid content. The senders
use a random number in their e-mail address, so I can't block the addresses
they use. How do you deal with something like this?"
A number of our editors weighed in. Some responses aren't fit to print in
a family publication. Others recommended
SpamCop.net, asking his
ISP for help, SpamCon
and the FBI. But the overriding message was: We feel your pain.
Network Computing has pretty good success in blocking spam. We advocate a
three-pronged approach: Rules, blacklists and filtering software. Still,
about 50 junk messages per user per day slip through the cracks. And given
the truly frightening spam proliferation estimates that we're getting from
analysts, the battle is far from over.
You might say, if you can't beat them, sue them. Some states are making
it easier to do just that by passing laws regulating mass e-mailing. But
spammers are slimy, slippery types, and they're fighting against
legislation. What can you do? Encourage the passage of laws regulating mass
junk e-mailings (see "The Law
of the Spam,", for a list of proposed legislation) and follow our recipe
for stamping out spam.
|
|
The Law of
the Spam
|
|
Nobody likes a spammer. Enterprises hate them because of the hit on their
mail servers. Parents hate them because they don't want their kids getting
ads for Viagra and live co-ed Web-cams. So it stands to reason that spam is
a natural target for politicians.
Indeed, 25
states have passed legislation governing spam. But how sharp are the
teeth in these laws, can you use them to reduce the amount of junk e-mail
you receive, and where are the feds?
The short answers are: Not very, not yet and out to lunch.
Many states don't prohibit spam outright; instead they take aim at false
and deceptive marketing practices. But fraudulent spammers make up only a
fraction of the whole. And where states regulate spam directly--California,
Delaware, Minnesota--jurisdiction and enforcement are problematic. Spam
extends beyond states into the national and international arenas. Most state
laws affect spammers that "reasonably know" that the intended recipient is a
resident of the state. If you get past this stumbling block, the next step
is bringing the spammer to justice. For every one you go after, there are 10
in the bush. Thus, enforcement becomes the exception, not the rule--so much
for teeth. But at least the states are on the playing field. The feds are
still in the dugout.
The S Files
The most promising federal legislation sharpens the ability of the
Federal Trade Commission to go after fraudulent e-mail. H.R. 718, introduced
Feb. 14, 2001, was moved out of the Committee on Energy and Commerce (Report
107-41;) and placed on the House of Representatives' calendar for
consideration and debate. Among other things, H.R. 718 amends the federal
criminal code to provide penalties for intentionally transmitting 10 or more
unsolicited commercial e-mails with the knowledge that the messages contain
false or misleading information on the identity of the sender. It also
provides ISPs a course of action for damages against persons in violation of
the proposed act and directs the attorney general to order spammers to stop
sending e-mail containing sexually oriented advertisement and to delete the
names and e-mail addresses of the parties who received such advertisements.
We're sure Attorney General John Ashcroft will go at this with a
vengeance, but H.R. 718 falls sadly short of the mark that the European
Parliament hit when it issued a Directive to member states prohibiting
unsolicited commercial e-mail and the use of cookies without the explicit
permission of the recipient. In effect, the EU has put in force an "opt-in"
system for e-mail as well as facsimiles and automated calling systems. The
opt-in requires marketers to get permission from recipients before they send
unsolicited commercial advertisements. Note that EU Directives bind member
states to end results. The means to those ends are left to individual
members.
To match the EU's Directive, Congress should amend the Telephone Consumer
Protection Act (P.L. 103-243) to include an opt-in system for spam. The act
recognizes that unsolicited telemarketing campaigns and commercial
facsimiles are costly nuisances to consumers and invasions of privacy. It
prohibits automated telemarketing calls and bans unsolicited commercial
facsimiles. Extending the act to prohibit spam unless the recipient opted in
would acknowledge that spam costs recipients money too--for the storage of
unsolicited commercial advertisements and the time lost in accessing,
reviewing and discarding it.
Congress' failure to act continues to make the Internet an unfettered
medium for businesses to advertise, short of fraud. Until the feds enter the
game for real, spammers will continue to flood our inboxes with ways to lose
weight, increase sexual prowess and reduce our mortgages, held in check only
by a patchwork quilt of state laws and filtering technology. Given that
reality, we can only hope that filtering technology improves.
What Does This Mean to You?
As an IT professional you need to make your voice heard. Contact your
lawmakers and tell them you support these bills. Go to
Congress.org and
Senate.gov for contact information. You can even go all the way to the
top: E-mail George Bush at
president@whitehouse.org. You can track bills by number at
thomas.loc.gov/.
--Sean Doherty, sdoherty@nwc.com
|
|
A Day In
the Life of an E-mail Administrator
|
|
What follows is an actual e-mail exchange. Only the names were changed to
protect the innocent:
-----Original Message-----
From: Innocent e-mail user
Subject: Why was my e-mail blocked!
Dear Blacklist-admin:
I am a public relations professional who recently sent a single press
release to one of your users from my Bell Atlantic (Verizon) mail account
and received the following mail rejection message:
Recipient: <myuser@myserver.com>
Reason: The mail server you are SENDING FROM is listed on an international
blacklist. Your message was rejected. Send your questions to
blacklist-admin@myserver.com.
I fail to understand how my mail server (Verizon) is on an international
blacklist. I am not a spammer. Please advise how I am supposed to
communicate with MyUser in the future.
Sincerely, Innocent e-mail user
----- Original Message -----
From: blacklist-admin@myserver.com
Subject: RE: Why was my e-mail blocked!
Innocent e-mail user,
I'll look into it. Can you tell me what day and what time you sent the
message to MyUser? Blacklist-admin
-----Original Message-----
From: Innocent e-mail user
Subject: Re: Why was my e-mail blocked!
Hi Blacklist-admin,
Thanks for your response. I sent the e-mail to her about 4:30 on Friday
afternoon. Hope this helps. Innocent e-mail user
----- Original Message -----
From: Blacklist-admin
Subject: RE: Why was my e-mail blocked!
Innocent e-mail user,
One of the "real-time blacklist" services I use to help control the amount
of spam my users receive does list the server from which you sent your mail
(out003pub.
verizon.net, 206.46.170.103) as a known source of SPAM. You can see the spam
report for your server at: http://spam cop.net/w3m?action=checkblock&ip=206.46.170.103
Note that SpamCop is a dynamic service. Today, out003pub is not listed. It
was listed from July 11 to this morning because of the amount of spam that
was reported coming from that server during that time. Based on its history,
it will no doubt be listed again soon.
Also, an article from last August in CNET.com shows that Verizon's servers
have a long history of serving as open relays for spam: news.com.com/2010-
1080281540.html?legacy=cnet
I checked this same issue last night and a year later, out003pub.verizon.net
is still an open relay. This means that anyone can use these servers to send
spam--that's why traffic from verizon.net is blocked by many spam
blacklists, including the ones we use.
Thanks, Blacklist-admin
-----Original Message-----
From: Innocent e-mail user
Subject: Re: Why was my e-mail blocked!
Hi Blacklist-admin,
Thanks for the explanation. I understand now how it is determined who gets
blocked. Unfortunately, it appears that these spam-filtering programs
eliminate anyone who uses a given service provider's systems. I'm sure
millions of people use Verizon. What you are saying is that my e-mails will
be filtered out by the spam program you use because spammers also use
Verizon. Seems rather archaic, inefficient and unfair to me. I've heard of
other programs that filter out mail based on other criteria. The danger in
using your program is that legitimate mail that your editors want to receive
will be rejected out of hand.
Innocent e-mail user
-----End of messages-----
Sadly, Innocent e-mail user is right: The system is archaic,
inefficient and unfair. But our users love the fact that the amount of spam
they receive is reduced significantly. That's the bottom line.
|
|
US
