Labs: Don't Get Spammed

Welcome Guest. | Log In| Register | Membership Benefits

August 18, 1997

Don't Get Spammed
Tired of unwanted E-mail clogging your in-box? New defense op tions can help you stay in control of your E-mail system.
By James E. Gaskin
our beeper starts vibrating, dancing across your nightstand, forcing you awake. It's 6:32 on a Saturday morning, and the number connects you to the president of your company. "I just received three more E-mail messages offering sex, dog breeding, and financial freedom," the president screams into your ear. "Make it stop!" l Early Monday morning, the president's spam problems are forgotten because your problems suddenly escalate. Your E-mail server is choked with angry messages. Just as you figure out that someone put your return address on 50,000 spam E-mail messages, the E-mail server crashes. l Over a single weekend, your system got spammed and was used as a relay station for more spam. As a result, you lost you r E-mail server in a firestorm of protests, condemnation, and bounced messages. Your company is nothing better than a spam monger in the eyes of thousands of potential customers. All you really did, of course, was be a bit too trusting and lax in your security measures. l Reaction to spam ranges from slight annoyance at hitting the delete key a few extra times to a screaming rage whenever an unknown message hits the in-box. Recent Internet users never saw the Net sans advertising and aren't bothered by a few extra messages, but old-timers often regard spam as evil incarnate. l No company is immune. My friend Leslie, who works for a major telecommunications company that provides Internet backbone services, got spammed during my research for this article. "We have a policy on spam," Leslie said, "but the spammers don't read it."
UCE, or unsolicited commercial E-mail, is the latest euphemism for spam-and it defines spam well. Spam is unsolicited, it is often blatantly commercial (usually near-fraudulent), an d it comes via E-mail. Its electronic nature is all that separates it from direct mail and telemarketing.
If spam were more like junk mail, few people would object to it. Post office regulations are clear: The sender pays. Spam, unfortunately, gets a free ride from the Internet. It may even cost the recipient to download. Would you accept junk mail that came postage due? You do with every spam message.
Forgery And Theft
Spammers' tactics have degenerated into deceit, fraud, forged return addresses, theft of service, and threats of violence. Companies have lost control of their E-mail systems, and individuals have been bombed away from E-mail accounts because of spam and their reactions to it.
Do you laugh when you see a line such as "hit reply and type remove" in spam? So do I. Spammers won't delete you from their list, because now they know the address is live and current. If you do reply, it will often be returned not to the originator, but to some poor company whose E-mail server w as "bounced"-or the return address is an outright forgery.
Listing an inaccurate return address saves the spammer personal time and aggravation, although auto-delete routines usually handle messages that find their way back. Often, names of reputable companies are listed in the From field.
Netscape Communications, for example, has been the target of both incorrect From addresses and attempts to use Netscape's corporate mail servers to relay spam, says Albert Gouyet, group product manager for messaging servers at Netscape, in Mountain View, Calif.
Here is where spammers go over the line and into illegal territory. Security holes in the sendmail Internet mail program have been exploited for years, but all E-mail systems have their weak links. MTAs (Mail Transfer Agents) have to be open by definition, because there are 25 million to 40 million people on the Internet who may send you mail. Unfortunately, all of them can also send spam.
Netscape now has anti-relaying features in its Messaging serve r for just these reasons. Messages with suspicious return addresses, or ones that attempt to send multiple E-mail copies, are dumped automatically.
If your SMTP (Simple Mail Transfer Protocol) software is used for a spam relay site, reaction from angry recipients will be swift and voluminous. Even if your server isn't attacked but your name is used, the result can often be the same, leaving you to deal with the disastrous results.
Defense Options
The spam problem is too large for any single answer-unless you can live with a system that accepts E-mail from known addresses only. The first step is to block E-mail from known bad addresses. That's the approach used by Randy Cassingham, author of This Is True, a syndicated newspaper column and E-mail list (www.thisistrue.com) of more than 150,000 addresses.
"I do business on the Internet, and can't afford the possibility of losing important business mail," he says. "I do, however, block certain spammer domains, since I'm not interested in th eir E-mail no matter who the claimed `user' is." Cassingham has spent considerable time and money boosting his mailing list privacy and security.
Tables of blocked addresses, usually called killfiles, are an easy and inexpensive way of dealing with spam. As spammers move to other addresses, of course, you must keep adding to the killfile. Blocks can be set at the firewall based on the Internet Protocol addresses, at the SMTP server, and in most E-mail client applications.
Authentication is the next step up the ladder. Each incoming E-mail message can be verified by checking the authenticity of the supposed sender. Microsoft's Exchange Server plans to incorporate this feature before the start of next year. But this approach takes time, delays message processing, and can't filter out E-mail bounced off legitimate sites or those with forged return addresses.
FireWall-1 from Check Point Software Technologies Ltd. in Redwood Shores, Calif., takes this authentication one step further. If demanded, each incoming message can be held at the proxy connection on the firewall until the sender replies to a query. Spammers often fail this test, so the packets are deleted before passing through the firewall and reaching the E-mail server.
Future Relief
Content filtering may be the ultimate weapon against the minions of spam. It works much the same way virus signature scanning tracks mutant code. A table of typical spam words and phrases, such as MAKE MONEY FAST!!!, or just three exclamation points in a row, serves as a filter for each incoming message. If any of the listed entries match, the E-mail is either deleted or transferred to a special account for review.
FireWall-1 utilizes "stateful inspection" for control over SMTP transactions. All incoming E-mail packets can be checked for virus signatures. FireWall-1 can look at any data within the packet stream, including message content.
Outgoing security measures can be implemented as well, including hiding the specific user's From address b ehind a generic company address and keeping other internal corporate details out of the E-mail message header.
Possibly the most comprehensive content-filtering options come from the MIMEsweeper line of products from Integralis Inc. in Kirkland, Wash. The MIMEsweeper filters, called Content Security Elements (CSEs), include options for incoming and outgoing E-mail, as well as Web browsing. A subset of its CSE is Lexical Analysis, the technology of reading and rating the content of messages. Using a graded scale, words and phrases such as "bargain," "once in a lifetime," "sex," and "make money" could all be assigned a value. If the total goes too high, the probability of the message being spam is almost absolute.
Sounds like a perfect application for all those software "agents" promised over the years, doesn't it? As more software catches up to the features of products such as FireWall-1 and MIMEsweeper, we'll all be able to defend ourselves a bit better.
Self-Defense
Many spam opponent s think we shouldn't have to defend ourselves at all, and that the burden should be shifted to the spammers. After all, direct mail has to be paid for, but spam is essentially free to the senders. More money is spent retrieving spam than sending it, once you add in the costs of phone connections, packet charges, or system time to handle the useless messages.
One option proposed by many ISPs is tagging spam. Each message must have an agreed-upon tag in the body and header, allowing SMTP servers to sort incoming E-mail according to the tag.
This is a wonderful idea, but spammers are in no hurry to make it easier to avoid their messages. Until laws are changed to force some level of spam compliance, authentication will be limited to verifying legitimate message sources.
The IETF (Internet Engineering Task Force) has several working groups active in the area of ESMTP (Extended Simple Mail Transfer Protocol) and SASL (Simple Authentication Security Layer). Voluntary message tags fall under the area of ESMTP, but SASL addresses non-tagged messages.
Defined in IMAP (Internet Mail Access Protocol), SASL defines an authentication method for use between servers. There is an IETF group working on the details now, but the value of SASL is in establishing trusted external E-mail servers. SASL, as proposed today, uses clear text passwords but concerns only communications between two E-mail servers, rather than the contents of any subsequent exchange.
Stringent Policies
ISPs can do more to control their clients, too. Almost every ISP lists spamming as an offense justifying immediate account termination-but empty words don't stop spam. The Spam Boycott home page ( spam.abuse.net ) lists 70 ISPs on its "Responsible Sites" page.
Most listings for the ISPs include a link back to the Acceptable Use Policy of the organization, so you can read the actual words used to warn potential spammers. Many listings give the reason why the site was placed on the list, such as blocking spam, canceling spam accounts on the same day spam is sent, and making attempts to charge spammers damages for using their communications systems.
Many groups despair of stopping spam without legal restrictions. Legal disputes are making headlines, and Cyber Promotions, the self-labeled "King of Spam" and an expert in Internet "marketing" is often suing providers or being sued for spam-related activities. The Voters Telecommunications Watch ( www.vtw.org ) tracks many of the cases filed so far, and announces new control attempts, such as Sen. Robert Torricelli's (D-N.J.) bill, S.875-The Electronic Mailbox Protection Act of 1997.
The proposed bill takes care to protect consumers and ISPs at the expense of spammers. It attacks software for automatic E-mail address gathering; hit-and-run accounts that are used to send spam once and are then closed, leaving the ISP to deal with outraged recipients; and the placing of false return addresses.
Proposed punish ments include a $5,000 civil penalty for each violation. The bill would also empower recipients or ISPs to sue for damages from $500 to $5,000. Class action suits from spam victims are encouraged.
Of course, specific legal restrictions will cripple the favorite technique of some spam opponents: attacking the spammer and its ISP. USA Today reported in early July that the CEO of one Detroit ISP received daily death threats and moved out of his house after anti-spam activists published his address and phone number.
Every anti-spam group counsels members not to mail-bomb spammers, especially since so many are adept at bouncing mail through other mail servers or forging return addresses. Anti-spam commandos may find themselves caught in the legal traps they helped design for spammers. Laws aimed at hacker activity, such as criminal trespass and denial-of-service attacks, apply to everyone.
Legal Opposition
CAUCE (Coalition Against Unsolicited Commercial E-mail) dislikes the Torricelli bill because it was drafted with the help of the Direct Marketing Association and others in the mass advertising business. They fear these organizations will leave the door open for spam in the future, and that the bill doesn't address shifting the cost of spam from the recipients to the senders.
CAUCE supports the Smith Bill amendment to the existing "anti-junk fax" law (47 USC 227) because 47 USC 227 has passed court tests and applies to similar problems of advertisers forcing the recipients to bear the costs of the advertisement. At least junk faxers have to make a phone call for every fax delivery. Spammers need send only one message to commandeer the resources of thousands of people.
The amendment sections are highlighted at the CAUCE Web site ( www.cauce.org ), and the additions include paragraphs condemning the use of "any telephone facsimile machine, computer, or other device to send an unsolicited advertisement to a telephone facsimile machine or E-mail delivery ad dress."
Proposed penalties give consumers a "private right of action" against spammers, allowing them to sue for $500 for each unsolicited message they receive. Damages are tripled if the court believes the spammer "willfully" or "knowingly" violated the law, bringing the cost of spam to $1,500 per message. The law also makes it illegal to send messages without the name and electronic address of the real sender.
Enforcement remains a problem, of course. Though bills such as these will discourage many spammers, certain groups will never quit as long as there is money to be made. Even though the cost of spamming is minimal, zero results make any cost too high a price to pay. No spam sales will slowly result in no spam.
Spam is a highly emotional issue to many people. Internet bandwidth used to be a prime argument against spam, but that no longer holds water. Streaming audio and video, dancing Java applets, and screen-saver push technologies require a thousand times more bandwidth than an E-mail mess age.
Open and accessible information databases have their advantages. The technology that gets your new car loan approved in 30 minutes rather than three days makes it easier to be a spam target. Publishing your phone number makes you a target of telemarketers.
Yet telemarketers bear the cost of their advertising, and you have easy ways to avoid them, with Caller ID and your answering machine. Laws limit times for calling and provide certain post-sales remedies to reduce fraud. Similar laws could be applied to spam, if most spammers weren't so elusive.
It's against the law to put someone else's return address on your snail mail, or to break in and use another company's postage meter. Maybe all we need do to stop spam is follow the same guidelines for E-mail, and punish spammers for fraud and stolen resources rather than for their spam.
James E. Gaskin is a Dallas-area consultant and author covering technical issues about NetWare and the Internet. Reach him at james@gaskin.com .
See table " Anti-Spam Resources On The Web "
See table " Spam-Blocking Mail Clients "
See table " Spam-Blocking Mail Servers "
See table " Spam-Blocking Firewalls "

Back to Labs
Send Us Your Feedback
Top of the Page