MINDPRIDE Computer Services

Home | About Us | Our Services | Contact Information | Tutorials, Articles & Dictionaries | Site Map



About Us



Virus Alerts




Refer A Friend

Site Map



Privacy Policy






  September 15, 2002
  By Ron Anderson

Just about everyone but native Hawaiians and direct marketers hate spam. Hawaiians consider Spam--the canned luncheon meat--a staple in cooking, having developed a number of amazing recipes using it as the main ingredient . Marketers love the electronic form of spam because blitzing millions of recipients with an electronic promotion is much cheaper than sending an envelope or postcard to just a few thousand potential customers. Getting hundreds of spam messages a week is bad enough, but getting hundreds of spam messages intended for a different audience just adds insult to injury.

And the problem (the electronic one, at least) is only getting worse. Consumers will be inundated with 206 billion junk e-mailings in 2006, double the number received this year, research firm Jupiter estimates. Spam comprises nearly one in three corporate messages exchanged this year, with that number expected to climb to 39 percent by 2006, The Radicati Group estimates. Medium-size companies routinely get 20,000 spam messages per day, according to the Meta Group.

Spam Trap: This term has several meanings. One, a spam trap is an address that is incapable of requesting information or subscribing to lists, so if e-mail is sent to it, the originator is sending unsolicited mail. A second definition is those sneaky options that are preselected by default and give spammers permission to bombard you. Advise users to check online forms carefully (see http://www.lecb.ncifcrf).


During a recent 24-hour period, one of Network Computing's small (20 user) mail servers blocked 2,478 messages from known spammers, stopped 61 messages via a spam trap and permitted about 1,000 spam messages to be delivered. That's 177 pieces of spam addressed to each user on this server in a single 24-hour period. Do the math--that's a staggering 64,605 spam messages per year per user. Admittedly, our e-mail addresses are plastered prominently all over the Web, so we're easier targets than most, but based on our experience we don't think the analysts' predictions are off by much. And the saddest part of that story is the 1,000 junk messages that got through despite the costs we've incurred and the protective measures we've implemented in our fight against spam.


So what's a harried e-mail administrator to do? Unfortunately, right now there is no perfect answer. Blacklists are reactive, and filtering tools aren't smart enough to block every message that is spam and pass every message that isn't. What you can do now is combine the available spam-fighting tools to help stem the tide.

Ingredient 1: A Soup'on of Secrecy

Some advise you to never give your e-mail address to anyone, or at the very least, to obscure it when using it in electronically visible places, such as the Web or Usenet newsgroups. Others use public e-mail addresses, usually from a free mail service, when conducting business on the Internet or posting to newsgroups, reserving their main addresses for business and personal use. But these strategies are imperfect: It takes just one slipup--once the address is had, it is had.

From an administration standpoint, your first line of defense should be to implement system-wide rules that block known spam. We started getting a number of junk messages that had a particular string in the "From" header. We blocked these by creating a simple server-based rule that rejected mail with that particular header. Problem solved, and it took only a minute or so, at least for that single sender. And therein lies the problem--the target is always moving, and this solution is designed to hit a stationary mark. Many servers let you create your own blacklists of offending IP addresses. This is the same concept, a quick and dirty method for blocking spam but one that doesn't scale well and, again, is reactive rather than proactive.

If you have sophisticated users, they may be able to create rules on a per- user basis, either at the server, if your mail server permits user rules, or locally, using the rules capabilities of their own mail clients. For example, some users on our mail server move all messages originating from free mail servers, such as yahoo.com and hotmail.com, into folders separate from their inboxes so they can deal with them when they have time. Some even go so far as to delete these e-mails automatically because nearly all of them are spam. We don't advocate this method without consulting your users, many of whom will have a legitimate need to get e-mail from free-service users.

Ingredient 2: The Blacklist Du Jour

Spam blacklists, also known as block lists, offer a valuable automated tool as your second line of defense. A blacklist lets your mail server query, via DNS, a list of known spammers maintained by a variety of organizations, such as MAPS RBL (Mail Abuse Prevention System Realtime Blacklist; mail-abuse.org), SpamCop (spamcop.net) or Spamhaus (spam haus.org). If your server's blacklist DNS query returns a hit, meaning that the sending server has a DNS record on the blacklister's DNS zone, the system that is sending mail is a known spammer.

Blacklists are created and maintained in a variety of ways, from sending "robots" out to look for open relays then listing them when they're found, to creating the lists dynamically based on day-to-day, minute-by-minute analysis of user reports. SpamCop uses the latter method, along with a scoring system that factors in the percent of spam sent from a system versus legitimate e-mail, the freshness of the report, and whether the report is for mail sent to a spam trap (SpamCop gives these reports double weight). SpamCop removes a blacklist entry if it has fewer than three reports against it and no report is newer than six hours.

By the Numbers
$77.50: Amount California small-claims court awarded Ellen Spertus when she sued Kozmo.com for sending spam after she opted out

$4.26: Amount Spertus collected

$27.50: Amount she spent in legal fees

483,000: Hits on Google for "stop spam"

16,500: Square footage of official Austin, Minn., Spam museum


When mail arrives from a server that is on a blacklist, you have some handling options. For instance, the incoming message can be refused, or it can be rerouted away from the user. Also, most mail servers optionally will send a message back to the original sender, assuming his or her return-to address hasn't been forged, stating that the mail server has been blacklisted and your organization won't accept his or her mail.


Of course, as you can see from "A Day in the Life of an E-Mail Administrator" (page 63), a return message about blacklisting often causes confusion, but we feel this step is necessary so that senders understand their mail isn't getting through to your users and can open a dialog with you to see what can be done. Consider the wording of your return message carefully to avoid any unnecessary confusion.

Blacklists, when used in the right combination, are a great defense mechanism. We use MAPS, SpamCop and Spamhaus, and that combination is about right for our users--we don't get many complaints from legitimate mail senders, and we're able to block thousands of spam messages a day. Some lists are stricter than others, increasing the risk of blocking legitimate mail, and some don't do enough to block spam. Your mileage will vary depending on your users' needs; it's a good idea to research prospective blacklists to find where they are on the spectrum.

Because these lists are maintained by their creators, administrative overhead is low. Each list does require a DNS lookup per list per message (we do three DNS queries per message plus a reverse DNS lookup to make sure the server is really who it says it is) so there is some expense on the server side in terms of CPU cycles and on the network to perform the lookups.

And Now for Something Completely Different

Another type of DNS lookup service, currently in beta tests by IronPort Systems, makes use of a whitelist. A whitelist identifies servers that can always deliver mail to your users. IronPort's Bonded Sender Program is a good example of a third-party-managed whitelist.

Let's suppose for a minute that you're a business, say AT&T Broadband, and you want to send messages to your users periodically, for example, about rate increases. If your outbound mail server's IP address is on your inbound mail server's whitelist, there's no problem. But what if you don't have a whitelist and don't subscribe to IronPort's Bonded Sender Program and your filter software decides that all the rate increase notices are spam and drops your 64,000 pieces of mail into the bit bucket? Then you're embarrassed--and that's exactly what happened to AT&T Broadband in May.

IronPort's idea is that large e-mailers with legitimate business needs can post a bond, the size of which is determined by the amount of mail being sent. ISPs and corporations that subscribe to IronPort's whitelist allow all mail that has been bonded through to their users. Spam complaints about those messages generate fines that are paid from the bond. The more complaints, the more money comes out of the bond piggy bank. Where do the fines go? According to IronPort, they are donated to nonprofit antispam organizations.

On Jan. 2 a state appeals court upheld a 1998 California law that requires e-mail advertisers to identify their messages as such and to provide ways for consumers to remove themselves from the advertisers' e-mail address lists or face a $1,000 fine (see "State Cour of Appel upholds Bowen's Anti-Spam Law")


Ingredient 3: Varietal Filters


Besides you and your users hitting the delete key hundreds of times daily, your last line of defense is filtering software. We break this category down into three distinct groups: client-based filtering, server-based filtering and outsourced filtering.

The client-side products generally plug in to your e-mail client, usually Lotus Notes or Microsoft Outlook or Outlook Express, or connect directly to your MAPI or POP3 mailbox. These products are based on an updatable list of client-side rules that filter based on sender, subject or an analysis of content. Two packages in this category that we looked at while preparing this article were McAfee.com's SpamKiller, which works with any MAPI or POP3 account, and Sunbelt Software's aptly named iHateSpam, which works with Outlook in MAPI, IMAP or POP3 mode or Outlook Express in POP3 or IMAP mode. These packages run $20 to $30 and don't consume any server resources. Additionally, each user can customize the product to his or her heart's content. The downside is that your mail server still has to process and deliver each piece of spam, your users' ability to roam from one computer to another is severely limited if they want their spam processed, and you've now distributed your support issues to each user's computer.

During our use of both of these products, we found that some legitimate mail was moved to the spam folder while some spam slipped through the cracks. The result of this less-than-perfect accuracy was that we ended up examining each message anyway, which somewhat defeated the purpose of the product. The benefit was the timing--because the messages suspected to be spam were moved to a separate folder, we could examine them during work lulls or in the evening, giving us more time to deal with legitimate mail during the day. In addition, these products "learn," so their performance improves over time.

Server-based filtering products run the gamut from commercial software, such as Brightmail's AntiSpam, Vircom's VOP modusMail and SurfControl's E-mail Filter for SMTP/Exchange, to the freely available, PERL-script-based SpamAssassin, to outsourced solutions such as Postini's Active EMS. These products are more sophisticated versions of their client-based brethren, operating on e-mail as it enters the server rather than after it is delivered. If you implement a server-based product, your users are freed from the responsibility of managing their own antispam measures, and support issues are centralized.

Web Links
"Users Fight Back Against Spam Epidemic" (InformationWeek, May 6, 2002)

"Can IT Can the Spam?" (TechWeb, April 24, 2002)

"Mobile Industry Wants Less Spam Served" (InformationWeek, March 25, 2002)

"Businesses That Abuse Consumer Privacy Will Pay" (InformationWeek, Feb. 28, 2002)


Before you start with one of these products, make sure you can tailor its spam-filtering activities for various user groups. Your sales folks may want to receive all their mail unfiltered--the cost of their missing an important message due to a false positive can be high--while your engineers may want to filter 110 percent of their mail. In addition, these products require the most CPU cycles of any of the antispam measures we've discussed because they examine each and every message--including headers, contents and attachments--before they pass them on or reject them.


Which brings us back to our original point: If a relatively inexpensive DNS lookup can reject a majority of your inbound spam before the workhorse, server-based filter products start eating your CPU cycles, your entire e-mail infrastructure will benefit from greater scalability. And considering that spam is projected to increase at a rate of 100 percent per year for the foreseeable future, scalability is a critical concern.


Executive Summary

Our NWC editors list was recently forwarded a reader query: "What I want to know is where to report spam when it hits ... particularly porn. I've been getting bombarded with unwanted e-mail with horrid content. The senders use a random number in their e-mail address, so I can't block the addresses they use. How do you deal with something like this?"

A number of our editors weighed in. Some responses aren't fit to print in a family publication. Others recommended SpamCop.net, asking his ISP for help, SpamCon and the FBI. But the overriding message was: We feel your pain.

Network Computing has pretty good success in blocking spam. We advocate a three-pronged approach: Rules, blacklists and filtering software. Still, about 50 junk messages per user per day slip through the cracks. And given the truly frightening spam proliferation estimates that we're getting from analysts, the battle is far from over.

You might say, if you can't beat them, sue them. Some states are making it easier to do just that by passing laws regulating mass e-mailing. But spammers are slimy, slippery types, and they're fighting against legislation. What can you do? Encourage the passage of laws regulating mass junk e-mailings (see "The Law of the Spam,", for a list of proposed legislation) and follow our recipe for stamping out spam.


The Law of the Spam

Nobody likes a spammer. Enterprises hate them because of the hit on their mail servers. Parents hate them because they don't want their kids getting ads for Viagra and live co-ed Web-cams. So it stands to reason that spam is a natural target for politicians. Indeed, 25 states have passed legislation governing spam. But how sharp are the teeth in these laws, can you use them to reduce the amount of junk e-mail you receive, and where are the feds?

The short answers are: Not very, not yet and out to lunch.

Many states don't prohibit spam outright; instead they take aim at false and deceptive marketing practices. But fraudulent spammers make up only a fraction of the whole. And where states regulate spam directly--California, Delaware, Minnesota--jurisdiction and enforcement are problematic. Spam extends beyond states into the national and international arenas. Most state laws affect spammers that "reasonably know" that the intended recipient is a resident of the state. If you get past this stumbling block, the next step is bringing the spammer to justice. For every one you go after, there are 10 in the bush. Thus, enforcement becomes the exception, not the rule--so much for teeth. But at least the states are on the playing field. The feds are still in the dugout.

The S Files

The most promising federal legislation sharpens the ability of the Federal Trade Commission to go after fraudulent e-mail. H.R. 718, introduced Feb. 14, 2001, was moved out of the Committee on Energy and Commerce (Report 107-41;) and placed on the House of Representatives' calendar for consideration and debate. Among other things, H.R. 718 amends the federal criminal code to provide penalties for intentionally transmitting 10 or more unsolicited commercial e-mails with the knowledge that the messages contain false or misleading information on the identity of the sender. It also provides ISPs a course of action for damages against persons in violation of the proposed act and directs the attorney general to order spammers to stop sending e-mail containing sexually oriented advertisement and to delete the names and e-mail addresses of the parties who received such advertisements.

We're sure Attorney General John Ashcroft will go at this with a vengeance, but H.R. 718 falls sadly short of the mark that the European Parliament hit when it issued a Directive to member states prohibiting unsolicited commercial e-mail and the use of cookies without the explicit permission of the recipient. In effect, the EU has put in force an "opt-in" system for e-mail as well as facsimiles and automated calling systems. The opt-in requires marketers to get permission from recipients before they send unsolicited commercial advertisements. Note that EU Directives bind member states to end results. The means to those ends are left to individual members.


To match the EU's Directive, Congress should amend the Telephone Consumer Protection Act (P.L. 103-243) to include an opt-in system for spam. The act recognizes that unsolicited telemarketing campaigns and commercial facsimiles are costly nuisances to consumers and invasions of privacy. It prohibits automated telemarketing calls and bans unsolicited commercial facsimiles. Extending the act to prohibit spam unless the recipient opted in would acknowledge that spam costs recipients money too--for the storage of unsolicited commercial advertisements and the time lost in accessing, reviewing and discarding it.


Congress' failure to act continues to make the Internet an unfettered medium for businesses to advertise, short of fraud. Until the feds enter the game for real, spammers will continue to flood our inboxes with ways to lose weight, increase sexual prowess and reduce our mortgages, held in check only by a patchwork quilt of state laws and filtering technology. Given that reality, we can only hope that filtering technology improves.

What Does This Mean to You?

As an IT professional you need to make your voice heard. Contact your lawmakers and tell them you support these bills. Go to Congress.org and Senate.gov for contact information. You can even go all the way to the top: E-mail George Bush at president@whitehouse.org. You can track bills by number at thomas.loc.gov/.

--Sean Doherty, sdoherty@nwc.com


A Day In the Life of an E-mail Administrator

What follows is an actual e-mail exchange. Only the names were changed to protect the innocent:

-----Original Message-----

From: Innocent e-mail user

Subject: Why was my e-mail blocked!

Dear Blacklist-admin:

I am a public relations professional who recently sent a single press release to one of your users from my Bell Atlantic (Verizon) mail account and received the following mail rejection message:

Recipient: <myuser@myserver.com>

Reason: The mail server you are SENDING FROM is listed on an international blacklist. Your message was rejected. Send your questions to blacklist-admin@myserver.com.

I fail to understand how my mail server (Verizon) is on an international blacklist. I am not a spammer. Please advise how I am supposed to communicate with MyUser in the future.

Sincerely, Innocent e-mail user

----- Original Message -----

From: blacklist-admin@myserver.com

Subject: RE: Why was my e-mail blocked!

Innocent e-mail user,

I'll look into it. Can you tell me what day and what time you sent the message to MyUser? Blacklist-admin

-----Original Message-----

From: Innocent e-mail user

Subject: Re: Why was my e-mail blocked!

Hi Blacklist-admin,

Thanks for your response. I sent the e-mail to her about 4:30 on Friday afternoon. Hope this helps. Innocent e-mail user

----- Original Message -----

From: Blacklist-admin

Subject: RE: Why was my e-mail blocked!

Innocent e-mail user,

One of the "real-time blacklist" services I use to help control the amount of spam my users receive does list the server from which you sent your mail (out003pub.

verizon.net, as a known source of SPAM. You can see the spam report for your server at: http://spam cop.net/w3m?action=checkblock&ip=

Note that SpamCop is a dynamic service. Today, out003pub is not listed. It was listed from July 11 to this morning because of the amount of spam that was reported coming from that server during that time. Based on its history, it will no doubt be listed again soon.

Also, an article from last August in CNET.com shows that Verizon's servers have a long history of serving as open relays for spam: news.com.com/2010- 1080281540.html?legacy=cnet

I checked this same issue last night and a year later, out003pub.verizon.net is still an open relay. This means that anyone can use these servers to send spam--that's why traffic from verizon.net is blocked by many spam blacklists, including the ones we use.

Thanks, Blacklist-admin

-----Original Message-----

From: Innocent e-mail user

Subject: Re: Why was my e-mail blocked!

Hi Blacklist-admin,

Thanks for the explanation. I understand now how it is determined who gets blocked. Unfortunately, it appears that these spam-filtering programs eliminate anyone who uses a given service provider's systems. I'm sure millions of people use Verizon. What you are saying is that my e-mails will be filtered out by the spam program you use because spammers also use Verizon. Seems rather archaic, inefficient and unfair to me. I've heard of other programs that filter out mail based on other criteria. The danger in using your program is that legitimate mail that your editors want to receive will be rejected out of hand.

Innocent e-mail user

-----End of messages-----

Sadly, Innocent e-mail user is right: The system is archaic, inefficient and unfair. But our users love the fact that the amount of spam they receive is reduced significantly. That's the bottom line.

  Services What We Offer Areas Covered Rates & Discounts
Estimates Maintenance Plans Links Phone Tech Support
About Us Refer A Friend Why Us? Reference Dictionaries Tutorials
Privacy Policy Service Protocol Disclaimer Contact Us

Web Page Designed By  ADAM
Copyright 1981 - 2008
MINDPRIDE CONSULTING All rights reserved.
Revised: November 21, 2007