The following is a newsletter from a computer magazine that I subscribe
to. I hope you will find it informative. Also, I tried to reformat it to
plain text. If any of you have a problem with the way it turns out, feel
free to tell me about it.
Kevin E. Ramsey
ramsey@extremezone.com
The Spam Scourge
Keep Your Inbox From Becoming Congested
Dear Kevin E,
Television has its infomercials, junk mail gets delivered to your door
every day, and even fax machines occasionally receive unsolicited faxes. So,
it should come as no surprise to anyone that the marketers who come at us
through our televisions and our mailboxes with their can't-miss offers and
once-in-a-lifetime opportunities have successfully exploited the new
frontier of electronic mail communications.
Spam, also known as UCE (unsolicited commercial e-mail), is a part of
the information technology revolution that most of us would rather do
without. And the numbers reveal the problem is getting worse, even as end
users, ISPs (Internet service providers), and Congress fight back.
In a recent news item, Cyberatlas (http://cyberatlas.internet.com)
quoted an eMarketer report that revealed some amazing statistics about
e-mail and the volume of spam clogging up the Internet.
The report showed that in 1998, 9.4 billion messages were sent in the
United States, and 7.3 billion of those messages were commercial. Of the 7.3
billion commercial messages sent, 7 billion (96%) were estimated by
eMarketer to be UCE. The problem continues to get worse as spammers
continuously figure out how to get around the various technological and
legal barriers that have been erected to stem the tide.
Everyone has something to say about spam, especially Internet users.
Various surveys clearly show the vast majority of people who use e-mail at
home and at work intensely dislike spam. So, what can you, as an e-mail
user, do to avoid spam? How do you get rid of spam if your inbox is filling
up with unsolicited e-mail? Are there any technological or legal remedies
you can apply to alleviate the problem?
We'll take a look at the spam problem and show you some techniques to
avoid getting spammed. Also, we'll take a look at remedies being applied by
the government and show you some effective ways to fight back.
Avoid Spam. Spammers are persistent, and it doesn't take them very
long at all to zero in on a victim. Raymond Everett-Church, Senior Privacy
Strategist and ePrivacy Group Counsel for CAUCE (Coalition Against
Unsolicited Commercial E-mail) and a well-known privacy-rights advocate,
said most new e-mail accounts have a 33% chance of receiving spam in the
first year of use.
After one to two years, Everett-Church added, spammers' chances shoot
up to nearly 100% of reaching that account's inbox. If your current inbox is
choking with spam and you've decided to establish a new e-mail address,
you've got a few months to figure out a plan of action to minimize the spam
you'll inevitably receive.
Cruise in stealth mode. Most people choose an easily remembered
username, something like john_smith@yahoo.com or Maggie@hotmail.com, when
they create an e-mail account. However, easily remembered e-mail usernames
are also easily recognized by the newest software tools used by spammers to
get fresh addresses into their mailing lists.
One of the newest approaches, said Everett-Church, is dictionary
spamming, a brute force technique that randomly generates millions of letter
and number combinations for building a list of possible e-mail addresses
hosted within a well-known service, such as Yahoo! or Hotmail. Although this
sledgehammer approach typically results in thousands, if not millions, of
messages bouncing back as unrecognizable addresses, a percentage of the
generated list will be actual e-mail accounts.
Use a random combination of numbers and letters as your e-mail
username, Everett-Church indicated, to increase your chances of avoiding
detection by spammers. You can also choose a small, local ISP for e-mail
service or else register and host your own domain so you can create an
e-mail address within your domain name, such as john1 @johnsmith.com.
Be careful where you hang out. Another technology used by spammers to
collect e-mail addresses is harvesting. As the name implies, harvesting lets
spammers collect thousands of fresh e-mail addresses from sources, such as
newsgroups, chat rooms, and even Web sites. Essentially, spammers use
software programs that search newsgroups and chat rooms for e-mail
addresses, which are typically required information a user must submit to
participate in these activities.
The solution to this problem, according to Everett-Church, is simple:
Avoid using chat rooms and newsgroups. This solution is strong medicine, but
your best bet for avoiding detection by a harvesting program is to make
yourself scarce.
However, if chatting or posting to newsgroups is a big part of your
online experience, you may want to set up a separate e-mail account just for
registering in chat rooms and newsgroups. Of course, this second address may
soon become clogged with spam, but at least your main e-mail address will
remain unscathed.
The same warning goes for using your e-mail address to complete Web
site forms or in Web-based newsgroups or chat rooms. Spammers have recently
developed, Everett-Church warned, software tools that let them pluck e-mail
addresses out of the Web. So even vanilla Web surfing is not immune from the
spammers' reach. Avoid entering e-mail information if at all possible or
else set up another e-mail address to use for entering Web-based
information.
Instant aliases. Avoiding participation in chat rooms or newsgroups
can severely curtail your online habits. However, there is a way to continue
using the Internet the way you want and keep from getting harvested.
A service called Mailshell (http://www.mailshell.com) lets you set up
unlimited e-mail aliases. Instead of using your own e-mail address to
register at a Web site or participate in a chat room session, you create a
new, disposable e-mail address on the fly.
To begin the process, you register either a domain (such as
johnsmith.com) or a subdomain (such as johnsmith.mailshell.com) with
Mailshell. The only difference between registering a domain and registering
a subdomain is that registering a domain costs approximately $30 a year and
gives you access to extra premium services, including virus scanning and
50MB of storage space, as opposed to a simple subdomain account without the
extra services.
Once you create your domain or your subdomain, you simply make up the
username part of the e-mail address whenever you need to supply an e-mail
address. So, if you are posting to a newsgroup, you can use an e-mail alias,
such as newsgroup-1@johnsmith .mailshell.com.
The advantage is you never have to supply your main e-mail address
again. The Mailshell system will store all e-mail you receive from your
various aliases and will let you either retrieve mail directly from the
Mailshell servers or forward it to your principal e-mail address.
Whenever an alias e-mail address you've created gets clogged with
spam, you delete it. In a way, the Mailshell service creates a protective
proxy that insulates your true e-mail address from the rest of the Internet.
Stop The Flow. Becoming a cybernomad and changing e-mail addresses
frequently may not be your cup of tea. You may have an extensive contact
list and don't want to have to notify everyone every time you change
addresses. Also, even though your inbox is bursting at the seams with spam,
you may receive content you actually care about and read.
Changing e-mail addresses frequently will result in multiple visits to
Web sites where you have subscribed for content, such as newsletters,
alerts, and reminders. E-mail is becoming so prevalent nowadays that the
list of places where you may have submitted your e-mail address is probably
unmanageable. In fact, many Web sites require that you enter your e-mail
address when you register for products or services.
It makes a lot of sense to be able to maintain a steady e-mail
address. Besides, why should you be inconvenienced because of someone else's
intrusive and unwelcome actions? If you want to make your stand and fight
back, here are some tips for doing just that.
Filter out the junk. Many ISPs use sophisticated software tools,
called filters, to weed out UCE based on characteristics such as content,
message subject, author, and header information. A lot of this functionality
is also available for the end user. If you want to eliminate spam from your
inbox, a software-filtering tool is a good place to start.
The first place to look for filtering capabilities is in your own
e-mail software. Most common e-mail packages, such as Pegasus Mail, Eudora,
and Outlook, use rule-based filtering to help you sort through your mail
more effectively. For example, you can set up a rule to copy messages from a
certain individual into a mail folder as soon as the message is received by
your e-mail program.
Rule-based systems also let you filter out unwanted e-mail by sending
it straight to the trash. The implementation of this feature varies from
e-mail program to e-mail program, but at its core, it all works the same
way. You enter the characteristics that differentiate the unwanted mail from
your regular mail, such as author, subject, content, or domain information.
Then, you tell your e-mail program what to do if a message meets the
criteria.
There's a disadvantage to this approach, however. As the flood of spam
continues, you must continually update your rules to include messages that
come from new sources of spam. Microsoft Outlook, for example, has a
built-in junk-filtering system that lets you add messages to a Junk Senders
or Adult Senders list.
The problem here is that it is up to you to continuously add new junk
messages to this list every time a spam is received. This method is reactive
because you must first receive the spam to be able to block any subsequent
messages from the same source.
To make matters worse, spammers are getting very good at eluding
filters by constantly varying the content and address information in their
messages. You can set up your mail system to block a spammer's message from
a particular e-mail address, only to find out the same content got around
your rule a week later because the spammer changed the From header in the
message to a new address. You'll soon discover spammers have no qualms
whatsoever about falsifying header information so a message's From field
might display an address that doesn't even exist.
Kill Spam. If your e-mail program's filtering tools aren't cutting the
mustard, you may want to take a look at a third-party spam-blocking utility.
These are programs specifically written to ferret out unwanted messages from
your mail server before they ever have the opportunity to slide into your
inbox. As such, these filtering programs act as the intermediary between
your inbox and the mail server. We looked at one of these utilities,
Novasoft's SpamKiller (www.spamkiller.com).
SpamKiller works by monitoring the e-mail messages that come into your
mail server and filtering those messages using an extensive set of default
filters. These filters then look at a message's author, subject, message
text, country of origin, and header information, and if any of the message's
contents match one of the standard filters, the message is automatically
placed on a Kill list.
You can also vary the effect of these filters so messages can be
marked, accepted, or killed only after you use the program's complaint
feature. Also, you can point to a message and click the filter button. This
feature walks you through the creation of a custom filter based on any part
of the message, such as the subject, the message text, or header
information.
Novasoft continuously updates its filter lists, and SpamKiller can be
set up to automatically connect to Novasoft and download new filters.
One of SpamKiller's best features is the automation of the complaint
process. To complain, select a message from the Killed messages list and
click the Complain button. The complaint window features a Domain list box,
an Administrator list box, and a Message combo box containing standard
complaint messages.
You first select the domain name where you want to send the message
and then type the administrator function (abuse, postmaster, or Webmaster)
that will receive your complaint. The program automatically retrieves the
domain information out of the message's headers. Once you select one of
these administrator functions (or, you can select All) click the Look Up
button.
SpamKiller verifies the correct e-mail address for the selected
administrator function and adds it to the administrator list. You then click
the Add button to add the verified address to the list of recipients for
your complaint. Finally, you can select from three different complaint
formats in the Message combo box: Administrator, Error, or User. Once you've
entered all the settings and verified all the addresses, click OK to send
the complaint.
SpamKiller worked as advertised and effectively blocked out spam
coming into the spam-infested e-mail account we set up as a test. If
anything, SpamKiller was a tad on the overenthusiastic side with its
filtering. It filtered as spam an order confirmation from a software company
simply because it found an XXX character string in the text. The order
confirmation's crime was that it contained a credit card number that the
software company partially hid with Xes.
We used SpamKiller's Rescue button to send the message back into our
inbox, and we modified the filtering system so any further messages from
that particular company would come through.
Recruit Your ISP. ISPs share your frustrations with spam. Recruit your
ISP to join your battle to rid your inbox of unwanted messages.
Begin with a request for the ISP to install filtering software or
other mechanisms to block out UCE from its servers. Everett-Church pointed
out that getting adept at perusing a message's raw header information is a
good way to learn the identity of the spammer's ISP. Header information is
hidden by default in most e-mail programs, but it's usually very easy to
view this information.
For example, in Microsoft Outlook 2002, open the message you want to
inspect and click Options from the View menu. The Message Options windows
will launch, and at the very bottom, you'll see a text box labeled Internet
Headers. This text box contains the information about the message you'll
need to study to prepare a complaint. Specifically, you will want to pay
attention to the Received header; this header shows you the provider your
ISP received the unsolicited message from.
You may find that a message contains multiple Received headers in
cases where a spammer uses multiple ISPs to forward mail. These ISPs in the
middle of the communications chain may be particularly interested in
learning about a spammer's traffic because more than likely they are not
aware the spammer is using their service to send or forward unsolicited
mail. To learn more about dissecting header information, go to
http://www.cauce.org and browse its FAQ section.
How About Opting Out? You may wonder if anyone has developed an
opt-out database, a master list of people who choose not to receive UCE.
Some attempts have been made and all, unfortunately, have met with, at best,
very limited success.
"The Direct Marketing Association," Everett-Church pointed out, "has
tried to set up a 'do not e-mail' list; however, it has largely been a
failure." Also, he added, many lists pretending to be opt-out databases are
actually run by spammers who use the names collected in those lists to
populate their own mailing lists. Be very careful about adding your name to
a list purporting to be an opt-out database. At best, it will be
ineffective, and at worst, it may actually increase the amount of spam you
get.
Efforts To Stop Spam. The spam problem has become pervasive enough
that both state governments and the federal government have joined the fray.
Spam imposes enough of an economic cost that many ISPs and even end users
are pressing the Congress for action. Although a few previous attempts at
legislation have died before becoming law, both houses of Congress currently
have pending legislation to address the spam problem. Two of these bills are
S 630 and HR 95; both bills, according to CAUCE, are very different in their
approach to the problem.
S 630. This Senate bill, also known as the CAN SPAM Act of 2001, was
authored by Sens. Conrad Burns (R-Montana) and Ron Wyden (D-Oregon). S 630
seeks to amend Chapter 63, Title 18 of the USC (United States Code) by
adding section 1348, which will impose both monetary and jail penalties on
spammers who willingly send UCE containing false header information to
protected computers.
The bill also prohibits the transmission of false or misleading
information in UCE, prohibits deceptive subject headings, requires the
inclusion of a valid return address in a message, prohibits transmission of
UCE to a recipient who has opted out from receiving messages, and requests
that senders include language that identifies the message as UCE, a physical
address, and an opt-out e-mail address in their transmissions.
The bill places enforcement responsibility on the FTC (Federal Trade
Commission), ISPs, and state attorneys general. An ISP who suffers a
monetary loss attributable to a spammer has the right to collect damages up
to $10 per spam up to a maximum of $500,000.
Everett-Church has analyzed various Congressional bills for CAUCE, and
he is not very enthusiastic about this one. First, he explains in an
analysis posted on the CAUCE Web site (http://www.cauce.org), the penalties
are low enough that only the most egregious damage will cause an ISP to
actually pursue monetary compensation.
Also, consumers are kept out of the enforcement loop. More often than
not, a violation has to be damaging enough to catch the attention of a state
attorney general for enforcement. The state attorney general, acting in the
interests of the residents of his state, would have to bring suit against
the spammer. The bill's only protection for consumers, Everett-Church
argues, is the chance to opt out of a mailing list by responding to a valid
e-mail address.
HR 95. The Unsolicited Commercial Electronic Mail Act of 2001 is
sponsored by Rep. Gene Green, a Democrat from Houston. This legislation
requires that UCE contain a "conspicuously displayed," valid e-mail address
that recipients can use to opt out of further communications with the
spammer.
The act also prohibits spammers from sending UCE to recipients who
have opted out and chosen to terminate the business relationship between
sender and receiver. In addition to an opt out choice in the form of a valid
e-mail address, UCE senders are also required to clearly identify their
messages as "unsolicited commercial mail."
An important part of the bill is the provision in it that gives ISPs
the right to establish a policy, communicated via Web posting and via a
"technological standard adopted by an Internet standards setting body," that
clearly establishes the status of the ISP as an entity that does not wish to
receive UCE. This is important because it creates a way for ISPs to be
proactive instead of reactive to the spam problem by devising a
technological solution that will warn a spammer about the ISP's no-spam
policy.
CAUCE has endorsed the use of an SMTP (Simple Mail Transfer Protocol)
banner for ISPs to disclose anti-UCE policies to potential spammers. SMTP is
the protocol used by e-mail servers to communicate with each other so the
spam policy information would, according to CAUCE, be transmitted every time
a spammer's site connected to the ISP's mail server to transmit UCE. The
spammer thus receives fair warning that further attempts to transmit UCE
through that ISP are illegal. HR 95 also protects ISPs who unknowingly
transmit UCE through their systems and also those who make a good-faith
effort to block illegal traffic.
Finally, unlike S 630, this bill provides both recipients of UCE and
ISPs a "private right of action" to pursue violators of the act and recover
any monetary damages suffered up to the amount of the actual loss or at a
rate of $500 per violation, not to exceed $50,000. Consumers are not only
protected by the various provisions of the act; they also have the right to
sue for damages in the court system.
Curb The Junk. The flood of spam will continue as long as people and
businesses use e-mail to communicate. Legislation will help, but as the rest
of the world becomes technically savvy, we will see increasing amounts of
spam originating in other countries, outside of the reach of U.S. law.
As we've seen, technological solutions, such as filters, are a
temporary fix; spammers are a determined lot who will perennially figure out
ways to evade technological blocks. After all, e-mail is one of the cheapest
modes of communications ever devised. A spammer can send thousands, even
millions, of messages in a relatively short period of time, increasing the
chances that someone will actually purchase that "once in a lifetime"
opportunity or will choose to follow up on that "can't lose" investment
proposition.
If you believe P.T. Barnum's observation that there's a sucker born
every minute, then you have to believe that spammers will continue to
blanket the Internet in the hopes of snaring that sucker or two who will
make their day.
by Sixto Ortiz Jr.
This PTG archive page provided courtesy of Moy Piano Service, LLC