How to Win the War against Spam
70% of all e-mail is spam. Newsletters you did not sign up for, porn and medicines you don't want, phishing attacks, worm mail and random marketing messages. All of it needs to be stopped before it enters your network. But how?
Thursday, August 04, 2005
Spam is universally agreed to be unsolicited bulk e-mail. This mail may or may not be of a commercial nature. The usual purpose of sending out such mail is for marketing.
A more recent use of spam is disinformation. In the extreme case, it becomes a tool for corporate or political misinformation, and it is a potential weapon in cyberwarfare.
Sometimes spam has a more sinister purpose: bringing down mail servers and networks by bombarding them with useless messages. This is also called 'mail bombing', though the messages sent are still spam. Spam is also used in phishing attacks and similar scams.
Though not relevant to this story, the word 'spam' has two other meanings. One is the attempt by 'search engine optimization' operators (SEOs) to gain higher search-engine rankings by repeatedly submitting the same content under variously disguised URLs. The other, and original, meaning is a brand of canned pork from Hormel; the name stands for 'Shoulder of Pork And Ham'.
Identifying spam
The basic foundation of the idea that you can eliminate spam is the fact that spam is identifiable. Further, a mere 200 operators around the world are responsible for about 80% of the spam that lands in your mailboxes. And every one of them is known and documented.
But if all this is true, how come these operators are still around? What they do is register a set of domains, buy ISP services to spam from, and send out millions of e-mails in about three months' time.
How PCQuest helped reduce spam from India
It is quite possible that there are spammers sitting on your ISP's network and spamming the rest of the world, including you. An easy place to start finding this out is the Spamhaus Block List (www.spamhaus.org/sbc). There, select ISP by country (lower right of the page), select India and click Display. You will get a list of Indian ISPs that are currently being used by spamming setups. A yellow-coloured entry indicates a ROKSO listing: one of the 200 spam operators who contribute 80% of the world's spam, and who have already been terminated by at least three ISPs for spamming.
What follows is the procedure we adopted in informing the ISP about the listing (it is unlikely that the ISP does not know, but some follow-up helps), which got many of these spamming operations stopped.
First, we identified the administrative and technical contacts for the ISP's domains (from the registrar with whom their domain names are registered). This is fairly easy, and can be done at www.dnsstuff.com. Simply enter the name of the ISP's domain, say mtnl.net.in, in the whois text box on the page, and you will get the domain details. You may need to click on an additional link to reveal the complete e-mail addresses of the contacts. What we did next was fairly simple. We took a sample of the ISPs listed and sent a simple e-mail to the two contacts, attaching a screenshot of the listing and asking for their comments for this story. Many of the ISPs that we wrote to quickly acted to get the accounts of the spammers suspended and to get the SBL records removed.
Listings removed          ISPs who did not respond
Reliance                  Bharti Broadband
Sancharnet (BSNL)         Spidernet
Spectranet                Shyam Internet
Sify Corporate            Ernet
Satyam Infoway            Exatt

MTNL and Iquara have had their SBL listings partly removed. Estelcom had many rounds of discussions with us (see separate piece on Top spammer), but the listings continue as is.
Now, you may not be able to do the same thing, that is, to ask for their comments for a story. But if enough users write to the ISPs asking them to remove spammers from their network, the ISPs will be forced to act. If you know anybody in the companies concerned, writing to them will also help. You could also write to the Directors or Chairman of the company.
ISPs can use their FUP (Fair Use Policy) to terminate services to spamming operations.
Then they set up another set of domains and jump to a different set of ISPs. At any one time, each of them has dozens of domains and aliases running.
The worst part is that they need not even be in the same area as their ISP, and the ISP is either clueless about the whole thing or chooses to turn a blind eye to what's going on.
Anti-spam measures
So, what are the resources and solutions available to you to eliminate spam? We have identified a few key concepts and solutions for you that are both easy to implement and inexpensive. The anti-spam arsenal can be broadly classified into three categories: prevention techniques that keep your addresses off mailing lists, solutions that help you deal with any spam that arrives, and resources you can turn to for further research or help.
One way to win the war against spam is to avoid getting it altogether. To do this, your IT policy must clearly state, and enforce, a few simple mechanisms. These are nothing new and have been known and well documented since the early days of spam. The first of these is: never publish your e-mail addresses on a public 'Web page'. A 'Web page' can be hosted on a website, a forum or a newsgroup. Humans no longer need to harvest addresses from a Web page by hand. Automated programs called 'bots' roam the Web, pulling pages and scanning them for e-mail-address-like patterns. These are logged into mailing lists that are then exchanged with other spam operators. Thus, your biggest problem is eliminated if these bots never get hold of your e-mail address.
There are situations in which you want someone reading a Web page to be able to contact you. Web forms that let the visitor write back to you are the best way, since the recipient's address is never revealed.
Solutions
All major mail servers have vendor-provided or third-party applications that filter out spam. For Exchange, there is Service Pack 1 (on the PCQEssential CD), besides applications from Hexamail, GFI MailEssentials, Cloudmark and BitDefender, among others. Domino has (again) BitDefender, SpamEraser and MailFlower. SpamAssassin supports procmail, sendmail, Postfix and qmail, among others.
There are appliances like the IronPort C10 (see review in this issue) that specialize in mail filtering. There is also software that works with the major mail servers; notable among these are Symantec BrightMail AntiSpam, Norton AntiSpam and MessageLabs AntiSpam 4.0. An Indian solution, SpamJadoo, claims to stop spammers by 'locking' your e-mail address (we haven't tested it yet). SpamJadoo also provides virtual e-mail addresses that you can use to subscribe to newsletters or for temporary purposes. These addresses can be monitored, or even turned off when they are no longer needed. The MessageLabs hosted service claims 100% filter rates.
Anti-spam technologies
Four main technologies are currently being positioned to combat spam. All of them are still in their infancy and none has gained enough maturity at this time to say which is better. For details, read New Techniques to Fight Spam, PCQuest, page 20, November 2004.
Authenticated e-mail
http://www.dwheeler.com/essays/email-authentication-ftc.html
When mail is received, the server sends back a challenge asking the sender to verify the mail. Non-verified mail is bounced.
Yahoo DomainKeys
http://antispam.yahoo.com/domainkeys
Signs e-mail sent with a public/private key pair; the recipient compares the key, rejecting e-mail that has invalid or missing keys as 'possible spam'. Prominent users: Yahoo Mail, Gmail.
Sender Policy Framework (SPF)
http://spf.pobox.com
This is a concept used by Sender ID (see below), where a domain publishes a list of servers allowed to send mail for that domain. Recipient servers then use it to check if the mail is legitimate or not.
Microsoft Sender ID
http://www.microsoft.com/mscorp/safety/technologies/senderid/default.mspx
Sender-server addresses are validated against a list of allowed servers for that mail-domain. Prominent user: Hotmail.
IBM FairUCE
http://www.alphaworks.ibm.com/tech/fairuce
First, an attempt is made to verify the sender's server using cached DNS lookups. On failure, a challenge/response is attempted. On repeated failure, the mail is classified as spam. Still under development; no known users yet.
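The SPF entry above describes a domain publishing the servers allowed to send its mail. The following is an added example, not code from the article or from any of the projects listed: a simplified evaluator that checks a sender IP against a constructed SPF record. It handles only the ip4 and all mechanisms with their qualifiers; the a, mx and include mechanisms need live DNS and are left out so it runs offline.

```python
# Added example (not from the article): a simplified SPF evaluator.
# Only the 'ip4' and 'all' mechanisms are supported, so the check runs
# offline against a constructed record; 'a', 'mx', 'include' are skipped.
import ipaddress

# Constructed sample record (assumption): what a domain would publish in DNS.
SAMPLE_SPF = "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.7 -all"

# Qualifier prefix -> SPF result when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, argument) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for term in parts[1:]:
        qual = "+"  # no prefix means 'pass'
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        terms.append((qual, mech.lower(), arg))
    return terms


def check_spf(record, sender_ip):
    """Return pass/fail/softfail/neutral for sender_ip, or 'none' if nothing matched."""
    ip = ipaddress.ip_address(sender_ip)
    for qual, mech, arg in parse_spf(record):
        if mech == "ip4" and ip.version == 4:
            # strict=False accepts host bits in the prefix (e.g. 203.0.113.5/24)
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif mech == "all":
            return QUALIFIERS[qual]
        # unsupported mechanisms (a, mx, include, ...) are skipped here
    return "none"  # no mechanism matched and the record has no 'all'


if __name__ == "__main__":
    for ip in ("203.0.113.42", "198.51.100.7", "192.0.2.1"):
        print(ip, "->", check_spf(SAMPLE_SPF, ip))
```

A receiving server would reject or flag mail whose connecting IP evaluates to fail, and treat softfail as a scoring input rather than an outright rejection.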
You and your ISP
Is a lot of your mail not reaching its recipients? The reason could be that it is being bounced as spam because of previous spam activity from your outgoing IP address. Puzzled? Head over to a block-list and query that IP address. Chances are that you'll find it listed there. Your company may well do legitimate bulk mailing. But if a significant number of your recipients report such mail as spam to one of the block-lists, your outgoing IP address(es) start getting blocked by mail servers. Often, you as the IT department are not even aware of such mailing. It is therefore all the more important to check the listings periodically to ensure you aren't listed. If you are, you are removed once you take corrective action.
When you buy your IP address, check whether it is listed in a block-list. If it is, your ISP must get the address removed. This brings us to a new issue: how cooperative is your ISP in getting your spam problems solved? As we said earlier, the ISP has a crucial role to play in the war against spam!
Remember that if they are allowing spammers to operate freely out of their network, they may not act to solve your spam problems.
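The periodic block-list check suggested above can be scripted. This is an added example, not code from the article or from any block-list operator: it builds the DNS query name for an IPv4 address (octets reversed under the list's zone) and interprets the A records that come back. The zone name, return codes and resolver stand-in are constructed assumptions so the example runs offline.

```python
# Added example (not from the article): querying a DNS block-list for a
# mail server's address. A listing is signalled by an A record under the
# list's zone, looked up with the address's octets reversed.
import ipaddress

# Constructed assumptions: a hypothetical list zone and its answer codes.
BLOCKLIST_ZONE = "bl.example.invalid"
RETURN_CODES = {
    "127.0.0.2": "listed: spam source",
    "127.0.0.3": "listed: open relay",
}


def dnsbl_query_name(ip, zone=BLOCKLIST_ZONE):
    """Return the name to look up: reversed octets, then the list zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on bad input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def interpret_answer(records, codes=RETURN_CODES):
    """Map the A records returned for a query to a readable verdict."""
    if not records:
        return "not listed"
    return "; ".join(codes.get(r, f"listed: unknown code {r}") for r in records)


def check_ip(ip, resolve, zone=BLOCKLIST_ZONE):
    """Check one address; resolve(name) must return a list of A records."""
    return interpret_answer(resolve(dnsbl_query_name(ip, zone)))


# Constructed stand-in for DNS so the example runs offline.
FAKE_DNS = {
    "7.100.51.198.bl.example.invalid": ["127.0.0.2"],
    "9.0.113.203.bl.example.invalid": [],
}


def fake_resolve(name):
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    # Run this against your own outgoing mail server addresses on a schedule.
    for ip in ("198.51.100.7", "203.0.113.9"):
        print(ip, "->", check_ip(ip, fake_resolve))
```

For a live check, replace fake_resolve with a function that performs the A lookup against the real list zone (the standard library's socket.gethostbyname_ex returns the address list, and raises socket.gaierror when there is no record, which maps to "not listed").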
Krishna Kumar and Sujay V Sarma