published

Since this page is under development, and not announced to anyone outside TISPA, no attempt is being made yet to finalize this into a glitzy professional presentation; much of the content here will just be a skeleton to be fleshed out later as I work out what is needed on these pages. Give me time; it'll appear.

Now, without further ado, to business:

Contents

• What is spam?
  • Unsolicited Email to users
  • Unsolicited Email to ISPs (abuse of contact lists)
  • Abuse of an ISPs facilities ("third-party spam")
  • Spam On Mailing Lists
  • Spam On Usenet (Good off-site link)
  • Spam On Search Engines (offsite link)
  • Metaspam: spam as a harassment technique
  • Spams to webmasters (for links, ads, malls)
• Why is it bad? (Good off-site link)
  • From an ISP's point of view
  • From a user's point of view
• Where did it come from?
  • spambots - usenet and mailing lists
  • email directories
  • ISP password files
  • review commands on listserv
  • abuse of majordomo who command
  • insufficiently protected majordomo lists at ISPs
  • web pages (manually and automatically and via search engines)
  • bought/shared from legitimate mailing lists
• What can we do about it??
  • Technical vs legal solutions
  • From an ISP's point of view
  • From a user's point of view
• The legal situation
  • Armchair legal thoughts (I Am Not A Lawyer, But ...)
    • Warnings, disclaimers
    • Solicited handling of junkmail - can't have your cake and eat it
  • In the courts
• Who is doing anything about it?
  • Organizations
  • Individuals
  • Companies
  • Assorted web links on the subject
• War Stories, Humor, etc.

The $64,000 question

Spam is information pollution. Spam is wasting people's valuable time. Spam is abusing other people's resources. Spam is making the recipient pay for the sender's business.

Well, I know it when I see it!

Spam is in many ways like pornography; there is currently no hard-and-fast definition of spam, but everyone likes to think they know it when they see it. Unfortunately, different people see different things, particularly if one person is a spammer and another is a spamee. In these pages we hope to come to a consensus of what exactly spam is, so that any new anti-spam legislation can be worded in a way that doesn't punish the innocent while letting as few of the guilty slip through the noose as can me managed. Here are several possible definitions of email spam:

• Anything in my mailbox I didn't ask for
  • Commercial email
    • Trying to sell you something
    • Trying to give you something (eg free web pages) (Good off-site link)
    • Trying to sell you something fraudulent (Off-site link)
    • Pyramid scams
    • Trying to sign you up for an MLM scheme/as an agent
    • A newsletter full of lots of people trying to sell you lots of things
    • Request for permission to send commercial email
    • Informative email not directly requesting money but giving you useful tips on finding ways to dispose of your money (stock tips, etc)
    • Charity requests
    • Junk mail faked to look like a mis-directed personal message to someone else
  • Non-commercial email
    • Religious messages
    • Chain letters
    • Hoaxes
    • "Warnings" (see hoaxes)
    • Political advertising (We haven't seen this yet but it will come)
    • Request for permission to send any of the above
• The same message sent out to more than <X> people
• A very similar message, slightly modified, sent out to <X> people
• <X> messages sent out within <Y> space of time
• Anything that gets a reply back to a provider saying "This message was unsolicited"
• Anything that gets more than &ltX>% of complaints back to the provider per <N> articles sent out
• Incompetent follow-ups to incompetent spams whose reply address is the list of recipients

You *really* should have known better...

A significantly large number of spams are addressed at ISPs trying to sell us software or equipment or technical support to make our lives easier. Yeah, right. You'd think spammers would have more sense than specifically target the most knowledgeable users on the net, but I guess no-one ever went broke underestimating the stupidity of the average spammer. Or a few ISPs if anyone ever took them up on any of these offers.

Anyway, the significant thing about these spams is that the address lists they use come from published lists of ISP contact addresses put out by various web sites and paper publications. These lists were created with the express intention of making it easier for a potential customer to find a suitable ISP in his area. In my personal opinion there's not a damned one of them worth the effort, and I've been trying (unsuccessfully) to get off all of them for over a year now. The reason being that for every genuine request for service, we've received maybe 100 unsolicited attempts to sell *us* something. That's not why we put our names on those lists. Frankly, I doubt if these lists benefit *any* ISP overall; they're specifically meant for finding *local* ISPs, and in almost all localities, there are much easier ways of finding an ISP than looking on the net for one (where you might be assumed to have an account already). Local word of mouth; local Yellow Pages; even the local library are all good ways to find a local ISP. In two years on all the big lists we've had 3 people signup who found us on the net.

That was just getting a rant off my chest by the way, I don't have anything positive to contribute here except that perhaps legal recourse may be necessary for people who advertise your services when you don't want them to or do so in a way which brings disrepute on you. I believe current law already has suitable remedies for this situation.

Actually, yes - there is a point to be made here: when a company advertises an address like "support@my-isp.com", it expects to get support email there. When junkmail arrives on that address - man hours are spent wading through the junkmail in order to get to the legitimate postings of users of the service looking for support. It would be nice to say that unsolicited commercial mail should never be sent to addresses that are for potential or current customers, but how could that ever be enforced? "support@..." is an easy one; but what about "staff@" or "sales@". Who decides what is obvious? What I do is attach a message next to my email address saying it is not to be used for solicitations and that answering mail for solicitations will be charged at $X/hr or part thereof - but by the time our email address ends up in one of those lists, that comment has been long lost.

Sue and be damned!

Personally, although I do my best to reduce spam by technical means (ADD: technical discussion) and a vain attempt to twist existing laws (ADD: standard spam reply), I genuinely believe that the scourge of mass spamming will only ever be handled properly when there is Federal legislation (See what happens with purely State legislation. Here too for more comments.) in place to make it illegal. However at TISPA we are concerned that legislation is often created under time pressure and as a result is usually too heavy-handed for the job: it may have an adverse effect on legitimate commerce and the business of ISPs. Consequently we want to develop in these pages sound guidelines which will be available to any potential legislator for use in drafting new bills against spam. (ADD: link to current new bill, with problems)

HOT NEWS:

Recently a Texas ISP was third-party spammed. This time we're fighting back: see the lawsuit that TISPA Attorney Pete Kennedy has filed.

Technical solutions:

TISPA is standing at the forefront of the technical resolution of the spam problem by being the first group to make public an effective spam filter which works way down inside the guts of the system at the point the email is received: the mail daemon. We have a replacement module for sendmail which cuts out spam very effectively. There are also solutions for SMAP, and many filters that can be run by users if their ISP cannot put in a global filter. The TISPA filter is configurable to enable/disable spam for individual users.

Received: from spammer.com via goodisp.com for user@elsewhere.com

This is probably the issue most close to the hearts of TISPA members. Because mass junk mailing is banned by many providers, spammers sometimes bypass their providers email system with its built-in checks, and use some other providers mailer to send out thousands and thousands of emails. These other providers are not being paid for this use of their facilities, and would not allow it if they knew it was going on (ADD: legal issues on need for advanced warning vs legislation question) or had the technical ability to stop it. (ADD: technical help in blocking)

"I will spell-check your unsolicited ad for $500!"

Following some successful campaigns against junk telephone calls, where the recipient offered to do business for the caller by virtue of allowing them to use his home and telephone to conduct their business, some netizens have tried this tactic against junk mail.

However, as an ISP on the receiving end of some of these complaints, I have to say they're not always thought out clearly. The premise is that you have said you will do something with unsolicited mail for a fee. In that case, you are explicitly soliciting the mail as part of an implied contract which is accepted when the sender sends you the mail. That's all very good and maybe you have a chance of pursuing it in the courts, but *don't* think you can also complain to the sender's ISP and try to get their account cancelled. It's either solicited by you for a commercial contract, in which case you take them to court yourself to get your fee, or it's unsolicited and you can complain to the ISP to get them kicked off their service. You can't have your cake and eat it however.

neat! This'll save me *hours* of spamming!

A particularly insidious form of spamming is to send one mail to a mailing list, and let the owner of the mailing list bear the cost of sending the junk to hundreds or thousands of readers. Because of this, many mailing lists have been forced to become moderated, wasting their moderators time, in order to filter out the spam. Some mailing list programmers have had to write additional code to handle spams (such as only accepting posts from list members), again wasting people's time. LSOFT, the commercial firm that now runs the LISTSERV software, has done an excellent job of automatic spam detection, and runs a network of linked list servers that share spam information with each other. I believe that something like this may one day be needed by ISPs for email, with support built in at the sendmail level. (ADD: See legal issues about blacklisting)

Net.WarZ

• Forcible addition to mailing lists
• Forged requests for junkmail
• Forged postings and lists of mailto:'s on Usenet to trigger spambots
  [Burnore/Guilmette]
• Putting an email address on a web page to invite harassment or junkmail

That'll show him!

Harassment: forcible addition to unwanted mailing lists.

One form of usenet harassment/denial-of-service attack is to subscribe someone to multiple (usually busy) mailing lists, by virtue of forged postings. Although this illegality is covered by current laws (probably), it's hard to trace and easy to do. I can't see any way of making it less hard to trace, short of very draconian laws indeed, but there is a way of making it harder to do: many mailing lists have a two-part submission scheme; you sign up normally, then receive a mail in reply which contains a magic cookie; you then return that magic cookie to the list and only then do they subscribe you.

Mailing lists without this simple checking procedure are easily abused, and I would personally favor legislation that insisted that this was the norm. I don't know how my TISPA colleagues would feel about this however. (ADD: discussion)

Spambots

Spambots are programs which regularly scan usenet or other areas (ADD: link to AOL chatroom spambots, IRC spambots, etc), extracting email addresses from the headers (and sometimes the bodies) which are then used as recipients of spam. Or oftentimes they're just sold on in MLM marketing scams to other wannabe spammers and metaspammers.

This practise of mailing people who post to usenet has made some areas of usenet all but unusable. As an experiment, I recently created a new account and made ONE single post to usenet with it; the account has never sent *any* email offsite; our account names are not published elsewhere, so any mail that account ever received must come as a result of its usenet posting. In the two weeks to date since it posted, it has received SIXTY-EIGHT spams. The most common of them being people trying to sell me junkmail lists or junkmail services. (The address is changed in the file referenced above just so posting it here doesn't attract any more spams. You can see the real address from the DejaNews link). This junk has been excellent test fodder for our new junkmail filtering software. (ADD: whole section on filter code)

Blocking

So, how can we block email spam? Well, there are three main ways:

• At the router
• At the mail daemon
• In the user delivery agent

Router Blocking

This is a tactic currently being exercised by a group of ISPs who have configured their routers to block mail connections to their networks from people on a blacklist of banned IP addresses. This is done by sharing a BGP4 feed of routes, where the bad guys are routed to the null route. Blocking in this fashion has the advantage that the ISP's machines never even see the spam to begin with, and therefore aren't affected by gross volumes of spam arriving which would have to be disposed of using one of the methods below. It has the disadvantage that you have to be running BGP4 routing, which many small single-homed ISPs are not doing. (Current advice is that single-connection ISPs *should not* run BGP4, to keep the routing table size down). There's also a question (I don't know if this is significant or not - haven't asked anyone doing it) of whether the filters slow down ordinary packets on the net. I believe having a large number of specific filters is bad for performance, but using the null route trick may be quite efficient.

Router blocking means that the sender fails to connect, and causes mail queues to build up at the sender's end. This is probably a good thing in the case of spammers but bad in general. It also is indiscriminate, and blocks both third-party spam and mail directly to your users. Depending on how you interpret the legal situation on blocking mail to your users (do you have their consent?) this may be a bit too heavy-handed.

Daemon Blocking

You can configure your SMTP daemon (let's say sendmail here, though some people use others) to reject mail on various grounds. This can be a good way to block because the sender can get an explicit message back saying why the mail was blocked. Sendmail blocking can be set up to either block third-party spams only, or to block mail to users, or both; it can selectively block access from specific sites on a network rather than always the whole network, and it can block mail to specific users. It can also be made to catch outgoing spams from local users posted through your service. However, none of this is easy and most of it requires a deep understanding of sendmail, and writing code to hook into sendmail, so would cost a lot of manpower on behalf of the ISP. This waste of our time is another reason why spam is bad.

The latest version of sendmail has a lot more support for these things built-in, including finally tcp_wrapper support. I would like to think that Tispa ISPs would co-operate in adding more anti-spam features to sendmail.

Something I would dearly love to see, but doubt anyone has the manpower for such an ambitious project, would be a major revision of sendmail where it has spamfilters built-in in the manner of LSOFT's LISTSERV network, which exchanges spam information between sites. There are however some major privacy concerns that would need to be met before a project like that could be emulated for personal email as opposed to public mailing lists.

In the meantime, I have developed and am releasing for TISPA members some modifications to sendmail which do third-party blocking, and experimentally on a per-user baseis, spam filtering.

Andrew Daniel has written an easy to use perl utility which can check if your mail host is vulnerable to third-party relaying. (If it doesn't work first time, change the #!/usr/bin/perl to use perl5

Delivery Blocking

Finally, a less intrusive form of spam-blocking is to block at the point of final user-delivery. This can either be done on the user's own system, if it is powerful enough, or by the ISP as he saves the messages into the user's shell or Pop3 mailbox (assuming that's how the ISP is configured; not all are.) Although personally I would prefer to spend the effort on sendmail blocking, I am currently running an experiment with delivery-agent blocking because it is much easier and less disruptive to a running service to experiment in a way that only affects one user. The filtering software I am working on tags a piece of mail as spam by inserting an extra header into the mail before filing it. The user can then filter for the presence of that header and make up his own mind how to dispose of the mail. This method has the advantage of giving the ISP some degree of immunity from lawsuits by spammers who say we're interfering with their trade, but has the disadvantage that the user still has to download the mail in order to handle it. Personally I sidetrack all tagged mail to a 'probably-spam' mailbox, then check it once a day for anything that may be legitimate mail that slipped through.

There's a trade-off here to be made: do you write aggressive filters that catch all spam, but also some non-spam, or do you write conservative filters that guarantee everything they catch is spam, but don't catch all of it? Personally I prefer the aggressive approach coupled with a buffer mailbox to check things before I delete them, but others may want to trash it unread and would therefore insist on the conservative approach. This is all just detail and can be parameterized in later versions of the code.

Tracking spam

A truly enthusiastic spammer-hunter has many tools at his disposal, but they all start with a careful reading of the mail. You can get clues about the spammer both from the headers and form the body of the text. It's also extremely useful to have a good memory and a good collection of previously-received spam.

Many of the major spamming outfits work by getting disposable dialup accounts from big providers like AT&T and UUNET, and they use those to inject the mail at yet another providers site, and the injected mail has either a fake return address or a disposable return address somewhere like juno or hotmail, and for good measure they throw in some faked Received: lines as well. The ones whoe are spamming from their own T1-connected sites have other tricks like spoofed reverse DNS, not to mention an ISP that is actually the same company as the spammer in disguise, so that complaints to the ISP are apparently handled well but in reality the spammer continues.

So, tracking a spammer from the headers is difficult but not always impossible; however, what is much more fun is tracking the spammer from the content of the mail. This is easy because spammers are by nature greedy people; although they go to great lengths to keep their real email addresses out of their spams, and usually supply the requested article by postal mail in response to orders mailed to a mailbox company, they very seldom go to the bother of ordering a new telephone number for the purposes of sending a one-off round of spam. So, when you get a completely anonymous junk mail that contains a telephone number, search the net for that number and see if they are using it in their advertising on some other web page somewhere. Chances are high they are. Reverse phone number lookups and phone CDs are useful here too.

Similarly, though to a lesser extent, you can track the rented mailbox addresses: even if you can't find that particular mailbox number, you'll find other people using the same mailbox service; if one of those people is in a similar line of business to that advertised in the spam, you may have found your man. You can also tell from the area code in the phone number or the dropbox address what region of the country the spammer is in; do a search for similar businesses in that region, then when you find one, check the wording of their web page info for similarities to the copy in their ads. Remember, Alta Vista is your most powerful tool; use it. Anyone who is willing to resort to spam to advertise their services is very likely to have already tried advertising the same thing on the web.

After a time, you learn to spot very quickly when you've found the spammer and when it's just a coincidence of name or address. Following a spam up in email to the person behind it, without any explanation of how you know it was them who sent it, can be very unnerving for a spammer who thinks he was well hidden behind "THE LATEST IN CLOAKING TECHNOLOGY!!!" of whatever junkmail program he was suckered into using :-)

For the less clued among us, there is a program (I haven't tried it) called Spam Hater which reportedly does some of the work in tracking down a forged spam. This was written by one of my British compatriots - we Brits have a strong incentive to cut down on incoming spam: 1) we pay for local calls by the minute at a rate that Americans would associate with Long Distance calls; 2) 99% of the spams received in Britain are advertising goods for sale in the US that we have no interest in. (Actually that applies to most Americans' view of spams too :-) )

Note: when you track down a spammer, whether from a web page or a whois entry, file the info you found for later because whois entries for spammers change rapidly - they very often realise they made a mistake putting real contact details in, and replace them with fake ones; and they take their personal home phone number off their web page when they get an irate phone call at 2am from someone who has just been spammed at 2am.

Finally, here are the so far uncategorised entries from my bookmark file to do with spam and various forms of net abuse. The best of these will be worked into the report above as I find suitable hooks to hang them on.

Newsgroups

news:news.admin.net-abuse.misc
news:news.admin.net-abuse.email
news:news.admin.net-abuse.usenet
news:alt.spam
news:alt.stop.spamming

Web Sites

Like all bookmark files, the most recent stuff is at the end. Most of the spam stuff is in the middle. Some things here aren't strictly spam-related but are close enough that they're a useful reference to have on hand.

This page is maintained by Graham Toal