The following is a newsletter from a computer magazine that I subscribe to. I hope you will find it informative. Also, I tried to reformat it to plain text. If any of you have a problem with the way it turns out, feel free to tell me about it. Kevin E. Ramsey ramsey@extremezone.com The Spam Scourge Keep Your Inbox From Becoming Congested Dear Kevin E, Television has its infomercials, junk mail gets delivered to your door every day, and even fax machines occasionally receive unsolicited faxes. So, it should come as no surprise to anyone that the marketers who come at us through our televisions and our mailboxes with their can't-miss offers and once-in-a-lifetime opportunities have successfully exploited the new frontier of electronic mail communications. Spam, also known as UCE (unsolicited commercial e-mail), is a part of the information technology revolution that most of us would rather do without. And the numbers reveal the problem is getting worse, even as end users, ISPs (Internet service providers), and Congress fight back. In a recent news item, Cyberatlas (http://cyberatlas.internet.com) quoted an eMarketer report that revealed some amazing statistics about e-mail and the volume of spam clogging up the Internet. The report showed that in 1998, 9.4 billion messages were sent in the United States, and 7.3 billion of those messages were commercial. Of the 7.3 billion commercial messages sent, 7 billion (96%) were estimated by eMarketer to be UCE. The problem continues to get worse as spammers continuously figure out how to get around the various technological and legal barriers that have been erected to stem the tide. Everyone has something to say about spam, especially Internet users. Various surveys clearly show the vast majority of people who use e-mail at home and at work intensely dislike spam. So, what can you, as an e-mail user, do to avoid spam? How do you get rid of spam if your inbox is filling up with unsolicited e-mail? Are there any technological or legal remedies you can apply to alleviate the problem? We'll take a look at the spam problem and show you some techniques to avoid getting spammed. Also, we'll take a look at remedies being applied by the government and show you some effective ways to fight back. Avoid Spam. Spammers are persistent, and it doesn't take them very long at all to zero in on a victim. Raymond Everett-Church, Senior Privacy Strategist and ePrivacy Group Counsel for CAUCE (Coalition Against Unsolicited Commercial E-mail) and a well-known privacy-rights advocate, said most new e-mail accounts have a 33% chance of receiving spam in the first year of use. After one to two years, Everett-Church added, spammers' chances shoot up to nearly 100% of reaching that account's inbox. If your current inbox is choking with spam and you've decided to establish a new e-mail address, you've got a few months to figure out a plan of action to minimize the spam you'll inevitably receive. Cruise in stealth mode. Most people choose an easily remembered username, something like john_smith@yahoo.com or Maggie@hotmail.com, when they create an e-mail account. However, easily remembered e-mail usernames are also easily recognized by the newest software tools used by spammers to get fresh addresses into their mailing lists. One of the newest approaches, said Everett-Church, is dictionary spamming, a brute force technique that randomly generates millions of letter and number combinations for building a list of possible e-mail addresses hosted within a well-known service, such as Yahoo! or Hotmail. Although this sledgehammer approach typically results in thousands, if not millions, of messages bouncing back as unrecognizable addresses, a percentage of the generated list will be actual e-mail accounts. Use a random combination of numbers and letters as your e-mail username, Everett-Church indicated, to increase your chances of avoiding detection by spammers. You can also choose a small, local ISP for e-mail service or else register and host your own domain so you can create an e-mail address within your domain name, such as john1 @johnsmith.com. Be careful where you hang out. Another technology used by spammers to collect e-mail addresses is harvesting. As the name implies, harvesting lets spammers collect thousands of fresh e-mail addresses from sources, such as newsgroups, chat rooms, and even Web sites. Essentially, spammers use software programs that search newsgroups and chat rooms for e-mail addresses, which are typically required information a user must submit to participate in these activities. The solution to this problem, according to Everett-Church, is simple: Avoid using chat rooms and newsgroups. This solution is strong medicine, but your best bet for avoiding detection by a harvesting program is to make yourself scarce. However, if chatting or posting to newsgroups is a big part of your online experience, you may want to set up a separate e-mail account just for registering in chat rooms and newsgroups. Of course, this second address may soon become clogged with spam, but at least your main e-mail address will remain unscathed. The same warning goes for using your e-mail address to complete Web site forms or in Web-based newsgroups or chat rooms. Spammers have recently developed, Everett-Church warned, software tools that let them pluck e-mail addresses out of the Web. So even vanilla Web surfing is not immune from the spammers' reach. Avoid entering e-mail information if at all possible or else set up another e-mail address to use for entering Web-based information. Instant aliases. Avoiding participation in chat rooms or newsgroups can severely curtail your online habits. However, there is a way to continue using the Internet the way you want and keep from getting harvested. A service called Mailshell (http://www.mailshell.com) lets you set up unlimited e-mail aliases. Instead of using your own e-mail address to register at a Web site or participate in a chat room session, you create a new, disposable e-mail address on the fly. To begin the process, you register either a domain (such as johnsmith.com) or a subdomain (such as johnsmith.mailshell.com) with Mailshell. The only difference between registering a domain and registering a subdomain is that registering a domain costs approximately $30 a year and gives you access to extra premium services, including virus scanning and 50MB of storage space, as opposed to a simple subdomain account without the extra services. Once you create your domain or your subdomain, you simply make up the username part of the e-mail address whenever you need to supply an e-mail address. So, if you are posting to a newsgroup, you can use an e-mail alias, such as newsgroup-1@johnsmith .mailshell.com. The advantage is you never have to supply your main e-mail address again. The Mailshell system will store all e-mail you receive from your various aliases and will let you either retrieve mail directly from the Mailshell servers or forward it to your principal e-mail address. Whenever an alias e-mail address you've created gets clogged with spam, you delete it. In a way, the Mailshell service creates a protective proxy that insulates your true e-mail address from the rest of the Internet. Stop The Flow. Becoming a cybernomad and changing e-mail addresses frequently may not be your cup of tea. You may have an extensive contact list and don't want to have to notify everyone every time you change addresses. Also, even though your inbox is bursting at the seams with spam, you may receive content you actually care about and read. Changing e-mail addresses frequently will result in multiple visits to Web sites where you have subscribed for content, such as newsletters, alerts, and reminders. E-mail is becoming so prevalent nowadays that the list of places where you may have submitted your e-mail address is probably unmanageable. In fact, many Web sites require that you enter your e-mail address when you register for products or services. It makes a lot of sense to be able to maintain a steady e-mail address. Besides, why should you be inconvenienced because of someone else's intrusive and unwelcome actions? If you want to make your stand and fight back, here are some tips for doing just that. Filter out the junk. Many ISPs use sophisticated software tools, called filters, to weed out UCE based on characteristics such as content, message subject, author, and header information. A lot of this functionality is also available for the end user. If you want to eliminate spam from your inbox, a software-filtering tool is a good place to start. The first place to look for filtering capabilities is in your own e-mail software. Most common e-mail packages, such as Pegasus Mail, Eudora, and Outlook, use rule-based filtering to help you sort through your mail more effectively. For example, you can set up a rule to copy messages from a certain individual into a mail folder as soon as the message is received by your e-mail program. Rule-based systems also let you filter out unwanted e-mail by sending it straight to the trash. The implementation of this feature varies from e-mail program to e-mail program, but at its core, it all works the same way. You enter the characteristics that differentiate the unwanted mail from your regular mail, such as author, subject, content, or domain information. Then, you tell your e-mail program what to do if a message meets the criteria. There's a disadvantage to this approach, however. As the flood of spam continues, you must continually update your rules to include messages that come from new sources of spam. Microsoft Outlook, for example, has a built-in junk-filtering system that lets you add messages to a Junk Senders or Adult Senders list. The problem here is that it is up to you to continuously add new junk messages to this list every time a spam is received. This method is reactive because you must first receive the spam to be able to block any subsequent messages from the same source. To make matters worse, spammers are getting very good at eluding filters by constantly varying the content and address information in their messages. You can set up your mail system to block a spammer's message from a particular e-mail address, only to find out the same content got around your rule a week later because the spammer changed the From header in the message to a new address. You'll soon discover spammers have no qualms whatsoever about falsifying header information so a message's From field might display an address that doesn't even exist. Kill Spam. If your e-mail program's filtering tools aren't cutting the mustard, you may want to take a look at a third-party spam-blocking utility. These are programs specifically written to ferret out unwanted messages from your mail server before they ever have the opportunity to slide into your inbox. As such, these filtering programs act as the intermediary between your inbox and the mail server. We looked at one of these utilities, Novasoft's SpamKiller (www.spamkiller.com). SpamKiller works by monitoring the e-mail messages that come into your mail server and filtering those messages using an extensive set of default filters. These filters then look at a message's author, subject, message text, country of origin, and header information, and if any of the message's contents match one of the standard filters, the message is automatically placed on a Kill list. You can also vary the effect of these filters so messages can be marked, accepted, or killed only after you use the program's complaint feature. Also, you can point to a message and click the filter button. This feature walks you through the creation of a custom filter based on any part of the message, such as the subject, the message text, or header information. Novasoft continuously updates its filter lists, and SpamKiller can be set up to automatically connect to Novasoft and download new filters. One of SpamKiller's best features is the automation of the complaint process. To complain, select a message from the Killed messages list and click the Complain button. The complaint window features a Domain list box, an Administrator list box, and a Message combo box containing standard complaint messages. You first select the domain name where you want to send the message and then type the administrator function (abuse, postmaster, or Webmaster) that will receive your complaint. The program automatically retrieves the domain information out of the message's headers. Once you select one of these administrator functions (or, you can select All) click the Look Up button. SpamKiller verifies the correct e-mail address for the selected administrator function and adds it to the administrator list. You then click the Add button to add the verified address to the list of recipients for your complaint. Finally, you can select from three different complaint formats in the Message combo box: Administrator, Error, or User. Once you've entered all the settings and verified all the addresses, click OK to send the complaint. SpamKiller worked as advertised and effectively blocked out spam coming into the spam-infested e-mail account we set up as a test. If anything, SpamKiller was a tad on the overenthusiastic side with its filtering. It filtered as spam an order confirmation from a software company simply because it found an XXX character string in the text. The order confirmation's crime was that it contained a credit card number that the software company partially hid with Xes. We used SpamKiller's Rescue button to send the message back into our inbox, and we modified the filtering system so any further messages from that particular company would come through. Recruit Your ISP. ISPs share your frustrations with spam. Recruit your ISP to join your battle to rid your inbox of unwanted messages. Begin with a request for the ISP to install filtering software or other mechanisms to block out UCE from its servers. Everett-Church pointed out that getting adept at perusing a message's raw header information is a good way to learn the identity of the spammer's ISP. Header information is hidden by default in most e-mail programs, but it's usually very easy to view this information. For example, in Microsoft Outlook 2002, open the message you want to inspect and click Options from the View menu. The Message Options windows will launch, and at the very bottom, you'll see a text box labeled Internet Headers. This text box contains the information about the message you'll need to study to prepare a complaint. Specifically, you will want to pay attention to the Received header; this header shows you the provider your ISP received the unsolicited message from. You may find that a message contains multiple Received headers in cases where a spammer uses multiple ISPs to forward mail. These ISPs in the middle of the communications chain may be particularly interested in learning about a spammer's traffic because more than likely they are not aware the spammer is using their service to send or forward unsolicited mail. To learn more about dissecting header information, go to http://www.cauce.org and browse its FAQ section. How About Opting Out? You may wonder if anyone has developed an opt-out database, a master list of people who choose not to receive UCE. Some attempts have been made and all, unfortunately, have met with, at best, very limited success. "The Direct Marketing Association," Everett-Church pointed out, "has tried to set up a 'do not e-mail' list; however, it has largely been a failure." Also, he added, many lists pretending to be opt-out databases are actually run by spammers who use the names collected in those lists to populate their own mailing lists. Be very careful about adding your name to a list purporting to be an opt-out database. At best, it will be ineffective, and at worst, it may actually increase the amount of spam you get. Efforts To Stop Spam. The spam problem has become pervasive enough that both state governments and the federal government have joined the fray. Spam imposes enough of an economic cost that many ISPs and even end users are pressing the Congress for action. Although a few previous attempts at legislation have died before becoming law, both houses of Congress currently have pending legislation to address the spam problem. Two of these bills are S 630 and HR 95; both bills, according to CAUCE, are very different in their approach to the problem. S 630. This Senate bill, also known as the CAN SPAM Act of 2001, was authored by Sens. Conrad Burns (R-Montana) and Ron Wyden (D-Oregon). S 630 seeks to amend Chapter 63, Title 18 of the USC (United States Code) by adding section 1348, which will impose both monetary and jail penalties on spammers who willingly send UCE containing false header information to protected computers. The bill also prohibits the transmission of false or misleading information in UCE, prohibits deceptive subject headings, requires the inclusion of a valid return address in a message, prohibits transmission of UCE to a recipient who has opted out from receiving messages, and requests that senders include language that identifies the message as UCE, a physical address, and an opt-out e-mail address in their transmissions. The bill places enforcement responsibility on the FTC (Federal Trade Commission), ISPs, and state attorneys general. An ISP who suffers a monetary loss attributable to a spammer has the right to collect damages up to $10 per spam up to a maximum of $500,000. Everett-Church has analyzed various Congressional bills for CAUCE, and he is not very enthusiastic about this one. First, he explains in an analysis posted on the CAUCE Web site (http://www.cauce.org), the penalties are low enough that only the most egregious damage will cause an ISP to actually pursue monetary compensation. Also, consumers are kept out of the enforcement loop. More often than not, a violation has to be damaging enough to catch the attention of a state attorney general for enforcement. The state attorney general, acting in the interests of the residents of his state, would have to bring suit against the spammer. The bill's only protection for consumers, Everett-Church argues, is the chance to opt out of a mailing list by responding to a valid e-mail address. HR 95. The Unsolicited Commercial Electronic Mail Act of 2001 is sponsored by Rep. Gene Green, a Democrat from Houston. This legislation requires that UCE contain a "conspicuously displayed," valid e-mail address that recipients can use to opt out of further communications with the spammer. The act also prohibits spammers from sending UCE to recipients who have opted out and chosen to terminate the business relationship between sender and receiver. In addition to an opt out choice in the form of a valid e-mail address, UCE senders are also required to clearly identify their messages as "unsolicited commercial mail." An important part of the bill is the provision in it that gives ISPs the right to establish a policy, communicated via Web posting and via a "technological standard adopted by an Internet standards setting body," that clearly establishes the status of the ISP as an entity that does not wish to receive UCE. This is important because it creates a way for ISPs to be proactive instead of reactive to the spam problem by devising a technological solution that will warn a spammer about the ISP's no-spam policy. CAUCE has endorsed the use of an SMTP (Simple Mail Transfer Protocol) banner for ISPs to disclose anti-UCE policies to potential spammers. SMTP is the protocol used by e-mail servers to communicate with each other so the spam policy information would, according to CAUCE, be transmitted every time a spammer's site connected to the ISP's mail server to transmit UCE. The spammer thus receives fair warning that further attempts to transmit UCE through that ISP are illegal. HR 95 also protects ISPs who unknowingly transmit UCE through their systems and also those who make a good-faith effort to block illegal traffic. Finally, unlike S 630, this bill provides both recipients of UCE and ISPs a "private right of action" to pursue violators of the act and recover any monetary damages suffered up to the amount of the actual loss or at a rate of $500 per violation, not to exceed $50,000. Consumers are not only protected by the various provisions of the act; they also have the right to sue for damages in the court system. Curb The Junk. The flood of spam will continue as long as people and businesses use e-mail to communicate. Legislation will help, but as the rest of the world becomes technically savvy, we will see increasing amounts of spam originating in other countries, outside of the reach of U.S. law. As we've seen, technological solutions, such as filters, are a temporary fix; spammers are a determined lot who will perennially figure out ways to evade technological blocks. After all, e-mail is one of the cheapest modes of communications ever devised. A spammer can send thousands, even millions, of messages in a relatively short period of time, increasing the chances that someone will actually purchase that "once in a lifetime" opportunity or will choose to follow up on that "can't lose" investment proposition. If you believe P.T. Barnum's observation that there's a sucker born every minute, then you have to believe that spammers will continue to blanket the Internet in the hopes of snaring that sucker or two who will make their day. by Sixto Ortiz Jr.
This PTG archive page provided courtesy of Moy Piano Service, LLC