How spammers operate

According to Steve Linford, founder of anti-spam blacklist Spamhaus, 90% of all the spam infesting networks in Europe and North America can be traced to a hardcore of about 180 “spam gangs”.

Most hardcore spammers are middlemen, hired by third parties to advertise all manner of dubious wares, picking up a commission on the referrals.

The spammer buys dial-up and broadband accounts under various aliases so that when one is terminated, another can quickly be activated. They are often helped by lackadaisical enforcement of acceptable usage policies (AUPs) by ISPs.

In some cases, big-name ISPs have even signed secret ‘pink contracts’ with major spammers. In return for a fat fee, the ISP agrees to ignore complaints from end users, maintain the spammer’s email access and keep ‘spamvertised’ web sites up and running.

Both AT&T and PSINet have been caught holding pink contracts with spammers – scores of other, mostly US-based ISPs are suspected to have cut such deals.

The next step for many spammers is to scan the Internet for email servers that have been wrongly set up to open relay any email. This enables anyone to send email anonymously because the message header will only trace back to the compromised server, rather than the spammer’s ISP.

Once the compromised email servers have been found, the spammer will route as many emails through them as possible – a process known as ‘relay raping’. In some cases, spammers operate their own open relays on other ISPs in a bid to cover their tracks.

Good ISPs run automated scans on their own users’ systems to detect the presence of open-relay configured mail servers.

Finally, many spam emails contain tracking codes in the HTML that can help the spammer work out which email addresses are active and therefore send still more spam to them.

But I didn’t opt in …

It is the standard, semi-literate reframe seen in every spam: “You have subscribed to receive this information in an opt-in list.”

Of course, nothing could be further from the truth. Every spammer’s ‘spamware’ suite includes email harvesting software. This is run 24-hours a day, seven-days a week and probes web sites and news groups for fresh email addresses to add to the database.

Within minutes of finding a new email address, it will likely be hit by its first spam run.

Such harvesting software has become so sophisticated that it can even overcome simple email address ‘munging’, such as putting the word ‘nospam’ in the middle of the email address.

To overcome the problem, many organisations present email addresses on their web sites using JavaScript instead of plain text. But it will no doubt be only a matter of time before spammers defeat this more sophisticated approach.

Dealing with spam

There are three main approaches to tackling spam

Blacklists: It is a myth to suggest – as some commentators do – that spam cannot be accurately traced and blocked. Far from it, 90% of the world’s spam is pumped relentlessly from the same range of IP addresses by the same people.

Anti-spam activists have, therefore, responded by building and publishing their own blacklists of IP address ranges of known or suspected sources of spam, which end users can freely adopt.

These are based on a range of criteria. Steve Linford’s Spamhaus, for example, tracks the operations of some 180 or so ‘spam gangs’ and publishes advisory blacklists that ISPs and organisations can freely implement.

The Spam Prevention Early Warning System (SPEWS) is more aggressive. It drops email addresses on web sites and on newsgroups, which are quickly picked up by spammers’ email address harvesting software.

The originating IP address of spam sent to these email accounts is used as the basis of its blacklist. It does not just block one single IP address, but an address range sufficient to block all spam from that source.

If the ISP deals with complaints promptly, the blacklisting is equally promptly removed.

But if complaints are ignored, the blacklisted IP address range is widened, inevitably to include some organisations innocent of spamming. The idea is that pressure from companies caught in the crossfire will force the ISP to decide whose business they most want: those of legitimate companies or spammers.

While harsh, SPEWS’ approach has been highly effective in engineering a turnaround in attitude at most major ISPs, forcing many spammers out of the US and Europe, with Argentina, Brazil and China favoured destinations.

Heuristics: This approach is based on artificial intelligence. The idea is that most spam emails share the same characteristics, such as the assertion that you did “opt-in to receive this message”, the false unsubscribe address and the forged message header data.

A score is assigned to each characteristic and if it exceeds a certain threshold, an incoming email can be deleted or quarantined accordingly.

Such text analysis techniques have been deployed by email scanning company MessageLabs, with its Skeptic software, and is also used in the SpamAssassin filtering tool, which was recently acquired by Network Associates.

Anti-spam service provider: Brightmail offers a hybrid of these two main approaches. First, it has a network of hundreds of email addresses that have been populated on the Internet and picked up by spammers’ automated email harvesting tools.

Then, the moment a spam is picked up at one of these addresses, a signature file is made up of the spam’s characteristics and sent to users of Brightmail’s software and services, who get near real-time updates to add to their spam filtering database.

It’s not against the law – yet

When the European parliament finally voted to ban spam it marked the end of a long and hard-fought battle. At the heart of it was a debate about whether the European Union (EU) should adopt an ‘opt-in’ or ‘opt-out’ policy.

Anti-spam activists favoured a confirmed opt-in process similar to the one operated by Yahoo Groups. When someone gives a company their email address, a confirmation email is sent to that address so that they can confirm that they do indeed want to join that mailing list.

Member of European Parliament Michael Cashman lined up behind the vociferous Direct Marketing Association (DMA) in pushing for opt-out. This would mean that any organisation would be free to send all the email they wanted to whoever they wanted, provided that they allowed the recipient to opt-out from their list.

Activists argued that such a law would be meaningless: a spammer might operate multiple lists from multiple front companies and they would still be free to trade email addresses with their fellow spammers.

And after much heated debated the European parliament eventually agreed.

Now, the same debate has been ignited in the US, following the Federal Trade Commission’s (FTC) Spam Forum.

At the moment, there are a number of bills on the table, waiting to be debated by Congress. The most widely promoted is Senator Conrad Burns’ CAN SPAM Bill. This would impose a fine or imprisonment for sending spam that is false or misleading, or for forging any element of the message header.

In addition, senders of unsolicited commercial email would also be required to provide a working opt-out mechanism.

However, activists argue that such a federal law would undermine tougher state laws in the US and give carte blanche to the spammers.

Of course, much of the legal debate is academic. While many spammers in the EU and the US take advantage of spam-friendly ISPs to spam from within their respective national borders, many are routing their spam and hosting their web sites via ISPs in lightly regulated parts of South America and Asia.

When blacklists bite

Costa Rica used to be a home from home for spammers. The national Internet service monopoly RACSA would happily let them send all the email they wanted, while ignoring complaints, arguing that it did not have the power to ‘censor’ its users if they were not breaking the law.

Until, that is, IP address ranges belonging to RACSA started to appear on anti-spam blacklists. Initially, RACSA responded by moving the spammers to different IP addresses in order to evade the blacklists.

But after learning that three so-called spam gangs were planning to take advantage of RACSA’s lax regulation and establish ‘bullet proof’ spamming operations on the ISP, both SPEWS and Spamhaus placed the company’s entire IP address range in their respective blacklists.

Suddenly, many Costa Ricans found themselves cut off from the rest of the world, unable to email friends, family and business contacts overseas.

The resulting furore reached the highest levels of Costa Rican government, which quickly persuaded RACSA to deal with the problem by terminating the accounts of its spamming customers and to draw up and implement an effective acceptable usage policy (AUP).

Open relays

Although South Korea has a deserved reputation for technical proficiency, when the government decided to Internet-enable every school in the country, it made one fatal mistake that overnight turned the country into one of the world’s biggest ‘spamhausen’.

Predictably, the government selected mail servers architected by a local company, but the mail servers used an old version of Sendmail, the open source email application, that was configured to enable open relaying by default.

What this meant was that anyone on the Internet could use them to anonymously pass on their email. Once word got out, spammers from all over the world were logging on to the email servers belonging to South Korean schools and using them to anonymously send out all manner of spam.

Slowly, too slowly for many, the South Korean government got to grips with the problem and during 2001 and 2002 the email servers were secured. But not before South Korea’s overseas reputation had taken a dent among tech-savvy computer users.