Spam with everything



Often, it is only when the CEO starts receiving emails for ‘herbal viagra', ‘animals in action' and ‘the best legal money making scheme ever' that a company starts to act.

Such spam – unsolicited mass emailings – not only makes a mockery of corporate Internet usage policies, particularly when HTML pages of pornography automatically open in a user's in-box, but is increasingly overwhelming the email servers of Internet service providers (ISPs) and companies alike.

The figures illustrate the fast-growing nature of the problem. According to MessageLabs, the email monitoring unit of Star Technology Group, 15% of all the email it filters is spam and the problem is getting worse.

Data from MessageLabs' competitor Brightmail suggests that the amount of spam doubled in the last six months of 2001 alone and, if the UK and Europe follow US trends, that volume will double again during 2002.


Spam, the law and the EU

If an employee were to complain about receiving pornographic spam at work, would their employer be legally liable for the offence this might cause? That is a question that has yet to vex a tribunal or High Court judge, but it may only be a matter of time.

"We have seen a number of legal cases where people have been offended by inappropriate content which they may have inadvertently viewed on colleagues' screens," says Martino Corbelli, marketing manager at content filtering software vendor SurfControl. However, proving that an employer had failed to provide a ‘safe working environment', free from discrimination or harassment, simply as a result of receiving offensive spam would be difficult to establish. Unless, perhaps, the spam is sent round for the widespread amusement of colleagues.

Likewise, the legality of spam itself is a grey area. In the UK, it is partly governed by the Data Protection Act. "If someone collects information and then uses it for a purpose for which they haven't told someone, that's when it might be a breach of the Data Protection Act," says Rupert Battcock, a lawyer at Nabarro Nathanson.

That lack of clarity has encouraged the European Union to incorporate provisions dealing specifically with the status of unsolicited commercial email (UCE) in its long overdue Electronic Communications Data Protection directive. This was the source of much controversy in the closing months of 2001: First, it seemed that the EU was planning to introduce a blanket ban on all unsolicited commercial email sent within the EU, to the consternation of direct marketers. Then, Members of European Parliament (MEPs) voted against this ban and in favour of a pro-spam amendment put forward by Labour MEP Michael Cashman. His proposal would have given ‘spam gangs' carte blanche to do what they liked, much to the dismay of Internet activists.

In the ensuing furore, the EU's Council of Ministers – an executive grouping of national cabinet ministers – nevertheless plumped for an ‘opt-in' model, whereby people have to choose to receive such emailings.

The proposal will return to the European Parliament later in 2002 for the approval of MEPs. "The debate between the European Parliament and the council ministers has really been whether or not to have opt-in or opt-out," says Simon Stokes, partner and head of ecommerce practice at Tarlo Lyons.



All this costs recipients money: MessageLabs estimates that dealing with spam currently costs organisations £470 per employee per year, just in terms of the time it takes users to deal with it.

The problem with spam is that mass emailing is simply too cheap, even when compared to traditional junk mail. At least with junk mail, the sender has to pay for the design, production and sending of the literature. In comparison, the cost of sending spam is minimal, particularly when the spammers use every dubious method possible to run their mass emailing campaigns. Much of the cost that does accrue, is passed on to Internet service providers (ISPs), recipient companies and, ultimately, to end-users.

One of the loopholes that spammers most commonly exploit is ‘open relays'. This feature is a legacy of the pre-commercial Internet of the 1970s and 1980s. Back then, they were used to relay email messages between otherwise closed email technologies, such as systems based on the Unix-to-Unix copy protocol (UUCP).

Open relay is still an integral element of the simple mail transfer protocol (SMTP) standard and until the mid-1990s, email server packages such as the open source Sendmail application would default to open relay on set-up.

The primary tools in the spammers' armoury are scanners that can search the Internet for email servers with open relay switched on. When they find them, they can use these to launch their spam attacks without fear of being traced.

Another commonly used method is to scan the Internet for widely released ‘Trojan horse' programs, such as BackOrifice, NetBus or SubSeven. These might reside on the PCs of unsophisticated broadband Internet users. Once found, spammers can use these either to take over the PC or to hijack an Internet account for their own ends., the open source development community behind Sendmail, has tried to address the problem. It has re-configured the set-up process so that it does not default to open relay, as well as incorporating a number of anti-spam facilities from version eight, released in 1998.

But there are still many systems administrators running email servers using old versions of Sendmail, as well as servers in far-flung parts of the world that have been poorly set up. The problem here is four-fold. First, although Sendmail is highly rated for its configurability, users need to have a good understanding of Unix in order to be able to edit the relevant files. "It's very easy to set up the server incorrectly simply because the configuration files are quite difficult to read," says Matt Sargeant, anti-spam technologist at MessageLabs.

Second, open source software such as Sendmail is popular across Asia because it is effectively free. Yet because of its relative complexity, Sendmail servers are often set up by inadequately skilled systems administrators, and used as launchpads for spam.


Top five spam by subject

  1. Pornographic
  2. Get rich quick
  3. Become a spammer
  4. Herbal remedies/Viagra
  5. Gambling

Other top spams include : university diplomas, financing, cable and satellite television decoders and various scams to persuade people to disclose personal details which can then be sold on. These include : free web design, for which you have to apply, and The International Executive Guild’s Who’s Who and its many variants, which requires personal information, ostensibly for inclusion into a "prestigious" directory.

Source: Spam Recycling Center



Third, much of the documentation available over the Internet is only in European languages. Help for Chinese or Taiwanese systems administrators who do not understand English is therefore limited.

Finally, because Asia is still little touched by spam, many organisations there simply do not understand the problem – until, that is, their email servers become over-loaded or, worse still, blacklisted.

Blacklisting is the approach that many anti-spam organisations have adopted: Organisations found to be running open relay email servers are first warned and then added to anti-spamming blacklists compiled by organisations such as the Mail Abuse Prevention System's (MAPS) Real-time Blackhole List (RBL).

These are used by companies such as Activis and MessageLabs, as well as many ISPs, as the first layer in their anti-spam defences. For a blacklisted organisation, it means that much of the email they send stands a high chance of being bounced back to the sender.

But some ISPs have a double-edged relationship with spammers. On the one hand, their standard contracts explicitly forbid using their network to send out mass, unsolicited emailings. Yet on the other, some also sign secret deals with spammers charging premium rate fees.

And it is not necessarily small ISPs, desperate for cash, which have been caught double-dealing in this way. A number of big names have been found to have such contracts with spammers, including AT&T, PSInet and Sprintlink.


Cutting down on spam

  1. Never respond to spam
    Most spam includes a link for recipients to remove themselves from the spammer's list. However, this link is commonly used to validate that an address is live and instead of removal, will only prompt the spammer to send more spam to sell the address to every other spammer they know.
  2. Never put an address on a web site
    One of the most common ways that spammers put their lists together is to use "spambots" to harvest email addresses from Internet sites. This software crawls the web in search of the appropriate text strings and anything that conforms is added to its database.
  3. Use a second email address for news groups
    News groups are the prime harvesting ground for spambots. Using a secondary email address – which can be changed frequently – can help deal with the deluge.
  4. Never give an email address without knowing how it will be used
    All legitimate web sites will tell users why they want an email address.
  5. Use a spam filter
    Companies such as GFI Technologies offers a server based spam filter that can block 75% or more of spam. MessageLabs offers a spam filtering service similar to its anti-virus service. And NovaSoft sells a PC-based spam filtering package for home users.
  6. Never buy anything advertised in spam
    Ultimately, spam must work because enough people respond to it to make it worth the spammers' time, money and effort.

Source: Spam Recycling Center



On top of this, blacklists are often unreliable. An alternative is for companies to start filtering their email, using packages such as Clearswift's Mimesweeper or to employ a third-party filtering service, such as Activis or MessageLabs.

In addition to subscribing to the anti-spam blacklists, these companies also deploy a number of other techniques, the most common of which are based on word lists. All the major email filtering software and service vendors – Activis, Brightmail, MessageLabs and SurfControl – use word lists.

"We provide a pre-defined list of words that are commonly found in spam and we scan for strings like ‘No obligation, no charge' and ‘There's no better time to re-finance'," says Richard Willers, product manager at Activis. Spam filtering is an integral part of Activis' anti-virus service.

Both Brightmail and MessageLabs have also subscribed to most of the world's spam mailing lists to keep them up-to-date on the latest spams. Brightmail uses the intelligence it receives to dynamically update its software running on clients' systems, 24 hours a day. Like Activis, its software is based on word lists.

MessageLabs' aim is to correlate the data it derives from this source and load it into Skeptic, its in-house developed anti-virus engine that it plans to deploy in its anti-spam service. By applying the ‘heuristic detection' techniques used in anti-virus software, MessageLabs hopes to be able to boost spam detection rates. In tests, Sargeant claims that this method has achieved accuracy rates in excess of 99%.

By contrast, in tests run by Ziff Davis's eTesting Labs, MAPS RBL apprehended less than 10% of the spam sent its way, while Brightmail, which uses word lists, achieved a rate of 94% with no false positives – that is, legitimate emails wrongly identified as spam.

But there are other, simpler methods that systems administrators can deploy that do not cost a penny and which should help staunch at least some of the flow of spam. First, they can subscribe to the blacklists and configure their email server to reject anything from an address on these blacklists.

Second, an email server can be set up to reject emails in which the data in the message header is inconsistent. For example, if the domain from which the email is ostensibly from and the Internet protocol (IP) address from where it originated do not match up, that is a strong indication that the email is spam.

An alternative approach adopted by some hard line ISPs in the US has been to hunt down the spammers and sue them for damages. Such a method is certainly satisfying when they win, but is too time-consuming and expensive for the average organisation to pursue.


The composition of spam
Source: Spam Recycling Centre

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...

Related Topics