Cooking spam

At least you have some protection against viruses. But unsolicited email - spam - keeps on coming. And it's set to exponentially increase, as Asian junk-marketeers get into the game. How can you fight back?


Viruses are almost certainly the biggest curse brought to computer systems through email, and it’s a relief to see ISPs such as Xtra and Ihug doing something to assist the customers who have not taken sufficient precautions themselves.

Against the other leading curse, spam, effective remedies seem much further away. For most users, spam is simply an annoyance, and dealing with it every morning can be a distraction and a waste of an employee’s time. Large volumes of spam, moreover, have the potential to clog email channels and prevent legitimate messages getting through.

US consultant the Radicati Group estimates that spam comprises nearly one in three corporate messages exchanged in the US this year. The junk mail is expected to climb to 39% by 2006.

Xtra’s Matt Bostwick claims New Zealand’s largest ISP does its best to stem the tide at its end.

“When we spot a spam attempt in progress we will put the domain responsible — and if possible the machine’s IP — in a block list, which means we will no longer accept mail from them. We’ll also try to contact the appropriate people at their hosting site to let them know that what their customers are doing isn’t on,” he says.

Some Xtra users, writing in online newsgroups, don’t think Xtra does enough. They complain of not getting replies to its spam-reporting address, abuse@xtra.co.nz, and some claim the address has bounced their mails.

Much of the intercepted spam destined for Xtra customers comes from the US, Bostwick says. “But in the last six months or so there has been an increase in spam from Asian countries including China, Taiwan and Korea.”

A balancing act

Telecom-owned esolutions includes a certain amount of spam protection in its Safecom secure communications service. The primary purpose of the email monitoring component of Safecom is to eliminate viruses, but a proportion of spam is eliminated as well, says esolutions spokesman John Schaumkel, declining to be tied down to a percentage success estimate. This is done by scanning all addresses in the message’s full header against a database of known spam origination points, and scanning heading and content for typical spam words and phrases. “Filtering can also be applied on a weighting principle which looks for the frequency of key words in an email — like the word ‘free’. If this occurs multiple times, the filter considers the email to be of a spamming nature,” Schaumkel says.

The spam site list is obtained from content scanning specialists MailMarshal, and is also, naturally, used within esolutions.

SafeCom does not immediately delete spam because of a risk of false identification; instead it stores the suspect messages in a “quarantine” mailbox. “Genuine emails are bound to be rejected on occasion,” Schaumkel says; no filtering technique is perfect.
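The header-and-content scoring the article attributes to Safecom can be illustrated with a small filter. The following is an added example, not code from the article or from esolutions: it checks every host and IP found in the Received headers against a list of known spam origins, weights repeated trigger words such as "free", and sends suspect messages to a quarantine decision rather than deleting them. The origin list, the weights, the threshold and the two sample messages are all constructed for the example.

```python
"""Added example (not from the article or from esolutions/Safecom): a minimal
scoring filter of the kind the article describes.  Origins, weights and the
sample messages below are constructed values."""
import re
from email import message_from_string
from email.message import Message

# Constructed list of "known spam origination points" (hypothetical values).
KNOWN_SPAM_ORIGINS = {"192.0.2.77", "spam-relay.example.net"}

# Trigger words and weights; multiplying by the count models the
# "frequency of key words" principle quoted in the article.
TRIGGER_WORDS = {"free": 1.0, "guaranteed": 1.5, "unsubscribe": 0.5, "click here": 1.0}
ORIGIN_HIT = 5.0            # a listed origin is strong evidence on its own
QUARANTINE_THRESHOLD = 4.0  # a single "free" (1.0) is nowhere near enough


def origins_in_headers(msg: Message) -> set:
    """Collect every IPv4 address and 'from <host>' name in the Received headers."""
    found = set()
    for value in msg.get_all("Received", []):
        found.update(re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", value))
        found.update(h.lower() for h in re.findall(r"\bfrom\s+([\w.-]+)", value, re.I))
    return found


def score_message(raw: str) -> tuple:
    """Return (score, reasons) for a raw RFC 822 message string."""
    msg = message_from_string(raw)
    score, reasons = 0.0, []
    hits = origins_in_headers(msg) & KNOWN_SPAM_ORIGINS
    if hits:
        score += ORIGIN_HIT
        reasons.append("origin:" + ",".join(sorted(hits)))
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    for word, weight in TRIGGER_WORDS.items():
        n = text.count(word)
        if n:
            score += weight * n
            reasons.append(f"{word}x{n}")
    return score, reasons


def classify(raw: str) -> str:
    """Never delete outright: suspect mail goes to a quarantine mailbox."""
    score, _ = score_message(raw)
    return "quarantine" if score >= QUARANTINE_THRESHOLD else "deliver"


# Constructed sample messages.
SPAM = """Received: from spam-relay.example.net (spam-relay.example.net [192.0.2.77]) by mx.example.org
Subject: FREE offer, guaranteed results
From: promo@example.net
To: s.bell@example.org

Free trial! Free shipping! Free gift! Click here now.
"""

HAM = """Received: from mail.example.com (mail.example.com [198.51.100.10]) by mx.example.org
Subject: Minutes from Tuesday
From: alice@example.com
To: s.bell@example.org

Attached are the minutes. Feel free to send corrections.
"""

if __name__ == "__main__":
    for raw in (SPAM, HAM):
        print(classify(raw), score_message(raw))
```

The legitimate message scores 1.0 for its single "free" and is delivered; the spam scores 11.5 and is quarantined, where a human can still recover it if the classification was wrong.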

The danger of such false positives could be a legal risk for an ISP or telco that attempts to filter spam, says Michael Newbury, IP architect at TelstraClear. If the customer makes a “reasonable assumption” that the spam filter is doing its job, then the service provider could be legally liable for a crucial email erroneously discarded.

(The same is true for any non-regular email: as a letter to Computerworld recently noted, while mail virus scanning “is the commonly accepted wisdom in the PC community, outside that community this is called censorship. Whether some data constitutes a computer virus threat to your system depends mainly on your hardware architecture and OS version ... the most popular Wintel systems have hopelessly inadequate protection mechanisms.”)

One not very satisfactory email filtering solution is to mark the suspect mail as such and then allow the user company to handle marked mail, automatically or manually, in accordance with its own policies.

Some standard spam headers are a giveaway, Schaumkel says, but spammers “get clever” and slightly reword a heading when it appears the message is not getting through.

Like Xtra’s Bostwick, Newbury points out that an increasing amount of spam is coming through in non-Roman characters, and this makes it more difficult to distinguish a spam heading from a heading on a desired email.

Obvious bulk addressing, with several alphabetically closely spaced names in the cc: slot (s.beatty, s.bell, s.bellamy, s.bellingham) can be a sign of spam, says Newbury, but equally it might just be a message to a legitimate email list. Block it and, with the naturally variable volume of such a list, subscribers may easily not be aware for a few weeks that legitimate messages are not getting through. Even someone who receives a regular monthly bulletin might not miss one issue immediately. So a filtering program has to be applied very cautiously.
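Newbury's bulk-addressing sign can be coded as a heuristic, provided it stays a hint rather than a block. The following is an added example, not from the article: it sorts the local-parts in the Cc: field and measures the longest run of alphabetically adjacent names, then shows why the same pattern matches a legitimate departmental list. The addresses and the prefix and run thresholds are constructed.

```python
"""Added example (not from the article): the 'alphabetically close Cc: names'
heuristic, returned as a hint only.  All addresses below are constructed."""
from email.utils import getaddresses


def local_parts(cc_header: str) -> list:
    """Sorted, lower-cased local-parts of every address in a Cc: header."""
    return sorted(addr.split("@")[0].lower()
                  for _, addr in getaddresses([cc_header]) if "@" in addr)


def common_prefix_len(a: str, b: str) -> int:
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def longest_alphabetic_run(names: list, min_prefix: int = 3) -> int:
    """Longest run of sorted neighbours sharing at least min_prefix characters."""
    best = run = 1 if names else 0
    for prev, cur in zip(names, names[1:]):
        run = run + 1 if common_prefix_len(prev, cur) >= min_prefix else 1
        best = max(best, run)
    return best


def bulk_addressing_hint(cc_header: str, min_run: int = 4) -> bool:
    """True when the Cc: list looks like a slice of an alphabetical address book."""
    return longest_alphabetic_run(local_parts(cc_header)) >= min_run


def verdict(cc_header: str, sender_is_known_list: bool) -> str:
    """Tag, never drop: a known list sender overrides the hint entirely."""
    if sender_is_known_list or not bulk_addressing_hint(cc_header):
        return "deliver"
    return "tag-suspect"


# The article's own example of suspicious Cc: spacing (constructed domain).
ARTICLE_CC = ("s.beatty@example.org, s.bell@example.org, "
              "s.bellamy@example.org, s.bellingham@example.org")
# A legitimate departmental list whose members happen to share an initial.
LIST_CC = ("a.adams@example.org, a.allen@example.org, "
           "a.anderson@example.org, a.andrews@example.org")
TWO_PEOPLE = "bob@example.org, carol@example.org"

if __name__ == "__main__":
    for cc in (ARTICLE_CC, LIST_CC, TWO_PEOPLE):
        print(longest_alphabetic_run(local_parts(cc)), bulk_addressing_hint(cc))
```

Both the article's example and the harmless list trigger the hint, which is exactly the false-positive risk Newbury describes; the `verdict` function therefore only tags, and lets a known list sender suppress the hint.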

Filters can be put on the user’s machine and tailored to that user’s perception of what spam is, Newbury notes. “If we [ISPs] create a filter, we’d have to meet everyone’s need, and a lot of effort would have to be put in.”

Unfortunately, the internet world not having foreseen spam, “we’re stuck with a very open protocol in SMTP”, which lacks adequate facilities for blocking messages on certain conditions, Newbury says. A conjectural “son of SMTP” could have authentication procedures and permit the user to maintain a blacklist of addresses from which mail will not be accepted, or even a “whitelist”, containing only those addresses from which a user will accept mail.

No perfect answer

Commercial products, such as SpamCop and Spam Assassin, retain a list of known spam addresses and are used in conjunction with the existing email server. But, like parental-control programs, they usually rely on lists of addresses which must be updated. Naturally, no guarantee is offered: “This blocking list is somewhat experimental and should not be used in a production environment where legitimate email must be delivered”, says a note on the SpamCop product.

Some of the large international mail processors take their own measures, says network specialist and IDG columnist Juha Saarinen. “Hotmail rate-limits SMTP connections, and lots of ISPs use their own or someone else’s DNS black list — partly out of self-defence, because spammers have no concern about niceties such as not bombarding email servers with a million messages in a few seconds, and forged return addresses for bounces.

Some of the people who disseminate or approve spam ISP blacklists, like formerly New Zealand-based trenchant spam opponent Alan Brown “reckon Xtra doesn’t care”, says Saarinen, “but I take what they say with a large pinch of salt. If bandwidth is expensive, as it is in New Zealand, spam is a major headache for ISPs”. The attitude appears to be based on more than just added workload. “My impression of New Zealand ISPs,” he says, “is that the vast majority are totally anti-spam.”

Filters can be used in the email client, but the best that can be said of these is that they partially conceal the problem and lower the annoyance level.

Alan Brown has no real time for such client-end filters. “All the end-user filters are whitewashing tools. You’ve already paid to download the messages, the ISP has already paid the bandwidth and disk space cost of receiving and storing them. All they do is hide the extent of the problem from the end user. Server-level filters which work by checking message bodies have the same problem.”

US-based providers such as Brightmail, Big Fish, MessageLabs and Postini offer services to filter spam. Brightmail pays full-time staff to inspect spam and write updated filters for the more than three million spams that were collected and processed through its Probe Network during February this year. According to Brightmail, the Probe Network is a collection of email accounts with a statistical reach of 100 million mailboxes.

For the domains Saarinen runs he uses Exim as a mail transfer agent. “It can be configured to drop obvious spam and it’s easy to block certain senders and/or their IP blocks.”

Like Alan Brown, Saarinen says open proxy servers are a major problem. “If you use something like Elcomsoft’s mailblaster — Dmitry Sklyarov’s employer — which is [equipped to exploit vulnerabilities in the SOCKS protocol], it’s easy to pump [a very large number] of messages to the internet anonymously.

“Apart from open proxies and relays, one big problem is that cash-strapped ISPs in the US, China, Brazil and Russia are now offering ‘bullet-proof’ hosting to spammers. They move the spammers around in different IP blocks once the complaints get too frequent.”

Taking that further, spammers are buying IP blocks and setting up abuse@ addresses, pretending to be legitimate ISPs, he says.

“Some people swear by Spam Assassin, but I think that only works if you have free bandwidth, because you would have to receive the mail first and then filter on the headers/content. I’m thinking about setting up Spam Assassin on a US server which sits on the internet backbone and have it tag email aimed at my domains. Then I’d filter on the tags, and drop messages early on, without downloading them entirely,” Saarinen says.
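The scheme Saarinen sketches, tagging at a well-connected server and then dropping on the tags before the full download, rests on reading only the headers of each message. The following is an added example, not Saarinen's code and not part of Spam Assassin: it parses the `X-Spam-Flag` and `X-Spam-Status` headers that Spam Assassin adds, drops a message only when its score clears the required threshold by a safety margin, and walks a POP3 mailbox with the `TOP n 0` command so that only headers cross the link. The margin, the sample header blocks and the POP3 server in `filter_mailbox` are assumptions of the example.

```python
"""Added example (not from the article or Spam Assassin): decide from tagging
headers alone, fetched with POP3 TOP, whether to drop a message unseen.
Sample header blocks are constructed."""
import re
from email.parser import HeaderParser

SCORE_RE = re.compile(r"score=(-?[\d.]+)\s+required=(-?[\d.]+)")


def decide_from_headers(header_text: str, margin: float = 2.0) -> str:
    """Return 'drop' or 'fetch'.  Anything not clearly over the line is fetched,
    so a borderline score never costs a legitimate message."""
    hdr = HeaderParser().parsestr(header_text, headersonly=True)
    m = SCORE_RE.search(hdr.get("X-Spam-Status", ""))
    if hdr.get("X-Spam-Flag", "").strip().upper() != "YES" or not m:
        return "fetch"
    score, required = float(m.group(1)), float(m.group(2))
    return "drop" if score >= required + margin else "fetch"


def filter_mailbox(pop) -> list:
    """Walk a poplib.POP3 mailbox: TOP n 0 retrieves headers only, DELE drops
    clearly tagged messages before their bodies are ever downloaded."""
    dropped = []
    _, listing, _ = pop.list()
    for entry in listing:
        num = int(entry.split()[0])
        _, lines, _ = pop.top(num, 0)
        headers = b"\n".join(lines).decode("utf-8", "replace")
        if decide_from_headers(headers) == "drop":
            pop.dele(num)
            dropped.append(num)
    return dropped


# Constructed header blocks as Spam Assassin would leave them.
TAGGED = ("Subject: FREE offer\n"
          "X-Spam-Flag: YES\n"
          "X-Spam-Status: Yes, score=9.1 required=5.0 tests=HTML_MESSAGE\n\n")
BORDERLINE = ("Subject: Newsletter\n"
              "X-Spam-Flag: YES\n"
              "X-Spam-Status: Yes, score=5.5 required=5.0 tests=HTML_MESSAGE\n\n")
UNTAGGED = "Subject: Minutes from Tuesday\nFrom: alice@example.com\n\n"

if __name__ == "__main__":
    for block in (TAGGED, BORDERLINE, UNTAGGED):
        print(decide_from_headers(block))
```

The borderline message is fetched despite its flag, which is the cautious behaviour the article argues for; `filter_mailbox` expects an already logged-in `poplib.POP3` object and is not exercised here.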
