Solving the Spam Problem

Introduction

Anyone with an e-mail address knows the annoyance of hundreds of spam messages filling his or her inbox. Dictionary.com defines spam as "Unsolicited e-mail, often of a commercial nature, sent indiscriminately to multiple mailing lists, individuals, or newsgroups; junk e-mail." Simply put, spam is any unwanted or unsolicited e-mail. An article titled "Sick Of Spam" in Network Computing magazine shows that almost forty-three billion spam messages are sent every day (Anderson 48). Furthermore, the article lists the cost per employee due to lost productivity caused by spam as $1400 per year. In a recent Ziff-Davis poll of seminar attendees, the major concern, above hostile e-mail threats, was “Waste of end-user time” (Coffee 78). Spam exposes users to more than offers for cheap Viagra and free software; it opens a door to viruses, identity theft, and wasted productivity. Through user education, judicious use of technology, and legal efforts, the spam problem can be solved.

User Education

The first step to solving the spam problem requires user education. Users need to be educated on what the dangers of spam look like and how to avoid them. Viruses, phishing attempts, and web bugs cover the primary threats packaged as spam.

Viruses

Viruses come in several forms: Trojan horses, worms, and malicious programs.

Trojan horses are programs that perform a useful action but include additional, undesired backdoor functionality. For example, the cool bowling game a friend attaches to an e-mail could contain a program used to send spam or to distribute illegal software or pornography from the computer it is executed on. The best defense against Trojan horses is not to open attachments without scanning them first, even if the e-mail is apparently from someone known, because it may look like it is from a friend while the sender information is faked.

Worms are programs, attached to an e-mail message, that when opened automatically infect other computers. Worms compile a list of e-mail addresses from address books and previously visited websites found on the computer. The worm sends itself, and sometimes confidential information, to all of these e-mail addresses using its own built-in e-mail server. The “SirCam” virus was a worm that sent random Word documents. Just imagine visiting a competitor’s website and then being infected with this worm. The competitor could end up with confidential business plans because their e-mail address was on the website visited and the worm found it when it started sending out random Word documents containing who knows what. I received confidential business plans, meeting notes, chapters of someone’s book, and all kinds of other documents in 2001 when this worm broke out. The SirCam worm exploited a vulnerability in Microsoft’s e-mail clients Outlook and Outlook Express. Avoiding programs like Outlook and Outlook Express for e-mail can protect against the majority of worms. There are many other e-mail programs available for both corporate and home users. Examples of alternative e-mail programs are Lotus Notes, GroupWise, Eudora, Netscape Mail, and Thunderbird, just to name a few of the options. If avoiding Outlook is not an option, then it is imperative to apply patches regularly and install an anti-virus program that scans e-mail before these Microsoft e-mail clients can open it. The reason is that many of the vulnerabilities being discovered in Microsoft’s products are used to propagate viruses almost the same day they are discovered.

Malicious programs are designed to damage a computer or attack another computer. One such program is the “Stoned” virus, which randomly overwrites or corrupts data on the computer’s hard drive. Distributed Denial-of-Service (DDoS) attacks are caused by programs that have been unknowingly installed, then activated and controlled by the attacker. The best defense is anti-virus software.

Phishing

The next major threat to users of e-mail is phishing, pronounced “fishing,” which is a method of tricking people into willingly revealing private information. The way it works: first, the phishers set up an imposter website that looks identical to the original corporate website of a well-known and reputable company. Second, they craft an e-mail that appears identical to others the same corporation would send and ask users to log in to their account by clicking a link in the e-mail. When the user clicks the link, it brings him or her to the fake website, where he or she gives the phishers his or her login information. Bank of America, according to Bank Technology News, is just one of several major corporations having to deal with the phishing threat. I recently received an e-mail that appeared to be from Wells-Fargo requesting I log into my account. The site it sent me to looked authentic with the exception that the address was all numbers, not www.wellsfargo.com. I reported the incident I experienced to Wells Fargo. The information gathered through this process is often used for identity theft and fraud. The people stealing the information sell it to third parties or post it to websites to show what they were able to do. Reporting “phishy” e-mails is one of two ways to combat this threat; the other is not to click on links provided in e-mail.

Web Bugs

The last threat, web bugs, is a surveillance device. Spammers put unique images in the e-mails they send. When the e-mail is opened, the image is requested from the spammer’s server, and an entry is made there showing that the e-mail address is valid and that someone opened the e-mail. The spammer now has a valuable list of active e-mail addresses of people who actually open spam and look at it. The list can then be sold to spammers all over the world. The best way to protect against web bugs is to set the e-mail program so it will not load images in e-mail, or to disconnect from the internet before viewing e-mails.

User education is important in preventing spam. Making user education a priority helps users shift from thinking “Spam threats are someone else’s problem to deal with” to “It is my responsibility to know how to handle spam threats.” Having such education in place creates a culture of security. If users know what looks suspicious and they have a process to report what they see, then they are less likely to become victims of these threats. Advances in technology are providing ways to deal with spam before a user ever has to encounter these threats.
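The two warning signs described above, a link whose real address is "all numbers" and an image fetched from the sender's server, can be checked mechanically. The following is an added example, not part of the original article; the class and function names are hypothetical and the sample message is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress

class MailAudit(HTMLParser):
    """Collect link and remote-image findings from an HTML e-mail body."""
    def __init__(self):
        super().__init__()
        self.findings = []                    # (kind, detail) tuples
        self._href, self._text = None, []     # state for the <a> currently open

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img" and urlsplit(a.get("src") or "").scheme in ("http", "https"):
            # Loading a remote image tells the sender's server the mail was opened.
            self.findings.append(("remote-image", a["src"]))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        host = urlsplit(self._href).hostname or ""
        shown = "".join(self._text).strip().lower()
        try:
            ipaddress.ip_address(host)        # raises ValueError for a host name
            self.findings.append(("ip-literal-link", self._href))
        except ValueError:
            pass
        # Visible text that looks like a host name but differs from the real target.
        if "." in shown and " " not in shown:
            shown_host = urlsplit(shown if "//" in shown else "//" + shown).hostname
            if shown_host and shown_host != host:
                self.findings.append(("text-href-mismatch", f"{shown} -> {host}"))
        self._href = None

def audit(html):
    parser = MailAudit()
    parser.feed(html)
    return parser.findings

# Constructed sample body; 192.0.2.10 and example.net are documentation-reserved.
SAMPLE = ('<p>Please <a href="http://192.0.2.10/login">www.wellsfargo.com</a> now.</p>'
          '<img src="http://tracker.example.net/o.gif?id=a1b2c3" width="1" height="1">'
          '<a href="https://www.example.net/news">our newsletter</a>')
```

Calling `audit(SAMPLE)` reports the numeric link, the mismatch between the displayed and actual host, and the remote image, while the ordinary newsletter link produces no finding.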

Judicious Use of Technology

Technology has created several options to reduce or eliminate spam in almost all of its forms. I have been working with computers since 1984 and one principle I have learned is if a task is too complex or technical, people are not likely to use it. This principle applies especially when dealing with spam. Challenge-Response, whitelists, and filtering software solutions keep most spam out of inboxes but are not always easy to use.

Challenge-Response Method

The Challenge-Response method blocks spam by blocking all e-mail. The way it works is that when an e-mail arrives, the sender is sent a “Challenge” e-mail. The e-mail the sender receives contains a link to verify they want the message delivered. If they click the link (the “Response”), then the recipient receives an e-mail stating the sender’s e-mail address and the subject of the e-mail they sent, along with a link to click to allow the message to be delivered. With billions of spam e-mails being sent every day, this is not practical. Ken Anderberg, editor for CommunicationsNews, describes challenge-and-respond systems as “Not very user friendly.” Some vendors, like Spamarrest, have combined whitelist technology with the challenge-response model to simplify the process.

Whitelist Method

Whitelists block all e-mails that are not on the list of allowed senders. The way it works: users create a list of people they want to receive mail from. If someone who is not on the list sends them an e-mail, the e-mail is deleted and the recipient never knows someone tried to send them a message. This requires end-users to create a list of allowed e-mail addresses that can become extremely long and takes more time to manage. One of the top spam effects concerning corporate executives is wasting end-user time, and whitelisting will not help to minimize that concern. Consider this scenario: a corporate salesperson goes to a major industry convention. During the course of this three- or four-day event the salesperson hands out over 500 business cards, all of which have his or her e-mail address on them. If this salesperson is using a challenge-response and whitelist spam solution, and half of those people send an e-mail, the salesperson will be extremely busy updating lists and clicking links. Think also of the possibility of lost business because people did not care to respond to the challenge in order to make sure their e-mail was delivered. These solutions are effective but fail to pass the complexity test and involve too much end-user activity.

Filtering Software Method

Filtering software intelligently blocks spam without the end-users doing a thing. The way it works is through a mathematical formula. Using this formula, the filter learns how likely certain words are to appear together in the same message and uses that ratio to decide whether the message is spam or not. The filtering software can also be combined with anti-virus software to block viruses and Trojan horse attacks. One such filtering program, SpamAssassin, can be downloaded for free at www.spamassassin.org. This program uses statistics to determine what spam (bad mail) and ham (good mail) look like, which makes SpamAssassin one of the best spam filters available. With a properly trained filter, SpamAssassin is 99.5% accurate, as documented in the SpamAssassin guidebook (Schwartz 32). Once trained, SpamAssassin will continue to learn what the latest spam tricks are and keep spam out of inboxes without end-user intervention. In a recent newspaper article Sixto Ortiz Jr., a writer for Processor, a datacenter journal, describes how some spam filtering companies are using “dummy e-mail addresses to attract spam attacks and ‘harvest’ possible spam messages” (Ortiz 11). Since the best way to implement spam filters is on the e-mail server, control is taken away from the end-user, and this opens the door to the legal issues surrounding spam.
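To make the "mathematical formula" concrete, here is an added example (not from the original article and not SpamAssassin's own code) of a plain naive Bayes filter: it learns per-word spam/ham ratios from training mail and combines them into a spam probability. The class name, tokenizer, and training messages are assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z0-9$'!-]+")

def tokens(text):
    # Use each word once per message: presence matters more than repetition.
    return set(TOKEN.findall(text.lower()))

class BayesFilter:
    def __init__(self):
        self.counts = {"spam": Counter(), "ham": Counter()}  # messages containing a token
        self.total = {"spam": 0, "ham": 0}                   # messages seen per class

    def train(self, label, text):
        self.total[label] += 1
        self.counts[label].update(tokens(text))

    def _p(self, tok, label):
        # Laplace smoothing so a token unseen in one class never gives probability 0.
        return (self.counts[label][tok] + 1) / (self.total[label] + 2)

    def spam_probability(self, text):
        # Sum log-likelihood ratios, starting from the prior ratio of the classes.
        llr = math.log((self.total["spam"] + 1) / (self.total["ham"] + 1))
        for tok in tokens(text):
            if tok in self.counts["spam"] or tok in self.counts["ham"]:
                llr += math.log(self._p(tok, "spam") / self._p(tok, "ham"))
        llr = max(-50.0, min(50.0, llr))      # keep exp() well inside float range
        return 1 / (1 + math.exp(-llr))

# Constructed training corpus: four spam and four ham messages.
TRAINING = [
    ("spam", "cheap viagra free offer click now"),
    ("spam", "free software offer click here now"),
    ("spam", "cheap pills free shipping click now"),
    ("spam", "win money now free offer"),
    ("ham", "meeting notes attached for the quarterly report"),
    ("ham", "lunch on friday with the sales team"),
    ("ham", "please review the attached business plan"),
    ("ham", "notes from the sales meeting are attached"),
]

def build():
    f = BayesFilter()
    for label, text in TRAINING:
        f.train(label, text)
    return f
```

A message made only of words the filter has never seen scores exactly 0.5, which is why such filters need ongoing training on both spam and ham.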

Legal Efforts

Legal issues concerning freedom of speech, censorship, and privacy arise when Internet Service Providers (ISPs) delete, block and filter users’ e-mail without their consent. Senders of legitimate e-mail have their freedom of speech violated when they are censored by an ISP’s e-mail filter. AARP, for example, has a “How-To” article explaining how spam filters work and what their members must do in order to continue receiving their monthly newsletter (Berger). If religious and political e-mails are blocked, this constitutes a violation of the First Amendment (Sorkin 334). The title of Steve Outing’s article “I’m Sick and Tired Of Spam (Filters)” succinctly describes how recipients feel when their e-mail never gets delivered. Recipients are victims of privacy violations when ISPs filter mail without consent. It’s like the US Postal Service opening an individual’s mail, reading it and then deciding if they want to deliver it. I would be pretty mad if I stopped getting my pizza coupons. An ISP examining an individual’s e-mail without consent is a violation of privacy. People are concerned with privacy. For example, privacy advocates were upset when the government began using an e-mail surveillance system called “Carnivore” to monitor e-mail at the suspect’s ISP (“FBI Sued”).

The U.S. Postal Service is regulated by federal law, and that regulation, together with the fact that senders must pay to send regular mail, may arguably keep junk mail to a reasonable level. In the world of the internet, however, those same controls do not apply. The internet is worldwide and free, so federal laws cannot be enforced in the same way. Legislation like the CAN-SPAM Act of 2003 gives individuals some leverage to stop spammers, but the work required to enforce this legislation is not practical. According to the CAN-SPAM Act of 2003, companies sending commercial e-mail are required to include opt-out options as well as a physical address in their e-mail communications (CAN-Spam Sect. 5). This serves to punish law-abiding companies because spam filters identify opt-out language as a high possibility of being spam. Spammers are flexible and constantly changing how they get their message out, so legislation alone will not be able to solve the spam problem.

We must look at the problem from several viewpoints to come to a solution. Two commonly held views on spam, as described by Chris Hardie, are “Spam Prevention is the User’s Responsibility” and “Spam Prevention is the Responsibility of the System Administrator,” or the ISP in this case (Hardie). The “Spam Prevention is the User’s Responsibility” view encourages users to determine what messages are spam, removing the responsibility from the system administrator. By supporting user responsibility, the ISPs avoid the liability of deleting important e-mail and violating the user’s rights. The “Spam Prevention is the Responsibility of the System Administrator” view is held by individuals who believe that it is more cost- and time-efficient to filter all spam at the server. When users support ISPs taking responsibility for spam, they are losing control over their e-mail and their rights. Taking the best of both of these views, a reasonable solution can be created for the users and the ISPs. The process could work using the following steps: First, the ISPs identify messages that could possibly be spam and tag them as such. The ISPs could also place these messages in a folder that can be accessed by the user so that they are separated from their normal mail. Second, the user can then either use the tag added by the ISP to filter their mail, or look in the spam folder provided by the ISP when messages are missing. This process would respect both the sender’s and the recipient’s rights and would be simple to use.
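The two-step process proposed above (the ISP tags but never deletes, and the user files mail by the tag) can be sketched as follows. This is an added example, not part of the original article: the header name follows the convention SpamAssassin uses, while the threshold, the stand-in scorer, and the sample messages are assumptions constructed for illustration. It also strips any tag supplied by the sender, so a spammer cannot pre-label a message as clean.

```python
from email import message_from_string

TAG = "X-Spam-Flag"   # header name as used by SpamAssassin; any agreed name works
THRESHOLD = 0.9       # assumed cut-off for the scorer's output

def isp_tag(raw, score):
    """Server side: never delete; drop any sender-supplied tag, then add our own."""
    msg = message_from_string(raw)
    del msg[TAG]      # removes every occurrence and is a no-op if the header is absent
    msg[TAG] = "YES" if score(msg) >= THRESHOLD else "NO"
    return msg

def user_sort(messages):
    """Client side: file by the ISP's tag; nothing is discarded."""
    folders = {"Inbox": [], "Spam": []}
    for msg in messages:
        folder = "Spam" if msg.get(TAG, "NO").upper() == "YES" else "Inbox"
        folders[folder].append(msg["Subject"])
    return folders

def toy_score(msg):
    # Hypothetical scorer standing in for a real statistical filter.
    return 0.99 if "free offer" in msg.get_payload().lower() else 0.05

# Constructed messages; the second arrives with a forged "not spam" tag.
RAW = [
    "From: a@example.com\nSubject: Quarterly report\n\nNotes attached.\n",
    "From: b@example.net\nSubject: Special deal\nX-Spam-Flag: NO\n\nFree offer, click now.\n",
    "From: c@example.org\nSubject: Monthly newsletter\n\nUnsubscribe link below.\n",
]

def demo():
    return user_sort(isp_tag(raw, toy_score) for raw in RAW)
```

Every message ends up in one of the two folders, so a wrongly tagged newsletter can still be recovered by the recipient.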

Conclusion

Solving the spam problem is not a simple task. There are several competing interests involved when it comes to how e-mail should or should not be handled. End-users who understand the threats help eliminate spam by not becoming victims and by not being used to spam others. Technology shows the greatest promise for resolving the spam problem, but it must have some checks and balances. Legislation on spam helps provide boundaries needed for electronic communications so that violators can be prosecuted. Ultimately it will take a combination of all of these areas in order to stop spam from annoying e-mail users.

Works Cited

Anderberg, Ken. "Filter Foibles." CommunicationsNews May 2004: 4.

Anderson, Ron. "Sick of Spam." Network Computing May 2004: 48.

Berger, Sandy. "Understanding Spam Filters." AARP 02 June 2004. 15 Sept. 2004 [http://www.aarp.org/computers-howto/Articles/a2004-06-02-howto-spamfilters.html].

"CAN-SPAM Act of 2003." 01 2003. 14 Oct 2004 [http://www.spamlaws.com/federal/108s877enrolled.pdf].

Coffee, Peter. "Poll: Spam is a top distraction." eWeek 21.40 (2004): 78.

Dictionary.com/spam. Dictionary.com. 12 Oct 2004 [http://dictionary.reference.com/search?q=spam].

"FBI Sued For E-Mail Snooping Details." AP 02 Aug. 2000. 15 Sept. 2004 [http://www.cbsnews.com/stories/2000/08/02/tech/main220972.shtml].

Hardie, Chris. qmail Anti-Spam HOWTO. 26 Mar. 2003. 15 Sept. 2004 [http://www.chrishardie.com/tech/qmail/qmail-antispam.html].

Krebsbach, Karen. "Goin' Phishing: Growing e-mail attacks threaten banks' bottom lines." Bank Technology News April 2004.

Ortiz Jr., Sixto. "What's New In Email Security?" Processor 26.36 (2004): 1, 11.

Outing, Steve. "I'm Sick and Tired Of Spam (Filters)." Editor & Publisher (2002). 19 Sep 2004 [http://www.editorandpublisher.com/eandp/news/article_display.jsp?vnu_content_id=1570036].

Schwartz, Alan. SpamAssassin. 1st ed. Sebastopol: O'Reilly Media, Inc., 2004.

Sorkin, David E. "Technical and Legal Approaches to Unsolicited Electronic Mail." University of San Francisco Law Review 35.325 (2001): 334.


