SPAM: Out of control...and in your mailbox?

by John Boline
Service Manager,
MCSE, CNE, USE
A couple of years ago I wrote that Spam has become as common
in email as junk mail used to be in your snail mailbox
(remember junk mail?). The costs of printing have driven
many mass marketers to using email. It is simple, fast,
lower-cost and can be sent, albeit illegally, completely
anonymously. The techniques for purging our inboxes of this
scourge have now become multi-layered. Software that runs on
the desktop filters email, software that runs on the email
server filters email, and software ahead of the server, in
the form of a server, an appliance or a service, filters
through the mess as well. Something has to be done, but as
seems to be the case when legislative action or the courts
get involved, problems that no one could foresee come to
fruition.
Anti-SPAM solutions
Just as there are different solutions for email, so are
there different solutions for SPAM blocking, but all of them
have something in common: white lists and blacklists. A
white list is a list of trusted senders or domains that you,
as an individual or company, have decided you want to trust
and want their email delivered unfettered. Then there are
blacklists. A blacklist is something you can generate
locally, based on previously received spam. You can add
senders, domains, even blocks of IP addresses to a blacklist
and use that list to decide whether incoming email will be
allowed through to the end user. All software /
hardware / subscription services use this kind of technology
at some level. Major players like Spamhaus provide these
lists to subscribers so they can block spam. They do not
block email from being sent, but subscribers who choose to
use their lists can filter out some of the spam.
False positives still a concern
An example of a false positive is a newsletter you subscribe
to. It may have content that you want or desire.
Unfortunately, many unscrupulous spammers will include
“Newsletter” in their subject line or content to get around
filters. This then results in your getting an email for a
pill or a cream that increases the size of a select body
part or cheap meds from outside of the country instead of
the technical information, recipes or whatever you wanted to
arrive. Just as arriving spam costs money and time, so too
do false positives: email you wanted that never arrives.
However, solutions that let you see blocked emails, allow
them through and add the sender(s) to a white list reduce
false positives.
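The white list / blacklist check and the review-and-release
step described above, as an added example (not part of the
original article or of any vendor's product). The class name,
addresses and networks are constructed for illustration.

```python
import ipaddress
from email.utils import parseaddr

class ListFilter:
    """White list / blacklist filter that quarantines instead of deleting."""
    def __init__(self, white=(), black_senders=(), black_domains=(), black_nets=()):
        self.white = {w.lower() for w in white}   # trusted senders or domains
        self.black_senders = {s.lower() for s in black_senders}
        self.black_domains = {d.lower() for d in black_domains}
        self.black_nets = [ipaddress.ip_network(n) for n in black_nets]
        self.quarantine = {}                      # msg id -> (sender, reason)

    def check(self, msg_id, from_header, source_ip):
        # From is taken at face value here; it can be forged.
        sender = parseaddr(from_header)[1].lower()
        domain = sender.rpartition("@")[2]
        ip = ipaddress.ip_address(source_ip)
        # The white list wins: trusted mail is delivered without further checks.
        if sender in self.white or domain in self.white:
            return "deliver"
        if sender in self.black_senders:
            reason = "sender"
        elif any(domain == d or domain.endswith("." + d) for d in self.black_domains):
            reason = "domain"
        elif any(ip in net for net in self.black_nets):
            reason = "ip-block"
        else:
            return "deliver"
        # Hold the message so a false positive can still be recovered.
        self.quarantine[msg_id] = (sender, reason)
        return "quarantine"

    def release(self, msg_id):
        """Let a reviewed false positive through and white-list its sender."""
        sender, _reason = self.quarantine.pop(msg_id)
        self.white.add(sender)
        return sender

def demo():
    # Constructed sample data: documentation domains and address ranges only.
    f = ListFilter(white=["partner.example"], black_senders=["deals@bulk.example"],
                   black_domains=["pills.example"], black_nets=["203.0.113.0/24"])
    first = f.check("m1", "News <news@lists.example>", "203.0.113.7")
    released = f.release("m1")            # user reviews quarantine, wants it
    second = f.check("m2", "News <news@lists.example>", "203.0.113.9")
    spam = f.check("m3", "Rx <promo@mail.pills.example>", "198.51.100.4")
    return first, released, second, spam, f.quarantine

if __name__ == "__main__":
    print(demo())
```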
What about CAN-SPAM?
The CAN-SPAM Act of 2003 (Controlling the Assault of
Non-Solicited Pornography and Marketing Act) establishes
requirements for those who send commercial email, spells out
penalties for spammers and companies whose products are
advertised in spam if they violate the law, and gives
consumers the right to ask emailers to stop spamming them.
CAN-SPAM requires the following:
- It bans false or misleading header information. Your
  email's "From," "To," and routing information – including
  the originating domain name and email address – must be
  accurate and identify the person who initiated the email.
- It prohibits deceptive subject lines. The subject line
  cannot mislead the recipient about the contents or subject
  matter of the message.
- It requires that your email give recipients an opt-out
  method. You must provide a return email address or another
  Internet-based response mechanism that allows a recipient
  to ask you not to send future email messages to that email
  address, and you must honor the requests.
- It requires that commercial email be identified as an
  advertisement and include the sender's valid physical
  postal address. Your message must contain clear and
  conspicuous notice that the message is an advertisement or
  solicitation and that the recipient can opt out of
  receiving more commercial email from you. It also must
  include your valid physical postal address.
So, that is straightforward. So why do we get more spam now
than we did before? Simple. The spammers have moved
offshore. If they are not under the jurisdiction of the laws
of the United States, CAN-SPAM can do little to control the
tide of spam. It just makes it more difficult for legitimate
companies based in the United States to do legitimate
business.
What about the courts?
Recently, an Illinois judge ruled that UK-based blacklist
site Spamhaus must pay $11,715,000 to an alleged spammer.
The ruling comes after an Illinois-based firm sued The
Spamhaus Project in the Northern District of Illinois,
alleging that it had suffered massive harm to its business
as a direct result of Spamhaus' decision to list them on a
ROKSO (Register of Known Spam Operations) anti-spam
blacklist. No one wants to see legitimate email stopped, but
I find it interesting that the same thing that protects
spammers, being outside the jurisdiction of the laws of the
United States, may ultimately be the defense for Spamhaus
and their access. According to Spamhaus, ‘default judgments
obtained in US county, state or federal courts have no
validity in the UK and can not be enforced under the British
legal system... As spamming is illegal in the UK, an
Illinois court ordering a British organization to stop
blocking incoming Illinois spam in Britain goes contrary to
UK law which orders all spammers to cease sending spam in
the first place.’ And so it goes…
Find out more
For more information on spam, you can visit
http://www.ftc.gov/spam/ and http://www.spamhaus.org/, and
for information on CAN-SPAM, you can get all the details at
http://www.ftc.gov/bcp/conline/pubs/buspubs/canspam.htm.
Just remember that better than 90 percent of email received
by domestic email users is now SPAM.
John Boline is an MCSE, CNE, USE and a member of the Network
Professional Association.
Entire contents © 2006 Hagerman & Company, Inc. All rights reserved.