It seems as though every year or so, the subject of spam comes up for my article here in the newsletter, and with good reason. The problem is still there. In fact, in most cases the problem with spam is worse now than it was before, thanks to high-speed internet access for home users and a lack of protection on their systems. Many companies now have products to help you with weeding out the spam from your inbox and ISPs are offering spam controls, and yet the problem continues to grow. The government is involved now and many spammers have been caught and prosecuted, but just as predicted by many in network security, that legislative action and the subsequent legal cases are now causing problems that the legislators did not foresee. Spammers are now moving their operations offshore to locations that are spam-friendly, and have no laws in place to block the escalating proliferation of spam. What can be done? Perhaps it is time to take another look at spam and with that fresh eye, help stem the tide. Let me elaborate.

How much spam is there?
Too much. It has been estimated that the average email account, private and business, would receive fifty or more pieces of spam email every day, were it not for the efforts of ISPs and corporate IT Departments. The problem has gotten so bad and quantifiable that we can now cite specific examples of just how bad it is. In the past year, America Online or AOL reported that their systems were receiving 1.8 million spam email messages a day from just one commercial spam company until they obtained an injunction to stop them. If you multiply those emails by the number of companies that send them, you can see how big a problem this is. Spam costs the receiver more than the sender, too. Again, using figures from AOL based on their subscribers, if it takes the typical AOL user only 10 seconds to identify a message as spam and then to delete that message, that translates to 5,000 user hours per day of connect time per day spent only with spam. Lets add to that Yahoo!, MSN/Hotmail and all of the private companies that have emails. The lost time is staggering. Yet, even if the spammer has a T1 line that costs him $100/day or so, it is still cheaper than any other form of advertising.

Can These People Be Tracked Down?
Tracking down individual spammers can be difficult. Many of them have offshore operations. Even domestic spammers without offshore resources can be difficult to track and stop. Many use the large ISPs and email providers own systems to send spam. How? They simply sign up for a trial dial-up account at an Internet provider for a few days or with an online source like Yahoo!, Hotmail, Mail, GMail, etc., who provide free email accounts. Just a simple search of Google for Free email returned a list included in the picture at right. In a way, the providers actually make it easy for people to sign up for anonymous email accounts that can be used to generate and send spam. But what about the terms of service, which do not allow users to send spam? These people do not care about the terms or service! They set up shop and send tens of thousands of messages. By the time the email provider sees what they are doing, they have moved on to a new account and are starting the process again. Many spammers have done this dozens of times, thus forcing the email provider they are using to spend countless hours searching for them, tracking and cancelling the accounts. But is a dialup account really good enough to send thousands of spam emails? It is estimated that with a phone line, modem and a modest PC, it is possible to easily send approximately 100,000 pieces of spam per day using only a dial-up account.
 

Spam blocking with minimal false positives
The choices for spam blocking are getting weeded out. All methods in some way, shape or form still have something in common: whitelists and blacklists. A whitelist is a list of trusted senders or domains that you, as an individual or company, have decided you want to trust and want their email delivered unfettered. Then there are blacklists. Blacklists are something you can generate locally, based on spam that has been previously received. For an enterprise, an appliance or central server dedicated to the task of cleaning spam is the easiest to maintain. You add your customers to the whitelist and add the offenders sending spam to your blacklist. It is still recognized that the major players like Spamhaus are still the best at providing the commercial lists to subscribers so they can block spam. They do not block email from being sent, but subscribers who choose to use their lists can filter out some of the spam.

Arent there laws?
The CAN-SPAM Act of 2003 (Controlling the Assault of Non-Solicited Pornography and Marketing Act) establishes requirements for those who send commercial email, spells out penalties for spammers and companies whose products are advertised in spam if they violate the law, and gives consumers the right to ask e-mailers to stop spamming them. But does it work? In the time since it was enacted, we have seen several changes. CAN-SPAM forced large spammers outside the U.S. This raised the cost and complexity of doing business for spammers and many simply did not have the means to continue. CAN-SPAM also made it illegal to harvest email lists from the web. For a spammer, building a list through regular means is more expensive than using bots to retrieve the information from the web or phishing schemes. For the most part, though, has CAN-SPAM been effective? Well, it was not the panacea that was promised by the politicians. CAN-SPAM simply will not stop spam any more than speed limits will prevent anyone from ever speeding. The positive effect it has made is that the legislation, coupled with new technologies, will continue to raise the cost of being a spammer, until they find another loophole.

Find Out More
For more information on spam and phishing you can visit the FTC site at http://www.ftc.gov/bcp/edu/multimedia/ecards/phishing/index.html. It shows an e-card with simple instructions on how to avoid being a victim. You can also visit OnGuardOnline.gov. It provides many practical tips from the federal government and the technology industry to help you be on guard against Internet fraud, secure your computer, and protect your personal information. There us also good information about spam at http://www.spamhaus.org/.  For information on CAN-SPAM, you can get all the details for business compliance with CAN-SPAM by visiting http://www.ftc.gov/bcp/conline/pubs/buspubs/canspam.htm.  Just remember that better than 90 percent of email received by domestic email users is now spam.
 

All product names / logos, company names / logos are copyrights of their respective holders. John Boline is an MCSE, CNE, USE and a member of the Network Professional Association. The content herein is often based on late-breaking events. Much of the material is based on information from sources that are believed to be reliable. Hagerman & Company, Inc. disclaims all warranties as to the ultimate accuracy or completeness of the information. Hagerman & Company, Inc. and its employees shall have no liability for errors, omissions or inadequacies in the information contained within this article or for any interpretations thereof. The recommendations, positions and best practice policies outlined herein represent Hagerman & Company, Inc. initial analysis and therefore are subject to change as further information which may have bearing on these positions is made available. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice. Entire contents 2007 Hagerman & Company, Inc. All rights reserved. Reproduction of this publication in any form without prior written permission is forbidden.