Damming Spam

Published:
Briefs, Case Studies, Papers, Reports
Author(s) and Contributors:
Author(s): Roger Safian
Source(s) and Collection(s):
Collection(s): Educom Review (Archives)
ParentTopics:
Productivity Applications and Systems

Abstract

Educom Review table of contents

 January/
 February 1999

 

 This article was published in Educom Review, Volume 34 Number 1 1999. The copyright is copyright is shared by the author(s) and EDUCAUSE.

An EDUCAUSE publication

 

Features


Damming Spam

Dam the spam

Six rules for stemming the flow of junk e-mail

by Roger Safian


Another day, another piece of junk mail. Sound familiar?

Most of us are used to this when we open our mailbox at home, but many people are seeing more and more junk mail showing up in their e-mail as well. This junk e-mail is often called spam. The name comes from the famous Monty Python "Spam" skit. So the question to be asked is how are we to deal with this?

First off, let's set some boundaries. We are going to discuss what we, the end user, can do to prevent this junk mail from showing up in our mailboxes. This isn't directed to people running e-mail systems. After all, most of us simply connect to a server, and collect our mail from there. We don't actually run the server; we just make use of it. Nor is this directed toward policy makers. True, the decisions they make might reduce the amount of junk mail we see. However, since most of us are probably not policy makers, we will have to wait and see what they come up with. No, this discussion is going to consider what the average person can do, to reduce the load of junk e-mail we all seem to be receiving.

Let's look at how the junk mail shows up in our mailboxes at home, and see if we can't apply some of the same rules to our e-mail lists. The junk mail we get at home comes from mailing lists; companies pay for the lists, and then pay to send out their mail. The more lists you end up on, the more junk mail you get.

The electronic world works much the same way. There is one notable difference though. The people sending out junk e-mail have very low costs. They don't have to pay postage, printing costs, etc. This is one reason why sending junk e-mail is so popular. The process works much the same way as paper mail. Mailing lists are created, and if your e-mail address ends up on them, you get the "spam, spam, spam."

How are these lists created, and how can we keep our names off them? Most of the junk mail you get does not come from mailing lists that are purchased; rather, the addresses are collected, or "harvested," from the Net. Think of the places your e-mail address might appear: Web pages, e-mail directories, Usenet postings, listservs and probably others as well. How do these addresses get harvested? Simple, everyone knows what an e-mail address looks like. All that is needed is a program that goes out on the Net and harvests addresses from the Web, Usenet, etc. When that is done, the junk e-mail is sent to the harvested addresses.

By now many of you have seen one of the common solutions to this problem. Whenever you make your address publicly available, you disguise it. My address is [email protected]; I might disguise it as [email protected]. All I need to do is make sure that people who want to send me e-mail, remove the NOSPAM from my address before they send me the message. Not the best solution, but it is one that works. Most harvesting programs are not clever enough to remove the extra characters from your address. One point -- if you're going to do this, make sure you put the extra characters at the end of your address. That way they are easy for someone to remove and the mail doesn't get delivered to your server, and then rejected as undeliverable. You should also consider that this is going to create an extra step for people who want to send you mail. That could mean a reduction in mail that you want, if someone doesn't want to go through the extra step to use your real address.

Is your address on a Web page? Once again, you can disguise it, but now you can be more creative. What if you had a graphic of your address? When someone loaded your page, they would see your address, but, if you looked at the source, you would only see the name of the graphic. On a listserv? Send mail to the list administrator, and see if you can have the list restricted, so that only members can send messages, and view list members. If you try some of these tactics you will reduce the amount of spam you get, but, you'll not eliminate it.

What can you do to handle the rest? Basically you have three options, you can ignore it, you can complain about it, or, you can filter it. Ignoring it is the easiest solution, and it works. When you get a piece of spam, just toss it out. Simple and direct. As long as you don't get too much, you don't have too much work to do. Complaining is just the opposite. This will take a fair amount of work. Usually it does no good to complain to the person who sent you the message. The address has probably been forged, and let's face it; the people who send this stuff out already know that many people object to it and they don't care. You need to complain to their system administrator as well as their upstream provider. If this is the tactic you want to use, you'll find a lot of great resources on the Net, and at some point you'll have the satisfaction of getting the account of a junk e-mailer removed.

The tactic that I use is filtering. Most e-mail packages now support this, and it's usually pretty easy to implement. Selecting good filters is the tough part. After all, we want to make sure that we only filter the messages that really are junk. If the filters start eliminating good messages, then they are going to cause problems. What is filtering? Basically, your program searches through a message, and if criteria are met, it takes some action.

For example: You've noticed that most spam doesn't contain your e-mail address (the spammers usually put your address on the BCC line, they Blind Carbon Copy the message to you). You decide that if your address isn't on the To: or CC: line you will toss out the message. Sounds simple right? What happens when your boss BCC's you an important memo? That's right, you'll filter it. Not the right thing, if you want that great review. So, here is an important rule when filtering. Your filters probably won't be perfect. Rather than tossing the mail, move it to another folder and then look at the headers. A quick glance should show you if the mail is from someone you know, or is junk.

Does this work? Well, with little effort, I filter almost 70 percent of the spam I get. I manage this using six rules that, with almost no changes, have worked for more than a year. With some extra effort, I can get this figure up over 80 percent. I also get these results with very few false positives.

Here's how I do this. I use Eudora as my mailer. I have two folders, one for spam, and one for filtered spam. Whenever I get mail, before I see any of it, my filters are run. Any mail that matches my filters is moved into the filtered spam folder. As I go through my mail, I manually move any spam that my filters didn't catch to my spam folder. Every so often I look through the spam folder to see if there are any ways I could improve my filters. I use the collected spam as a test laboratory.

If you are a Eudora user, you should be able to use these rules; just plug them into the tool/filters dialogue. If you are not a Eudora user, they usually can be modified to fit your filtering package. It should be noted, that even though these work fine for me, your situation might be very different. If so modify them to suit your needs.

I have six basic rules:

  1. (Catches Pegasus-style mail not sent with Pegasus) <> contains Authenticated Sender and X-mailer: doesn't contain Pegasus

     

  2. (UU.net dialup lines) Received: contains Cust and Received: contains UU.NET

     

  3. (Headers contain removal information. Note, I search for remov, because it catches both remove and removal) X-Advertisement: contains remov or X-Removal: contains remov

     

  4. (My friends know my name!) To: contains Friend or To: contains you

     

  5. (Messages should always contain a @ in their Message-Id) Message-Id: doesn't contain @

     

  6. (Bull's Eye Gold) <> contains Bull's Eye Gold.

You should also know that the spammers change their tactics as well. I haven't filtered any mail with "remov" for almost a year, and "Bull's Eye Gold" has been quiet for a couple of months now.

In addition, I use my test laboratory of spam in order to improve my filtering. If anyone sends me spam more than once, I create special spammer rules for him or her, the idea being that if I get any additional spam from these folks, it will be filtered. Here's what they look like right now:

 

  • (repeat spammers: special rules to catch them) Message-Id: contains listme.com or Message-Id: contains coquitlam.bc.ca

     

  • From: contains [email protected] or From: contains top-10.com or From: contains hermes1.net or From: contains [email protected] or From: contains artofselling.com

     

  • <> contains Zenith Bulk E-mailer or <> contains The Resume Doctor

     

  • Subject: contains web host or Subject: contains web sale or Subject: contains web site or Subject: contains website.

Hopefully you'll be more successful than I have been, and end up with zero percent spam. I'd be delighted to hear your comments, questions or concerns. Feel free to send me e-mail, just don't let it caught by my filters!

Roger Safian is information security coordinator at Northwestern University. [email protected]

 

  

 

Download Resources