In 1988, NetProfessional Magazine published an anti-spam article I wrote for them.

This article was meant to be an introduction to fighting spam and covers the basic issues and techniques.

The final version that they edited is in the magazine, but a revised version of my draft is here.

This article is also available online at the Lyris web site.

==================

Stop Spam Now!
by John Buckman

CEO and founder, Lyris Technologies, Inc.


Introduction

In the middle of a hectic workday, you check your email box only to find it cluttered with messages ranging from get-rich schemes to advertisements for questionable products.

Junk e-mail or spam is a growing problem for Internet users, whether you are an individual or a large corporation. According to varying studies, the cost of spam ranges from millions to billions of dollars worldwide.

John Buckman, developer of the MailShield anti-spam/anti-relay program, discusses the impact of spam and describes 5 strategies for stopping spammers in their tracks.


What is spam?

Spam is junk email that is sent to you by someone who has no prior or existing relationship to you.

Whether one calls it unsolicited commercial email (UCE), unsolicited bulk e-mail (UBE) or junk mail, spam is defined by the fact that the recipients did not solicit the mail or divulge their email addresses for the purposes of receiving such mail. Yet, each day, thousands of spam programs scan web pages, newsgroups, and other online documents to harvest email addresses in bulk.

As a result, spammers can send a high quantity of mailings to large numbers of unsuspecting users, whose mailboxes become filled with messages that may lack relevance for users.


The impact of spam

The problems associated with spam reach far beyond the obvious annoyance of receiving unsolicited mail. As a result of the deceptive practices that spammers use, spam can damage the reputation of companies who run mail servers, drain human energy and time, and exploit hardware resources.

One of the most common techniques that spammers use is unauthorized mail relaying. Unauthorized mail relaying occurs when spammers use mail servers, owned by other people, to relay junk email.

For example, after one week of setting up our own email server, we began receiving unauthorized mail relay requests. Apparently, spammers used an automated program to scan the Internet and locate our mail server. Before we installed MailShield, we discovered that spammers queued and relayed a dozen email messages per day through our server.

By engaging in unauthorized relaying, spammers make it difficult and time-consuming to trace spam back to its true source. Adding to the difficulty of tracking spam, many companies are unaware that their servers have been used to relay spam until they receive an avalanche of complaints from angry customers who received spam from these companies.

Although companies can clarify to customers that they are not the "true" source of spam, it can be very difficult to regain corporate respectability after unauthorized relaying, especially if the spam contained pornography or get-rich scams.

Spammers also can damage a company's reputation by forging return email addresses. In 1998, Juno Online Services filed a $5,000,000 lawsuit against five spam companies ($1,000,000 against each of the five companies) after Juno's reputation was damaged by forged return email addresses.
Apparently, spammers actively targeted Juno's return address for forgery. Juno President, Charles Ardai, noted that their company discovered spam software for sale on the Internet that included a "forge e-mail to Juno" feature.

Spammers frequently forge return email addresses not only to prevent users from tracking the true source of spam, but also to prevent spam mail from bouncing back to their own servers. Since spam frequently contains a high number of inaccurate and outdated recipient addresses, spam mail often bounces and jams the servers spammers use to relay the mail. As a result, forged email return addresses can significantly drain hardware resources.


Fight back!

Clearly, spammers spend a great deal of time finding ways to use other people's resources to send junk mail and conceal themselves. Given this, what can you do to fight back? The following 5 strategies can help you stop spammers in their tracks.

(1) Stop unauthorized mail relaying

One of the most effective strategies to prevent spam is to stop unauthorized mail relaying. The basic way to implement mail relay protection is to configure your mail server to allow only certain TCP/IP addresses and address ranges to relay through your server. With this technique, your mail server will reject any relay attempt from TCP/IP addresses outside of your network.

While this simple technique works fairly well, not all mail server packages support this feature. For example, version 8.6 of Sendmail, which comes with Sun Solaris systems, does not support this technique. Furthermore, many Windows NT mail systems, including Lotus Notes, CC:Mail, Microsoft Mail, and even popular firewalls (such as Gauntlet) do not provide or support basic anti-relay protection.

Third-party software, such as Lyris MailShield, can add anti-relay security to servers that do not support filtering of TCP/IP addresses or other anti-relay techniques. You can also use some third-party software to completely replace your mail server with software that is designed to block unauthorized mail relaying and spam.

If your company has employees who travel or telecommute, you may wish to allow only specific "From:" addresses to relay. With this technique, telecommuters or employees in the field can still relay mail through your server, without interfering with your ability to block unauthorized relayers.
Filtering the "From:" address is a powerful technique that specialized anti-relay and high-end mail servers support. Sendmail 8.9 examines header text to support this method, as does MailShield.

Another way to implement mail relay protection is to use a mail proxy server with anti-relay features, and a regular mail server that is protected by a firewall, internal TCP/IP address, or port-moving technique.

With this implementation, the mail proxy server conceals the location of your regular server and makes it less vulnerable to unauthorized relaying. Some mail servers and anti-spam/anti-relay products support this implementation.
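The relay rules described in this section, sketched as an added example (not MailShield or Sendmail code). The network ranges, domain and addresses are constructed, and the sender check is applied to the address the client supplies, which is an assumption about where the "From:" rule is enforced.

```python
import ipaddress

# Assumed site policy (constructed values, not taken from the article).
RELAY_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "10.0.0.0/8")]
LOCAL_DOMAINS = {"example.com"}
ROAMING_SENDERS = {"traveler@example.com"}  # staff allowed to relay from outside


def normalize(address):
    """Strip angle brackets and whitespace, and lower-case the address."""
    return address.strip().strip("<>").lower()


def domain_of(address):
    """Return the domain part of an address, or '' if it is malformed."""
    local, sep, domain = normalize(address).rpartition("@")
    return domain if sep and local else ""


def relay_decision(client_ip, mail_from, rcpt_to):
    """Decide whether to accept one recipient; returns (accept, reason).

    Mail addressed to a local domain is ordinary inbound delivery, not
    relaying, so it is accepted from any client address.
    """
    if domain_of(rcpt_to) in LOCAL_DOMAINS:
        return True, "local delivery"
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in RELAY_NETWORKS):
        return True, "relay: client address in allowed range"
    # The sender address is supplied by the client and can be forged, so
    # this rule is weaker than the address-range rule above.
    if normalize(mail_from) in ROAMING_SENDERS:
        return True, "relay: allowed sender address"
    return False, "relay denied"


if __name__ == "__main__":
    # Constructed sessions: outside relay attempt, inbound mail, inside
    # client, and a travelling employee.
    for args in [("203.0.113.9", "x@spam.test", "victim@elsewhere.test"),
                 ("203.0.113.9", "x@spam.test", "bob@example.com"),
                 ("192.0.2.17", "alice@example.com", "c@elsewhere.test"),
                 ("203.0.113.9", "<Traveler@Example.com>", "c@elsewhere.test")]:
        print(args, "->", relay_decision(*args))
```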


(2) Ban header text

Many spam programs include telltale text in the headers of messages they send. For example, spam programs frequently send header text with the words, "public.com" or "friend@public."

Other examples of telltale text and tags include: "savetrees.com," "relay.comanche.denmark," and "x-advert." (Some others: "email shark bulk e-mailer," "extractor pro," "dm pro," and "dynamic mail pro.")

If you ban header text, you can eliminate a significant amount of spam created by automated programs. Many mail server packages and specialized anti-spam software allow you to ban header text.


(3) Filter message body text and subject lines

In addition to filtering TCP/IP addresses and header text, it is also important that your server or anti-spam software filter body text.
Why is it important to filter body text? If a spammer relays spam through someone else's server, the "From:" address may be a valid or acceptable address that you allow to relay.

However, the email address given in the body of the text may not be the same as the "From:" address, an indicator that the mail could be spam. While many mail servers lack the ability to filter body text, specialized anti-spam products and some high-end servers support this ability.

Filtering body text and subject lines also allows you protection against the recent Melissa virus since "Melissa-tainted" email often includes the following telltale information:

A subject line of: "Important Message From "

A body with the following content: "Here is that document you asked for ... don't show anyone else ;-)"

Recently, a major telephone company used MailShield anti-spam software to block the virus. The company filtered the subject and body text of incoming mail to stop the virus from spreading through their system.
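Strategies (2) and (3) combined in one added example (not code from MailShield or any product named here): it bans the header strings quoted above, matches the Melissa subject and body text, and flags a body address that differs from the "From:" address. The sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Telltale strings quoted in the article, compared in lower case.
BANNED_HEADER_TEXT = [
    "public.com", "friend@public", "savetrees.com", "relay.comanche.denmark",
    "x-advert", "email shark bulk e-mailer", "extractor pro", "dm pro",
    "dynamic mail pro",
]
MELISSA_SUBJECT = "important message from"
MELISSA_BODY = "here is that document you asked for"
ADDRESS_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def body_text(msg):
    """Concatenate every text part, decoded, so multipart mail is covered."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            chunks.append(data.decode("utf-8", "replace"))
    return "\n".join(chunks)


def screen_message(raw):
    """Return the reasons to reject a message; an empty list means accept."""
    msg = message_from_string(raw)
    reasons = []
    # Header names are included so a tag such as "X-Advert:" is matched too.
    headers = "\n".join(f"{k}: {v}" for k, v in msg.items()).lower()
    reasons += [f"banned header text: {t}" for t in BANNED_HEADER_TEXT if t in headers]
    # Collapse whitespace so a phrase wrapped across lines still matches.
    body = " ".join(body_text(msg).lower().split())
    if (msg.get("Subject") or "").lower().startswith(MELISSA_SUBJECT):
        reasons.append("subject matches Melissa pattern")
    if MELISSA_BODY in body:
        reasons.append("body matches Melissa pattern")
    sender = parseaddr(msg.get("From") or "")[1].lower()
    contacts = set(ADDRESS_RE.findall(body))
    if contacts and sender not in contacts:
        reasons.append("body address differs from From: address")
    return reasons


# Constructed sample messages.
SAMPLE_SPAM = ("From: friend@public.com\nTo: you@example.com\n"
               "Subject: Make money fast\nX-Advert: yes\n\n"
               "Reply to sales@bulk-offers.example for details.\n")
SAMPLE_MELISSA = ("From: colleague@example.com\nTo: you@example.com\n"
                  "Subject: Important Message From A Colleague\n\n"
                  "Here is that document you\nasked for ... don't show anyone else ;-)\n")
SAMPLE_CLEAN = ("From: alice@example.com\nTo: bob@example.com\nSubject: Lunch\n\n"
                "See you at noon. Mail alice@example.com if plans change.\n")

if __name__ == "__main__":
    for name, raw in [("spam", SAMPLE_SPAM), ("melissa", SAMPLE_MELISSA),
                      ("clean", SAMPLE_CLEAN)]:
        print(name, screen_message(raw))
```

The body-address rule is an indicator rather than proof, since legitimate mail often quotes other addresses; a deployment would normally weigh it together with the other rules.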


(4) Tarpit spammers

In general, tarpitting involves creating delays that slow down the mail-sending sessions of spammers. In theory, tarpitting should discourage spammers by making it slow or difficult for them to send mail. However, there is no evidence that spammers can detect tarpitting.

On the other hand, evidence shows that when tarpitting slows down mail-sending from a server that is used for unauthorized relaying, the owner of the server may (1) become aware of the unauthorized relaying if he or she wasn't aware of it before and (2) adopt higher security measures to avoid being tarpitted.

Thus, tarpitting specific domains may have an indirect result of reducing spam by encouraging the owners of mail servers at legitimate sites to use anti-relaying techniques.

Besides tarpitting specific domains, one might also tarpit users that attempt to send mail to large numbers of people. Spam software works by sending a single message, and a huge BCC (blind carbon copy) list to the server for delivery.

If you know that your customers (in the case of an ISP) or employees do not need to send mail to more than 20 recipients per message, you might tarpit a mail-sending session that attempts to send mail to 50 recipients. If a person has copied 50 people, tarpitting can create a pause (such as 2 seconds) for recipients 21-50. Consequently, this delay can discourage spammers from using your server to send spam.

Last, some anti-spam software also allows you to tarpit specific TCP/IP addresses. You can define TCP/IP ranges to allow specific hosts to connect to you and to tarpit hosts known to send spam. The Real-time Blackhole List (RBL) is a blacklist of Internet TCP/IP addresses known to send spam, or belonging to hosts that condone spam. The RBL is located at http://maps.vix.com/rbl/

Before deciding to tarpit an address you can check the RBL to see if it is on the blacklist. However, keep in mind that the RBL also includes server addresses that are the victims of unauthorized relaying, so you may end up tarpitting servers that send legitimate mail.

Note: The RBL is an effective way to reduce the spam you receive. It is important to keep in mind, however, that if you enable the RBL test, you may inadvertently refuse valid email from legitimate sites that may be unaware that they have been the victims of unauthorized relaying and are blacklisted.
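The tarpit arithmetic from this section, together with a DNS blacklist lookup, as an added example (not code from any product named here). The 20-recipient limit and 2-second pause are the article's figures; the zone name, the extra delay for listed hosts and the stand-in resolver are assumptions made so the example runs offline.

```python
import ipaddress
import socket

RECIPIENT_FREE_LIMIT = 20    # recipients accepted without delay (article's figure)
DELAY_PER_EXTRA_RCPT = 2.0   # seconds of pause for each recipient past the limit
LISTED_CLIENT_DELAY = 2.0    # assumed: extra pause per recipient for listed hosts
DNSBL_ZONE = "dnsbl.example.org"  # placeholder zone, not a real blacklist


def dnsbl_query_name(client_ip, zone=DNSBL_ZONE):
    """Build the DNS name to look up: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(client_ip, resolve=socket.gethostbyname):
    """True if the list publishes an address record for this client.

    Any lookup failure counts as 'not listed', so a DNS outage does not
    slow down every sender.
    """
    try:
        resolve(dnsbl_query_name(client_ip))
        return True
    except OSError:  # socket.gaierror is a subclass of OSError
        return False


def rcpt_delay(rcpt_number, listed=False):
    """Seconds to pause before answering the Nth recipient (1-based)."""
    delay = DELAY_PER_EXTRA_RCPT if rcpt_number > RECIPIENT_FREE_LIMIT else 0.0
    if listed:
        delay += LISTED_CLIENT_DELAY
    return delay


def session_delay(recipient_count, listed=False):
    """Total pause added to a session that names recipient_count recipients."""
    return sum(rcpt_delay(n, listed) for n in range(1, recipient_count + 1))


# Constructed stand-in for DNS: only 192.0.2.25 is "listed".
CONSTRUCTED_LISTED = {"25.2.0.192." + DNSBL_ZONE}


def fake_resolve(name):
    if name in CONSTRUCTED_LISTED:
        return "127.0.0.2"
    raise OSError("NXDOMAIN")


if __name__ == "__main__":
    print(session_delay(50))                                   # recipients 21-50 delayed
    print(session_delay(50, is_listed("192.0.2.25", fake_resolve)))
```

Delaying a listed host instead of refusing it keeps mail flowing from servers that are on the list only because they were relay victims.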


(5) Enforce internet standards

Internet email standards basically state the following:
All mail must include a "From:" header.
All mail must include a "To:" header.
All mail servers must have a reverse DNS host entry.

Spammers typically violate Internet mail standards. If you configure your mail server or anti-spam software to reject mail that does not comply with Internet standards, you can eliminate a great deal of spam. Keep in mind, however, that blocking mail from servers that do not allow reverse DNS look-up may also result in blocking mail from legitimate sites that have improperly configured servers.

Anti-spam software like Lyris MailShield allows you to modify the rules for filtering mail and send an explanation message to users that their mail was rejected because the sending mail server does not comply with Internet standards for reverse DNS look-up.
This message is particularly helpful for customers of ISPs, who can then inform their providers of the problem and encourage their ISPs to configure their mail servers appropriately and allow delivery of mail to servers that reject mail that does not comply with Internet standards.

Although not explicitly stated, valid host values for the HELO command are also encouraged by the Internet standards. Since every mail server on the Internet should have reverse DNS lookups defined, every mail server should also provide a valid hostname as a HELO value. Rejecting mail that does not have a valid hostname is another way to reduce spam.

It is also a good idea to reject mail that does not contain date headers although Internet standards do not require date headers. Many automated spam programs create messages without a "Date:" header. Checking mail for the presence of a "Date:" header will reject a fair number of spam messages. However, some automated programs that send legitimate mail also omit the "Date:" header. Before setting up your mail server or anti-spam program to block mail without date headers, you may wish to consider how important it is for you or your organization to receive mail from automated programs.
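The checks in this section gathered into one added example (not MailShield code): required headers, a valid HELO hostname, a reverse DNS entry, the optional "Date:" rule, and a rejection reply that explains the reason. The hostname pattern, reply wording and sample data are assumptions; the reverse DNS lookup is injectable so the example runs offline.

```python
import re
import socket
from email import message_from_string

# Dotted hostname made of letter/digit/hyphen labels. Assumption of this
# sketch: single-label names and address literals count as invalid.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")


def system_ptr_lookup(ip):
    """Return the reverse-DNS name for ip, or None if there is no entry."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror and socket.gaierror are subclasses
        return None


def check_standards(helo, client_ip, raw_message,
                    ptr_lookup=system_ptr_lookup, require_date=False):
    """Return the list of standards problems found for one delivery attempt."""
    problems = []
    if not HOSTNAME_RE.match(helo):
        problems.append("HELO is not a valid hostname")
    if ptr_lookup(client_ip) is None:
        problems.append("no reverse DNS entry for client")
    msg = message_from_string(raw_message)
    for header in ("From", "To"):
        if not (msg.get(header) or "").strip():
            problems.append(f"missing {header}: header")
    # Optional policy: some legitimate automated senders omit Date:.
    if require_date and not (msg.get("Date") or "").strip():
        problems.append("missing Date: header")
    return problems


def smtp_reply(problems):
    """Build a reply that tells the sender why the mail was refused."""
    if not problems:
        return "250 OK"
    return ("550 Rejected: " + "; ".join(problems) +
            ". Ask your mail administrator or ISP to correct this.")


# Constructed sample data.
PTR_TABLE = {"192.0.2.10": "mail.example.com"}
GOOD = ("From: alice@example.com\nTo: bob@example.net\n"
        "Date: Fri, 4 Dec 1998 10:00:00 -0800\nSubject: Hi\n\nHello.\n")
BAD = "From: offers@bulk.example\nSubject: Offer\n\nBuy now.\n"

if __name__ == "__main__":
    print(smtp_reply(check_standards("mail.example.com", "192.0.2.10",
                                     GOOD, PTR_TABLE.get, True)))
    print(smtp_reply(check_standards("friend", "203.0.113.5",
                                     BAD, PTR_TABLE.get, True)))
```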


Conclusion

With spam increasing steadily, it is important to take a proactive stance and arm yourself with knowledge about the methods that spammers use, so you can decide how to best implement strategies to block spam.

The five strategies described here can help you reduce spam and limit exploitation of your hardware resources. Whether you are an individual, ISP or corporation, reducing or eliminating the flow of spam plays a key role in protecting your reputation, maximizing your hardware resources, and utilizing human energy and time most efficiently.


Helpful anti-spam resources

Site links to email filtering products:
Lyris Mailshield
SLmail
NTMail
Sendmail

Other valuable resources:

Coalition Against Unsolicited Commercial Email
CAUCE is devoted to enacting legislation to stop spam. This site includes many helpful links and resources about spam.

Spam.abuse.net
Scott Hazen Mueller's "Fight Spam on the Internet!" answers basic questions about spam, and provides an expansive directory of spam-fighting information and resources.

"Tracing the Spam"
This useful article explains how to trace spam back to its source and how to lodge complaints with appropriate people.

================

Original press release for that issue:

FOR IMMEDIATE RELEASE

NEW NETPROFESSIONAL COVERS SPAM, SHERLOCK, WEBOBJECTS 4, MAC OS 8.5

-- Professional Journal for Web Developers and NetAdmins covers latest Apple technologies in Nov/Dec issue

WESTLAKE VILLAGE, Calif. -- December 4, 1998 -- Xplain Corporation, publishers of NetProfessional(tm) magazine, revealed the contents of the November/December issue, just now arriving in subscribers' mailboxes. The print magazine, for web developers and network administrators, continues to grow as a technical journal packed with in-depth articles on a variety of current challenges users face, peer-reviewed by experts in the field. The cover of the new issue (Volume 2, Number 3) features Mac OS 8.5, Apple's latest OS upgrade. Two stories in the magazine cover aspects of 8.5 in great detail. One, by acclaimed author Maria Langer, shows what's new for network administrators in the OS update, with close-up views of interface elements that have changed since previous OS releases. A second story, by Alex Kac of WebIS, shows how to create plug-ins for the Search Internet component of Sherlock, so users can make their sites directly searchable from the desktop; code examples are provided in both Tango and Lasso.

Another major feature story in the issue covers server-side techniques for detecting and preventing Spam, on a variety of platforms and mail applications. The extensive piece, by MailShield author John Buckman of Lyris, is complemented by sidebars on spam-bait techniques that you can apply to webservers. "The anti-spam article really illustrates what NetProfessional is all about," said Editor Raines Cohen. "We take a topic and examine it in depth, providing information useful to both web developers and network administrators, and help them better understand one another."

Another feature article in the issue looks at webserver performance, and how to best measure and optimize it. Author Mark Kriegsman of Clearway Technologies makes the case that what's important is not how many pages per second you can serve, but how many seconds per page, that determines the quality of your users' experience on your site. "[This] is one of those articles that is worth the entire year's subscription price of the magazine," said Jacob Merriwether, President of Quality Computer Systems, Inc.

The issue also carries an exclusive interview with Allen Denison, product manager for WebObjects at Apple, about the recent release (4.0) of the enterprise web-application development tool. We surprised Allen by bringing to the interview two experienced WebObjects users from the e-commerce firm Kagi, to provide hard-hitting questions about the product to deliver the information that NetProfessional readers need to know. NetProfessional's regular columnists are hard at work for readers as well in the latest issue. NetProLive, by our online editor Todd Stauffer, discusses online resources for XML development. And Chuq von Rospach, in his "From the Trenches" column, shows tricks (using Maxum's NetCloak) for compensating for inter-platform font size differences, asking, "Can We Kill the Browser Vendors now?" And in this issue's NetTips column, Kurt van der Sluis shows how to use network-probing tools from the AG Group to track down problem net devices in an unconventional way, in "Find that Node". Also in the issue, Michael Clasen reviews Tango for FileMaker 3.1, showing the process of creating interactive queries in the web-to-database middleware tool.

The November/December issue of NetProfessional (Volume 2, Number 3) is now available at selected booksellers and newsstands domestically -- including many Barnes & Noble superstore locations and other fine resellers. Better yet, discount RISK FREE subscriptions are available at the magazine's Website, <http://www.netprolive.com/>. A table of contents is posted online but the magazine content itself will NOT be available on the Website.

NetProfessional -- How to Get It

NetProfessional is available for only $19.95 for six issues for U.S. subscribers -- OVER 50% OFF the cover price! (US$44.95 International, US$25.95 Canadian) If you're not a current subscriber to NetProfessional, sign up today -- send no money. Just visit the NetProfessional web site at <http://www.netprolive.com/> and sign up RISK FREE for NetProfessional.

There's no risk to you, so act now! When you must reach key web developers and network administrators with your advertising message, contact NetProfessional's ad sales department at mailto:adsales@netprolive.com

Corporate Background:

Xplain Corporation has three divisions -- publishing, mail order and custom services. The publishing division includes MacTech(r) Magazine http://www.mactech.com/, NetProfessional(tm) Magazine http://www.netprolive.com/, and THINK Reference(tm). The mail order division operates Developer Depot(r) http://www.devdepot.com/, Depot Store(sm), and the Depot(sm). Custom services provides custom publishing and trade show services including such projects as Developer Central(r) and fulfillment services. Founded in 1984, the company has its offices in Westlake Village, California. For more information on Xplain Corporation or any of its products/services, point your browser to http://www.xplain.com/, call the main offices at 805-494-9797, fax at 805-494-9798, send an e-mail to mailto:info@xplain.com, or send snail mail to PO Box 5200, Westlake Village, CA 91359-5200, USA.

Media Contact:

Nick DeMello Xplain Corporation marketing@netprolive.com 805-494-9797 x105

             

