TISPA Spam Information Page

This page is under development. At the time of writing, it is NOT an official TISPA page. It currently reflects the experience and views of one individual - me. My intention is for this page to develop into a forum for TISPA members to contribute their opinions and information, and at some time in the distant future when a concensus has been reached, to state that these pages reflect the views of TISPA members. However - journalists please note - that time is not now.

Since this page is under development, no attempt is being made yet to add a glitzy professional presentation; much of the content here will just be a skeleton to be fleshed out later as I work out what is needed on these pages. Give me time; it'll appear.

Now, without further ado, to business:

Contents

The $64,000 question
Spam is information pollution. Spam is wasting people's valuable time. Spam is abusing other people's resources. Spam is making the recipient pay for the sender's business.
Well, I know it when I see it!
Spam is in many ways like pornography; there is currently no hard-and-fast definition of spam, but everyone likes to think they know it when they see it. Unfortunately, different people see different things, particularly if one person is a spammer and another is a spamee. In these pages we hope to come to a concensus of what exactly spam is, so that any new anti-spam legislation can be worded in a way that doesn't punish the innocent while letting as few of the guilty slip through the noose as can me managed. Here are several possible definitions of email spam:
You *really* should have known better...
A significantly large number of spams are addressed at ISPs trying to sell us software or equipment or technical support to make our lives easier. Yeah, right. You'd think spammers would have more sense than specifically target the most knowlegable users on the net, but I guess no-one ever went broke underestimating the stupidity of the average spammer. Or a few ISPs if anyone ever took them up on any of these offers.

Anyway, the significant thing about these spams is that the address lists they use come from published lists of ISP contact addresses put out by various web sites and paper publications. These lists were created with the express intention of making it easier for a potential customer to find a suitable ISP in his area. In my personal opinion there's not a damned one of them worth the effort, and I've been trying (unsuccessfully) to get off all of them for over a year now. The reason being that for every genuine request for service, we've received maybe 100 unsolicited attempts to sell *us* something. That's not why we put our names on those lists. Frankly, I doubt if these lists benefit *any* ISP overall; they're specifically meant for finding *local* ISPs, and in almost all localities, there are much easier ways of finding an ISP than looking on the net for one (where you might be assumed to have an account already). Local word of mouth; local Yellow Pages; even the local library are all good ways to find a local ISP. In two years on all the big lists we've had 3 people signup who found us on the net.

That was just getting a rant off my chest by the way, I don't have anything positive to contribute here except that perhaps legal recourse may be necessary for people who advertise your services when you don't want them to or do so in a way which brings disrepute on you. I believe current law already has suitable remedies for this situation.

Actually, yes - there is a point to be made here: when a company advertises an address like "support@my-isp.com", it expects to get support email there. When junkmail arrives on that address - man hours are spent wading through the junkmail in order to get to the legitimate postings of users of the service looking for support. It would be nice to say that unsolicited commercial mail should never be sent to addresses that are for potential or current customers, but how could that ever be enforced? "support@..." is an easy one; but what about "staff@" or "sales@". Who decides what is obvious? What I do is attach a message next to my email address saying it is not to be used for solicitations and that answering mail for solicitations will be charged at $X/hr or part thereof - but by the time our email address ends up in one of those lists, that comment has been long lost.

Sue and be damned!
Personally, although I do my best to reduce spam by technical means (ADD: technical discussion) and a vain attempt to twist existing laws (ADD: standard spam reply), I genuinely believe that the scourge of mass spamming will only ever be handled properly when there is Federal legislation (See what happens with purely State legislation. Here too for more comments.) in place to make it illegal. However at TISPA we are concerned that legislation is often created under time pressure and as a result is usually too heavy-handed for the job: it may have an adverse effect on legitimate commerce and the business of ISPs. Consequently we want to develop in these pages sound guidelines which will be available to any potential legislator for use in drafting new bills against spam. (ADD: link to current new bill, with problems)

HOT NEWS:

Recently a Texas ISP was third-party spammed. This time we're fighting back: see the lawsuit that TISPA Attorney Pete Kennedy has filed.
Technical solutions:
TISPA is standing at the forefront of the technical resolution of the spam problem by being the first group to make public an effective spam filter which works way down inside the guts of the system at the point the email is received: the mail daemon. We have a replacement module for sendmail which cuts out spam very effectively. There are also solutions for SMAP, and many filters that can be run by users if their ISP cannot put in a global filter. The TISPA filter is configurable to enable/disable spam for individual users.
Received: from spammer.com via goodisp.com for user@elsewhere.com
This is probably the issue most close to the hearts of TISPA members. Because mass junk mailing is banned by many providers, spammers sometimes bypass their providers email system with its built-in checks, and use some other providers mailer to send out thousands and thousands of emails. These other providers are not being paid for this use of their facilities, and would not allow it if they knew it was going on (ADD: legal issues on need for advanced warning vs legislation question) or had the technical ability to stop it. (ADD: technical help in blocking)
"I will spell-check your unsolicited ad for $500!"
Following some successful campaigns against junk telephone calls, where the recipient offered to do business for the caller by virtue of allowing them to use his home and telephone to conduct their business, some netizens have tried this tactic against junk mail.

However, as an ISP on the receiving end of some of these complaints, I have to say they're not always thought out clearly. The premise is that you have said you will do something with unsolicited mail for a fee. In that case, you are explicitly soliciting the mail as part of an implied contract which is accepted when the sender sends you the mail. That's all very good and maybe you have a chance of pursuing it in the courts, but *don't* think you can also complain to the sender's ISP and try to get their account cancelled. It's either solicited by you for a commercial contract, in which case you take them to court yourself to get your fee, or it's unsolicited and you can complain to the ISP to get them kicked off their service. You can't have your cake and eat it however.

neat! This'll save me *hours* of spamming!
A particularly insidious form of spamming is to send one mail to a mailing list, and let the owner of the mailing list bear the cost of sending the junk to hundreds or thousands of readers. Because of this, many mailing lists have been forced to become moderated, wasting their moderators time, in order to filter out the spam. Some mailing list programmers have had to write additional code to handle spams (such as only accepting posts from list members), again wasting people's time. LSOFT, the commercial firm that now runs the LISTSERV software, has done an excellent job of automatic spam detection, and runs a network of linked list servers that share spam information with each other. I believe that something like this may one day be needed by ISPs for email, with support built in at the sendmail level. (ADD: See legal issues about blacklisting)
Net.WarZ
That'll show him!
Harassment: forcible addition to unwanted mailing lists.

One form of usenet harassment/denial-of-service attack is to subscribe someone to multiple (usually busy) mailing lists, by virtue of forged postings. Although this illegality is covered by current laws (probably), it's hard to trace and easy to do. I can't see any way of making it less hard to trace, short of very draconian laws indeed, but there is a way of making it harder to do: many mailing lists have a two-part submission scheme; you sign up normally, then receive a mail in reply which contains a magic cookie; you then return that magic cookie to the list and only then do they subscribe you.

Mailing lists without this simple checking procedure are easily abused, and I would personally favor legislation that insisted that this was the norm. I don't know how my TISPA colleagues would feel about this however. (ADD: discussion)

Spambots
Spambots are programs which regularly scan usenet or other areas (ADD: link to AOL chatroom spambots, IRC spambots, etc), extracting email addresses from the headers (and sometimes the bodies) which are then used as recipients of spam. Or oftentimes they're just sold on in MLM marketing scams to other wannabe spammers and metaspammers.

This practise of mailing people who post to usenet has made some areas of usenet all but unusable. As an experiment, I recently created a new account and made ONE single post to usenet with it; the account has never sent *any* email offsite; our account names are not published elsewhere, so any mail that account ever received must come as a result of its usenet posting. In the two weeks to date since it posted, it has received SIXTY-EIGHT spams. The most common of them being people trying to sell me junkmail lists or junkmail services. (The address is changed in the file referenced above just so posting it here doesn't attract any more spams. You can see the real address from the DejaNews link). This junk has been excellent test fodder for our new junkmail filtering software. (ADD: whole section on filter code)

Blocking

So, how can we block email spam? Well, there are three main ways:

Router Blocking

This is a tactic currently being exercised by a group of ISPs who have configured their routers to block mail connections to their networks from people on a blacklist of banned IP addresses. This is done by sharing a BGP4 feed of routes, where the bad guys are routed to the null route. Blocking in this fashion has the advantage that the ISP's machines never even see the spam to begin with, and therefore aren't affected by gross volumes of spam arriving which would have to be disposed of using one of the methods below. It has the disadvantage that you have to be running BGP4 routing, which many small single-homed ISPs are not doing. (Current advice is that single-connection ISPs *should not* run BGP4, to keep the routing table size down). There's also a question (I don't know if this is significant or not - haven't asked anyone doing it) of whether the filters slow down ordinary packets on the net. I believe having a large number of specific filters is bad for performance, but using the null route trick may be quite efficient.

Router blocking means that the sender fails to connect, and causes mail queues to build up at the sender's end. This is probably a good thing in the case of spammers but bad in general. It also is indiscriminate, and blocks both third-party spam and mail directly to your users. Depending on how you interpret the legal situation on blocking mail to your users (do you have their consent?) this may be a bit too heavy-handed.

Daemon Blocking

You can configure your SMTP daemon (let's say sendmail here, though some people use others) to reject mail on various grounds. This can be a good way to block because the sender can get an explicit message back saying why the mail was blocked. Sendmail blocking can be set up to either block third-party spams only, or to block mail to users, or both; it can selectively block access from specific sites on a network rather than always the whole network, and it can block mail to specific users. It can also be made to catch outgoing spams from local users posted through your service. However, none of this is easy and most of it requires a deep understanding of sendmail, and writing code to hook into sendmail, so would cost a lot of manpower on behalf of the ISP. This waste of our time is another reason why spam is bad.

The latest version of sendmail has a lot more support for these things built-in, including finally tcp_wrapper support. I would like to think that Tispa ISPs would co-operate in adding more anti-spam features to sendmail.

Something I would dearly love to see, but doubt anyone has the manpower for such an ambitious project, would be a major revision of sendmail where it has spamfilters built-in in the manner of LSOFT's LISTSERV network, which exchanges spam information between sites. There are however some major privacy concerns that would need to be met before a project like that could be emulated for personal email as opposed to public mailing lists.

In the meantime, I have developed and am releasing for TISPA members some modifications to sendmail which do third-party blocking, and experimentally on a per-user baseis, spam filtering.

Andrew Daniel has written an easy to use perl utility which can check if your mail host is vulnerable to third-party relaying. (If it doesn't work first time, change the #!/usr/bin/perl to use perl5

Delivery Blocking

Finally, a less intrusive form of spam-blocking is to block at the point of final user-delivery. This can either be done on the user's own system, if it is powerful enough, or by the ISP as he saves the messages into the user's shell or Pop3 mailbox (assuming that's how the ISP is configured; not all are.) Although personally I would prefer to spend the effort on sendmail blocking, I am currently running an experiment with delivery-agent blocking because it is much easier and less disruptive to a running service to experiment in a way that only affects one user. The filtering software I am working on tags a piece of mail as spam by inserting an extra header into the mail before filing it. The user can then filter for the presence of that header and make up his own mind how to dispose of the mail. This method has the advantage of giving the ISP some degree of immunity from lawsuits by spammers who say we're interfering with their trade, but has the disadvantage that the user still has to download the mail in order to handle it. Personally I sidetrack all tagged mail to a 'probably-spam' mailbox, then check it once a day for anything that may be legitimate mail that slipped through.

There's a trade-off here to be made: do you write aggressive filters that catch all spam, but also some non-spam, or do you write conservative filters that guarantee everything they catch is spam, but don't catch all of it? Personally I prefer the aggressive approach coupled with a buffer mailbox to check things before I delete them, but others may want to trash it unread and would therefore insist on the conservative approach. This is all just detail and can be parameterized in later versions of the code.

Tracking spam
A truly enthusiastic spammer-hunter has many tools at his disposal, but they all start with a careful reading of the mail. You can get clues about the spammer both from the headers and form the body of the text. It's also extremely useful to have a good memory and a good collection of previously-received spam.

Many of the major spamming outfits work by getting disposable dialup accounts from big providers like AT&T and UUNET, and they use those to inject the mail at yet another providers site, and the injected mail has either a fake return address or a disposable return address somewhere like juno or hotmail, and for good measure they throw in some faked Received: lines as well. The ones whoe are spamming from their own T1-connected sites have other tricks like spoofed reverse DNS, not to mention an ISP that is actually the same company as the spammer in disguise, so that complaints to the ISP are apparently handled well but in reality the spammer continues.

So, tracking a spammer from the headers is difficult but not always impossible; however, what is much more fun is tracking the spammer from the content of the mail. This is easy because spammers are by nature greedy people; although they go to great lengths to keep their real email addresses out of their spams, and usually supply the requested article by postal mail in response to orders mailed to a mailbox company, they very seldom go to the bother of ordering a new telephone number for the purposes of sending a one-off round of spam. So, when you get a completely anonymous junk mail that contains a telephone number, search the net for that number and see if they are using it in their advertising on some other web page somewhere. Chances are high they are. Reverse phone number lookups and phone CDs are useful here too.

Similarly, though to a lesser extent, you can track the rented mailbox addresses: even if you can't find that particular mailbox number, you'll find other people using the same mailbox service; if one of those people is in a similar line of business to that advertised in the spam, you may have found your man. You can also tell from the area code in the phone number or the dropbox address what region of the country the spammer is in; do a search for similar businesses in that region, then when you find one, check the wording of their web page info for similarities to the copy in their ads. Remember, Alta Vista is your most powerful tool; use it. Anyone who is willing to resort to spam to advertise their services is very likely to have already tried advertising the same thing on the web.

After a time, you learn to spot very quickly when you've found the spammer and when it's just a coincidence of name or address. Following a spam up in email to the person behind it, without any explanation of how you know it was them who sent it, can be very unnerving for a spammer who thinks he was well hidden behind "THE LATEST IN CLOAKING TECHNOLOGY!!!" of whatever junkmail program he was suckered into using :-)

For the less clued among us, there is a program (I haven't tried it) called Spam Hater which reportedly does some of the work in tracking down a forged spam. This was written by one of my British compatriots - we Brits have a strong incentive to cut down on incoming spam: 1) we pay for local calls by the minute at a rate that Americans would associate with Long Distance calls; 2) 99% of the spams received in Britain are advertising goods for sale in the US that we have no interest in. (Actually that applies to most Americans' view of spams too :-) )

Note: when you track down a spammer, whether from a web page or a whois entry, file the info you found for later because whois entries for spammers change rapidly - they very often realise they made a mistake putting real contact details in, and replace them with fake ones; and they take their personal home phone number off their web page when they get an irate phone call at 2am from someone who has just been spammed at 2am.

Finally, here are the so far uncategorised entries from my bookmark file to do with spam and various forms of net abuse. The best of these will be worked into the report above as I find suitable hooks to hang them on.

Newsgroups

news:news.admin.net-abuse.misc
news:news.admin.net-abuse.email
news:news.admin.net-abuse.usenet
news:alt.spam
news:alt.stop.spamming

Web Sites

Like all bookmark files, the most recent stuff is at the end. Most of the spam stuff is in the middle. Some things here aren't strictly spam-related but are close enough that they're a useful reference to have on hand.

EFF "Network Information & Resources" Archive
Internet Code of Conduct
Blue Netpages--Understanding Electronic Mail
Blue Netpages--Internet Survival Tips
ROMANTASY: Responsible Use of the Internet
Lycos search: telemarketing consumer protection act tcpa
I'm NOT Miss Manners of the Internet
The Net: User Guidelines and Netiquette, by Arlene Rinaldi
http://rs6000.adm.fau.edu/rinaldi/net/spanish.txt
Internet Code of Conduct - Blue NetPages - Aldea Communications
Social Security Numbers and privacy
http://www.muc.edu/cwis...nson/BensonPrivacy.html
The D-SPAM Initiative
STOP UCE - Uninvited Comercial E-mail
Junkbusters: JUNKBUSTERS Home Page
EPIC Privacy Archives
Junkbusters: U.S. laws concerning direct mail
Consumer's Guide to Postal Services & Products
Represent Yourself In Court
Campaign to Stop Junk Email
rfc1173 -postmaster@ required
National Fraud Information Center 1-800-876-7060
I HATE Junk E-Mail Web Page
telephone junk
Telemarketing Tips
JUNKBUSTERS Home Page
Rules For Telephone Solicitations
The DMA | Shop At Home Information Center
Social Security Number FAQ
CHRONOLOGY OF SOCIAL SECURITY NUMBER (SSN) EVENTS
About the Code of Federal Regulations
JUNKBUSTERS Links to other resources
People Finding Tools
Privacy Rights Clearinghouse SSN page
Privacy Rights Clearinghouse
*Publications*
Privacy Rights Clearinghouse - Telemarketing Calls
Private Citzens Inc.
How to Get Rid of Junk Mail, Spam, and Telemarketers
Blacklist of Internet Advertisers
The Netizen's Guide to Spam, Abuse, and Internet Advertising
Junk Email: America Online Profits from its deliberate indifference toward junk email and chain letters (& links re: Bulk Email, Chain Letters, Email America, Cyber Promotions - Promo Enterprises, and Business Link - BusinessLink)
http://www.metareality....han/visit.cgi/html.Spam
Get that spammer!
The Anti-UMail FAQ
Outlaw Junk E-mail Now
PREFFERREDMAIL
The Judge Said
Fed up with junk phone calls? UK
Broadcast Fax and Junk Email: Illegal Under 47 U.S. Code 227
Rogue sites
Fight Spam on the Internet!
Index of /pub/vixie/
NFIC - Contacting Other Agencies Online
Dan Garcia's Spam Homepage
Report those damn Spammers!
http://www.metareality....cgi/spam/html.Offenders
Fight Junk Mail!
Database America People Finder
Common Carrier Bureau Home Page
PeopleFind
AltaVista Search: Simple Query "wilbert m" +astroluz
The Net Abuse FAQ
Carroll Publishing: Vital Government Directories
Big Dummy's Guide to the Internet - ISO 3166 Codes (Valid TLDs in email)
Los Angeles County District Attorney Gil Garcetti's Statement
The Golden Key Campaign for Private Communications Online
Computer Crime Squad
Internet JUNKBUSTER Technical Information
Internet JUNKBUSTER Frequently Asked Questions
Filtering the Web using WebFilter
Make Money Fast
Lasu's net abuse links
Current Usenet spam thresholds and definitions
BadISPs.html (last edited 1997.Feb.20 08:26 PST)
SPAMMER TOOLS: Astroluz list & BulkMan Pro
Bulk E-Mail Tools
Junk email mail sending pondscum
Tracking Down Internet Baddies
ISP: Internet spam provider
http://www.rahul.net/dhesi/nojunk.txt
http://www.rahul.net/guest/a2i-nojunk.1.txt
http://www.rahul.net/dhesi/court/
http://www.rahul.net/dhesi/planet/20.msg
Death of the CancelBot
Email Spam
http://www.panix.com/shared-filter-rules
Infinite Ink's Processing Mail with Procmail
Blacklist of Internet Advertisers
The Cancelmoose[tm] Home Page
Net.Abuse Links
Netizens Against Gratuitious Spamming
http://www.cs.hmc.edu/~...gs/nags_filter/spammers
Netizens Against Gratuitious Spamming
http://www.io.com/~johnbob/jm/jmdigest
Stop Unsolicited Mass E-Mail Advertisements!
Cyberpromo FAQ
PC411 Search Page - reverse phone number search
VTW | Unsolicited Commercial Email
Combatting Spam... the fight against unsolicited e-mail
Internet Query Tools
Internet Address Finder
Reference: People Finder
Fight Spam on the Internet!
Why is spam bad?
The Net Abuse FAQ
RFC 1855: Netiquette Guidelines
http://www.crl.com/~sjk...ws-admin-net-abuse.html
Get that spammer!
EmailAbuseLog.html (last edited 1997.Feb.28 00:26 PST)
NetAbuse.html (last edited 1996.Mar.05 23:12 PST)
BadISPs.html (last edited 1997.Feb.20 08:26 PST)
ComplainToWhom.html (last edited 1997.Mar.16 02:50 PST)
alt.spam FAQ or "Figuring out fake E-Mail & Posts". Rev 961119
Stop Spam!
List of spamming domains (updated regularly)
Advertising on Usenet: How To Do It, How Not To Do It
Commercial considerations in newsgroups
MMF Hall of Humiliation
MMF Of The Week - "REPORT scam"
Chain Letter Consequences
Chain letters
pyramid schemes, chain letters and PONZI schemes
MLM schemes
MLM harassment
Amway
The GIGO Game
Your Pals at Promo Enterprises
TCPA
Spammers Paradise
Spammers of the Week
News Flash
CASHFLOW Morons
The Great Peering Debate
The War on Spam
Other MMF Links
Information Filtering Resources
The Email Abuse FAQ
Join the Fight Against Spam!
Firewalls mailing list
CNET features - how to - stop spam
CNET features - how to - stop spam - make yourself invisible on mailing lists
Stop AGIS' network abuse!
The Steve Winter FAQ - religious spam
Rogue's Gallery of Net Abusers
Cyber Promotions / Promo Enterprises - Harassing Thousands With Bulk Junk Email Daily (Sanford Wallace)
http://www.cyberpass.ne...e/cyberpromo-ruling.txt
http://www.cyberpass.ne...e/cyberpromo-cases.html
AOL PreferredMail(tm) List
http://www.nntp.primenet.com/cgi-bin/feed/stats (where some spammers get their newsfeeds to trawl for names)
Sendmail Home Page
Anti-Spam Provisions in Sendmail 8.8
Index of /~asgilman/spam
http://www.informatik.u...a/email/checkcompat.txt
OTHER CONFIGURATION
Hints about sendmail/e-mail
Links to e-mail related sources
Using check_* in sendmail 8.8
Using a database in the check_* rulesets
reject-mail
DeniedIP
spammer
Public Link Corp. Home Page
Network Law
Department of Public Safety
Public Link Corp. Texas Vehicle License Plate
Public Link Corp. Texas Driver's License
U.S. House of Representatives - Internet Law Library - U.S. Code (searchable)
U.S. House of Representatives Internet Law Library
Texas Legislature Online
Transportation Code - Title 7 - Subt B - Ch 521 - Subch C - Sec 50
Transportation Code - Title 7 - Subt B - Ch 521 - Subch C - Sec 52
Kill the spammers, let the maggots sort them out
Links to other anti-spam sites!
Anti-Spam Intelligence Center
Antispam Web Page
Spamsites
The Unsolicited Email Site List
# INTERNET SPAM CONTROL CENTER #
Get that spammer!
Compuserve v. Cyber Promotions
How to Get Rid of Junk Mail, Spam, and Telemarketers
The Anti-UMail FAQ
Other Voices on spam
ISP/C Policy Statement: Spam
Junk e-mail Call to Action
wyp.net to close its doors
Save-the-facts
Other Anti-junk e-mail Sites
No spams: Online guides to thwarting junk E-mail
Junk Mail
Censorware Search Engine
CYBERsitter filter file codebreaker
CRADLE Main Page
Bigfoot Anti-Spamming Defense System
The Spam Page
Implementing Warnings for AGIS Netblocks
I-way: Beating the Spammers
INFOSEARCH® presents Mr. Smith E-Mails...
WIRED articles on spam
The Spam Patrol
Excellent article on tracking spam
Computerworld article on flowers.com
All Computerworld articles on spam
FCC Clampdown on spam
Antispammers slam first spam law
Blocking mailed spam
A very good reply to a spammer from an ISP
Another Spamford lawsuit (Bigfoot)
Netcom antispam measures revoked (C|Net)
Spamford apparently kicked off AGIS? (C|Net)
Notes on stopping UCE (posted to NANOG)

This page is maintained by Graham Toal