Since this page is under development, no attempt is being made yet to add a glitzy professional presentation; much of the content here will just be a skeleton to be fleshed out later as I work out what is needed on these pages. Give me time; it'll appear.
Now, without further ado, to business:
Anyway, the significant thing about these spams is that the address lists they use come from published lists of ISP contact addresses put out by various web sites and paper publications. These lists were created with the express intention of making it easier for a potential customer to find a suitable ISP in his area. In my personal opinion there's not a damned one of them worth the effort, and I've been trying (unsuccessfully) to get off all of them for over a year now. The reason being that for every genuine request for service, we've received maybe 100 unsolicited attempts to sell *us* something. That's not why we put our names on those lists. Frankly, I doubt if these lists benefit *any* ISP overall; they're specifically meant for finding *local* ISPs, and in almost all localities there are much easier ways of finding an ISP than looking on the net for one (where you might be assumed to have an account already). Local word of mouth, the local Yellow Pages, even the local library are all good ways to find a local ISP. In two years on all the big lists we've had 3 people sign up who found us on the net.
That was just getting a rant off my chest, by the way; I don't have anything positive to contribute here except that perhaps legal recourse may be necessary for people who advertise your services when you don't want them to, or do so in a way which brings disrepute on you. I believe current law already has suitable remedies for this situation.
Actually, yes - there is a point to be made here: when a company advertises an address like "support@my-isp.com", it expects to get support email there. When junkmail arrives on that address, man-hours are spent wading through the junkmail in order to get to the legitimate postings of users of the service looking for support. It would be nice to say that unsolicited commercial mail should never be sent to addresses that are for potential or current customers, but how could that ever be enforced? "support@..." is an easy one; but what about "staff@" or "sales@"? Who decides what is obvious? What I do is attach a message next to my email address saying it is not to be used for solicitations and that answering mail for solicitations will be charged at $X/hr or part thereof - but by the time our email address ends up in one of those lists, that comment has been long lost.
However, as an ISP on the receiving end of some of these complaints, I have to say they're not always thought out clearly. The premise is that you have said you will do something with unsolicited mail for a fee. In that case, you are explicitly soliciting the mail as part of an implied contract which is accepted when the sender sends you the mail. That's all very good and maybe you have a chance of pursuing it in the courts, but *don't* think you can also complain to the sender's ISP and try to get their account cancelled. It's either solicited by you for a commercial contract, in which case you take them to court yourself to get your fee, or it's unsolicited and you can complain to the ISP to get them kicked off their service. You can't have your cake and eat it too, however.
One form of usenet harassment/denial-of-service attack is to subscribe someone to multiple (usually busy) mailing lists by means of forged subscription requests. Although this is (probably) already illegal under current law, it's hard to trace and easy to do. I can't see any way of making it less hard to trace, short of very draconian laws indeed, but there is a way of making it harder to do: many mailing lists have a two-step subscription scheme; you send the subscribe request normally, then receive a mail in reply which contains a magic cookie; you then return that magic cookie to the list and only then does it subscribe you. The point is that the cookie goes only to the address being subscribed, so a forger who cannot read that mailbox cannot complete the subscription.
Mailing lists without this simple check are easily abused, and I would personally favor legislation making it the norm. I don't know how my TISPA colleagues would feel about this however. (ADD: discussion)
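The two-step scheme described above, written out as an added example (this is not code from the page or from any real list server). It assumes a hypothetical list server with a secret HMAC key, a three-day cookie lifetime, and the constructed addresses shown; the cookie is bound to the list name, the subscriber address and the issue time, so the server keeps no record of pending requests and a cookie obtained for one address cannot be replayed for another.

```python
import hashlib
import hmac
import time

# Constructed example: a hypothetical list server's secret. In practice read it
# from a file only the list software can open; anyone holding it can forge cookies.
SECRET = b"constructed-example-secret-do-not-reuse"
TTL_SECONDS = 3 * 24 * 3600  # a cookie not returned within three days is dead


def make_cookie(address, list_name, issued_at=None, secret=SECRET):
    """Mint a cookie bound to (list, address, issue time). No server-side state is
    kept: the HMAC lets the server recognise its own cookie later without remembering
    it, so a flood of forged subscribe requests costs one outgoing mail each and nothing else."""
    ts = int(time.time()) if issued_at is None else int(issued_at)
    msg = "\0".join([list_name.lower(), address.lower(), str(ts)]).encode()
    tag = hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]
    return f"{ts}.{tag}"


def check_cookie(address, list_name, cookie, now=None, secret=SECRET):
    """True only if `cookie` was minted by us for exactly this address and list and
    is not older than TTL_SECONDS. The comparison is constant-time."""
    try:
        ts_text, _ = cookie.split(".", 1)
        ts = int(ts_text)
    except (ValueError, AttributeError):
        return False
    now = int(time.time()) if now is None else int(now)
    if not 0 <= now - ts <= TTL_SECONDS:
        return False
    expected = make_cookie(address, list_name, ts, secret)
    try:
        return hmac.compare_digest(expected, cookie)
    except TypeError:  # non-ASCII garbage in the cookie
        return False


class MailingList:
    """Step 1 answers any subscribe request (genuine or forged) with a mail to the
    address in question; step 2 subscribes only on presentation of that mail's cookie."""

    def __init__(self, name, secret=SECRET):
        self.name = name
        self.secret = secret
        self.members = set()

    def request(self, address, now=None):
        """Step 1. Returns the confirmation mail that would be sent to `address`; the
        requester (possibly a forger who never sees that mailbox) gets nothing useful back."""
        cookie = make_cookie(address, self.name, now, self.secret)
        return (f"To: {address}\nSubject: Confirm subscription to {self.name}\n\n"
                "Reply to this message with the line below to be subscribed:\n"
                f"CONFIRM {cookie}\n")

    def confirm(self, address, cookie, now=None):
        """Step 2. Subscribes `address` only if the cookie is the one we sent to that address."""
        if not check_cookie(address, self.name, cookie, now, self.secret):
            return False
        self.members.add(address.lower())
        return True
```

A forged request for victim@example.org only results in a mail to victim@example.org; the forger never sees the cookie, and a cookie he legitimately obtained for his own address fails the check for anyone else's.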
This practice of mailing people who post to usenet has made some areas of usenet all but unusable. As an experiment, I recently created a new account and made ONE single post to usenet with it; the account has never sent *any* email offsite; our account names are not published elsewhere, so any mail that account ever received must come as a result of its usenet posting. In the two weeks to date since it posted, it has received SIXTY-EIGHT spams, the most common of them being people trying to sell me junkmail lists or junkmail services. (The address is changed in the file referenced above just so posting it here doesn't attract any more spams. You can see the real address from the DejaNews link.) This junk has been excellent test fodder for our new junkmail filtering software. (ADD: whole section on filter code)
So, how can we block email spam? Well, there are three main ways:
Router Blocking
This is a tactic currently being exercised by a group of ISPs who have configured their routers to block connections to their networks from a blacklist of banned IP addresses. This is done by sharing a BGP4 feed of routes in which the bad guys' address blocks are routed to the null interface: packets destined for those blocks (including the replies needed to complete a TCP handshake) are silently dropped, so the spammer's mail host can never get a connection open. Blocking in this fashion has the advantage that the ISP's mail machines never even see the spam to begin with, and therefore aren't affected by gross volumes of spam arriving which would have to be disposed of using one of the methods below. It has the disadvantage that you have to be running BGP4 routing, which many small single-homed ISPs are not doing. (Current advice is that single-connection ISPs *should not* run BGP4, to keep the global routing table size down.) There's also a question (I don't know if this is significant or not - haven't asked anyone doing it) of whether the filters slow down ordinary packets on the net. I believe having a large number of specific filters is bad for performance, but using the null route trick may be quite efficient.
Router blocking means that the sender fails to connect, and causes mail queues to build up at the sender's end. This is probably a good thing in the case of spammers but bad in general. It is also indiscriminate: because the null route covers the whole address block, it blocks all traffic to and from those addresses, not just mail, and it blocks third-party spam and mail sent directly to your users alike. Depending on how you interpret the legal situation on blocking mail to your users (do you have their consent?) this may be a bit too heavy-handed.
Daemon Blocking
You can configure your SMTP daemon (let's say sendmail here, though
some people use others) to reject mail on various grounds. This can
be a good way to block because the sender gets an explicit SMTP error
reply saying why the mail was refused, and the refusal happens before
your machine has to store the message. Sendmail blocking can be set
up to block third-party relaying only (mail from outside, addressed
to outside, merely passing through your host), to block mail to your
own users, or both; it can selectively block specific hosts on a
network rather than always the whole network, and it can block mail
to specific users. It can also be made to catch outgoing spams from
local users posted through your service. However, none of this is
easy and most of it requires a deep understanding of sendmail,
and writing code to hook into sendmail, so it would cost a lot of
manpower on the part of the ISP. This waste of our time is another
reason why spam is bad.
The latest version of sendmail has a lot more support for these
things built in, including finally tcp_wrapper support. I would like
to think that TISPA ISPs would co-operate in adding more anti-spam
features to sendmail.
Something I would dearly love to see, but doubt anyone has the manpower
for such an ambitious project, would be a major revision of sendmail where
it has spam filters built in in the manner of LSOFT's LISTSERV network,
which exchanges spam information between sites. There are however some major
privacy concerns that would need to be met before a project like that could
be emulated for personal email as opposed to public mailing lists.
In the meantime, I have developed and am releasing for TISPA members
some modifications to sendmail which do third-party relay
blocking and, experimentally, on a per-user basis, spam filtering.
Andrew Daniel has written an easy-to-use Perl utility which can check if your
mail host is vulnerable to third-party relaying. (If it doesn't work first time, change
the #!/usr/bin/perl line to point at perl5.)
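As an added example covering both the daemon-level rejections described in this section and the third-party relay check the Perl utility performs, here is the RCPT TO decision a mail daemon could make, written in Python rather than as sendmail rules, and not taken from the page's or TISPA's code. The domain names, address ranges, the enhanced status text and the "our customers must use our return address" rule are all assumptions made for the example.

```python
import ipaddress


def parse_addr(addr):
    """Split an envelope address like '<user@Example.org>' into ('user', 'example.org').
    The null sender '<>' used by bounces yields ('', '')."""
    local, _, domain = addr.strip().strip("<>").rpartition("@")
    return local, domain.lower()


class RelayPolicy:
    """Decision taken at RCPT TO time, before any message data is accepted.
    Constructed example of the checks a daemon can make; not sendmail's own logic."""

    def __init__(self, local_domains, relay_networks, blocked_networks=(),
                 blocked_sender_domains=(), per_user_blocks=None,
                 require_local_sender=True):
        self.local_domains = {d.lower() for d in local_domains}
        self.relay_networks = [ipaddress.ip_network(n) for n in relay_networks]
        self.blocked_networks = [ipaddress.ip_network(n) for n in blocked_networks]
        self.blocked_sender_domains = {d.lower() for d in blocked_sender_domains}
        self.per_user_blocks = {u.lower(): {d.lower() for d in ds}
                                for u, ds in (per_user_blocks or {}).items()}
        self.require_local_sender = require_local_sender

    @staticmethod
    def _within(ip, networks):
        ip = ipaddress.ip_address(ip)
        return any(ip in net for net in networks)

    def decide(self, client_ip, mail_from, rcpt_to):
        """Return (SMTP code, reply text) for one recipient. 250 accepts; 550 refuses
        with a reason the sending host will see in its queue logs or bounce."""
        from_dom = parse_addr(mail_from)[1]
        rcpt_local, rcpt_dom = parse_addr(rcpt_to)
        # 1. Whole-network block: the daemon-level equivalent of the router blacklist,
        #    but it affects only SMTP and only this host.
        if self._within(client_ip, self.blocked_networks):
            return 550, f"5.7.1 Connections from {client_ip} refused: listed as a spam source"
        # 2. Sender-domain block, wherever the connection comes from.
        if from_dom in self.blocked_sender_domains:
            return 550, f"5.7.1 Mail from {from_dom} is refused here"
        # 3. Mail for our own users: deliver, unless that user asked us to block the sender.
        if rcpt_dom in self.local_domains:
            user = f"{rcpt_local.lower()}@{rcpt_dom}"
            if from_dom in self.per_user_blocks.get(user, ()):
                return 550, f"5.7.1 {rcpt_to} does not accept mail from {from_dom}"
            return 250, "2.1.5 Recipient ok"
        # 4. Mail for elsewhere: relay only for our customers' connections, and (assumption)
        #    only with one of our domains as return address, null sender excepted for
        #    bounces, so a local user cannot spam the world under a forged address.
        if self._within(client_ip, self.relay_networks):
            if self.require_local_sender and from_dom and from_dom not in self.local_domains:
                return 550, f"5.7.1 Return address {from_dom} is not one of our domains"
            return 250, "2.1.5 Recipient ok (relaying for our customer)"
        # 5. Outside sender, outside recipient: the third-party relay spammers look for.
        return 550, (f"5.7.1 Relaying denied: {client_ip} is not our customer "
                     f"and {rcpt_dom} is not local here")


def looks_like_open_relay(policy, probe_ip="203.0.113.5"):
    """The test a relay-checking utility performs from outside: outside sender, outside
    recipient. Any 2xx answer at RCPT TO means the host will carry anyone's mail."""
    code, _ = policy.decide(probe_ip, "<probe@outside.example>", "<victim@elsewhere.example>")
    return 200 <= code < 300
```

The order matters: the relay decision (steps 4 and 5) is reached only for recipients that are not local, so it can never refuse mail to your own users by accident, while the per-user block in step 3 lets one user opt in to blocking without affecting anyone else.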
Delivery Blocking
Finally, a less intrusive form of spam-blocking is to block at the
point of final delivery to the user. This can be done either on the
user's own system, if it is powerful enough, or by the ISP as it saves
the messages into the user's shell or POP3 mailbox (assuming that's how
the ISP is configured; not all are). Although personally I would prefer
to spend the effort on sendmail blocking, I am currently running an
experiment with delivery-agent blocking because it is much easier and
less disruptive to a running service to experiment in a way that only
affects one user.
The filtering software I am working on tags a piece of mail as spam by
inserting an extra header into the mail before filing it. The user
can then filter on the presence of that header and make up his
own mind how to dispose of the mail. This method has the advantage
of giving the ISP some degree of immunity from lawsuits by spammers
who say we're interfering with their trade (nothing is refused or
deleted by the ISP; the user decides), but has the disadvantage
that the user still has to download the mail in order to handle it.
Personally I sidetrack all tagged mail to a 'probably-spam' mailbox, then
check it once a day for anything that may be legitimate mail that
slipped through.
There's a trade-off to be made here: do you write aggressive filters
that catch all spam but also some non-spam, or do you write
conservative filters that guarantee everything they catch is spam but
don't catch all of it? Personally I prefer the aggressive approach
coupled with a buffer mailbox to check things before I delete them,
but others may want to trash it unread and would therefore insist on
the conservative approach. This is all just detail and can be parameterized
in later versions of the code.
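An added example of the delivery-time tagging and the aggressive/conservative trade-off just described; it is not the author's filtering software, and the header names, the rules, their point values and the two sample messages are all constructed for the illustration. The delivery agent only adds a score header; the user's own filter then chooses a threshold, and the same borderline message lands in different mailboxes depending on which setting is used.

```python
import re
from email import message_from_string

SCORE_HEADER = "X-Junkmail-Score"  # hypothetical header names; the page does not name its own
HITS_HEADER = "X-Junkmail-Hits"
FREEMAIL = {"juno.example", "hotmail.example"}  # stand-ins for throwaway return-address providers


def _body_text(msg):
    """Plain-text body (all text/plain parts of a multipart message), decoded leniently."""
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join((p.get_payload(decode=True) or b"").decode("latin-1", "replace")
                     for p in parts)


def _from_domain(msg):
    return msg.get("From", "").rsplit("@", 1)[-1].strip("> ").lower()


# Each rule: (name, points, predicate(msg, body, user)). The points and the threshold
# applied to their sum are the parameters an aggressive or conservative user would tune.
RULES = [
    ("not-addressed-to-user", 2,
     lambda m, body, user: user.lower() not in (m.get("To", "") + "," + m.get("Cc", "")).lower()),
    ("shouting-subject", 1,
     lambda m, body, user: "!!!" in m.get("Subject", "")
     or (len(m.get("Subject", "")) > 10 and m.get("Subject", "").isupper())),
    ("remove-instructions", 2,
     lambda m, body, user: re.search(r"\b(to be removed|remove me|reply with remove)\b",
                                     body, re.I) is not None),
    ("freemail-return-address", 1,
     lambda m, body, user: _from_domain(m) in FREEMAIL),
    ("address-list-for-sale", 3,
     lambda m, body, user: re.search(r"\b\d[\d,]*\s+(?:fresh\s+)?e-?mail addresses\b",
                                     body, re.I) is not None),
]


def score(msg, user):
    """Return (total points, names of the rules that fired) for a parsed message."""
    body = _body_text(msg)
    hits = [(name, pts) for name, pts, fires in RULES if fires(msg, body, user)]
    return sum(p for _, p in hits), [n for n, _ in hits]


def tag(raw, user):
    """Delivery-agent step: add the score headers and return the message otherwise
    unchanged. Nothing is dropped here; the decision is left to the user."""
    msg = message_from_string(raw)
    total, names = score(msg, user)
    msg[SCORE_HEADER] = str(total)
    msg[HITS_HEADER] = ",".join(names) if names else "none"
    return msg.as_string()


def mailbox_for(tagged_raw, threshold):
    """User-side step: file on the header. A low threshold is the aggressive setting
    (more spam caught, some real mail lands in 'probably-spam' to be checked later);
    a high threshold is the conservative one."""
    msg = message_from_string(tagged_raw)
    return "probably-spam" if int(msg.get(SCORE_HEADER, "0")) >= threshold else "inbox"


# Constructed sample messages (not real mail).
SPAM = """\
From: bulk123@juno.example
To: friend@public.example
Subject: MAKE MONEY FAST!!!
Date: Mon, 3 Nov 1997 02:14:00 -0600

Earn $5000 a week from home. We will sell you 10,000,000 fresh email addresses
on CD-ROM for $49. To be removed from our list, reply with REMOVE in the subject.
"""

LEGIT = """\
From: bob@elsewhere.example
To: jane@my-isp.example
Subject: Re: dinner on Friday
Date: Tue, 4 Nov 1997 09:30:00 -0600

Sounds good, see you at seven. Please remove me from the planning list
if you have already booked the table.
"""
```

The legitimate message scores 2 because "remove me" trips a rule: with an aggressive threshold of 2 it goes to the buffer mailbox and is rescued on the daily check; with a conservative threshold of 5 it stays in the inbox, and any spam scoring under 5 gets through with it.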
Many of the major spamming outfits work by getting disposable
dialup accounts from big providers like AT&T and UUNET, and
they use those to inject the mail at yet another provider's site
(relaying it through a third party's mail host), and the injected
mail has either a fake return address or a disposable return address
somewhere like Juno or Hotmail, and for good measure they throw in
some faked Received: lines as well. Bear in mind that only the
Received: lines stamped by your own machines can be relied on; every
line below them was composed by whoever handed you the mail and may
be invented. The ones who are spamming from their own T1-connected
sites have other tricks like spoofed reverse DNS, not to mention an
ISP that is actually the same company as the spammer in disguise, so
that complaints to the ISP are apparently handled well but in reality
the spammer continues.
So, tracking a spammer from the headers is difficult but not always
impossible; however, what is much more fun is tracking the spammer
from the content of the mail. This is easy because spammers
are by nature greedy people: although they go to great lengths
to keep their real email addresses out of their spams, and usually
supply the advertised article by postal mail in response to orders
mailed to a mailbox company, they very seldom go to the bother
of ordering a new telephone number for the purposes of sending a
one-off round of spam. So, when you get a completely anonymous
junk mail that contains a telephone number, search the net for
that number and see if they are using it in their advertising
on some other web page somewhere. Chances are high they are.
Reverse phone number lookups and phone CDs are useful here too.
Similarly, though to a lesser extent, you can track the rented mailbox
addresses: even if you can't find that particular mailbox number, you'll
find other people using the same mailbox service; if one of those
people is in a similar line of business to that advertised in the
spam, you may have found your man. You can also tell from the
area code in the phone number or the dropbox address what region
of the country the spammer is in; do a search for similar businesses
in that region, then when you find one, check the wording of
their web page for similarities to the copy in the spam.
Remember, Alta Vista is your most powerful tool; use it. Anyone who
is willing to resort to spam to advertise their services is very
likely to have already tried advertising the same thing on the web.
After a time, you learn to spot very quickly when you've found
the spammer and when it's just a coincidence of name or address.
Following a spam up in email to the person behind it, without any
explanation of how you know it was them who sent it, can be very
unnerving for a spammer who thinks he was well hidden behind
"THE LATEST IN CLOAKING TECHNOLOGY!!!" of whatever junkmail
program he was suckered into using :-)
For the less clued among us, there is a program (I haven't tried it)
called Spam Hater which reportedly does some of the
work in tracking down a forged spam. This was written by one of my
British compatriots - we Brits have a strong incentive to cut down
on incoming spam: 1) we pay for local calls by the minute at a rate
that Americans would associate with Long Distance calls; 2) 99% of
the spams received in Britain are advertising goods for sale in the US
that we have no interest in. (Actually that applies to most Americans'
view of spams too :-) )
Note: when you track down a spammer, whether from a web page or a whois entry,
file the information you found for later, because whois entries for spammers
change rapidly: they very often realise they made a mistake putting
real contact details in, and replace them with fake ones; and they
take their personal home phone number off their web page after they get
an irate phone call at 2am from someone who has just been spammed.
Tracking spam
A truly enthusiastic spammer-hunter has many tools at his disposal,
but they all start with a careful reading of the mail. You can get
clues about the spammer both from the headers and from the body
of the text. It's also extremely useful to have a good memory
and a good collection of previously-received spam.
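The careful reading of the mail, done by a program, as an added example serving both the faked-Received-lines point above and the telephone-number and rented-mailbox tracking: it walks the Received: chain down from our own MTAs to find the host that really handed us the message and marks everything below as the sender's unverified claims, then pulls phone numbers and box numbers out of the body and normalises them into the spellings to search for. The code is not from the page or the Spam Hater program; the MTA names, addresses and the sample message are constructed for the example.

```python
import re

# Hypothetical: the names and addresses of the MTAs we run. Only Received: lines
# stamped "by" one of these were written by us; everything below them is the sender's word.
OUR_MTAS = {"mail.my-isp.example", "relay.my-isp.example", "192.0.2.10", "192.0.2.11"}

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>[^\s;]+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
PHONE_RE = re.compile(r"(?<!\d)\(?(\d{3})\)?[\s.-]*(\d{3})[\s.-]*(\d{4})(?!\d)")
MAILBOX_RE = re.compile(r"\b(?:P\.?\s?O\.?\s+Box|PMB|Box|Suite)\s*#?\s*(\d+)\b", re.I)


def split_message(raw):
    """Return (list of unfolded (name, value) headers, body text)."""
    head, _, body = raw.partition("\n\n")
    lines = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and lines:   # folded continuation line
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, body


def received_hops(raw):
    """Each Received: line, newest first: the HELO name the sender *claimed*, the reverse
    DNS and IP the receiving MTA *observed* (the parenthesised comment), and that MTA."""
    hops = []
    for name, value in split_message(raw)[0]:
        m = RECEIVED_RE.search(value) if name == "received" else None
        if not m:
            continue
        comment = m.group("comment") or ""
        ip = IP_RE.search(comment)
        hops.append({"helo": m.group("helo").lower(),
                     "rdns": comment.split("[")[0].strip().lower() or None,
                     "ip": ip.group(1) if ip else None,
                     "by": m.group("by").lower()})
    return hops


def injection_point(hops, our_mtas=OUR_MTAS):
    """Walk down from the newest hop while the stamping host is ours. The first hop we
    stamped whose connecting IP is not ours is the machine that really handed us the
    mail. Returns (that hop, the hops below it, which only the sender vouches for)."""
    for i, hop in enumerate(hops):
        if hop["by"] not in our_mtas:
            break                      # not written by us: nothing further can be trusted
        if hop["ip"] not in our_mtas:
            return hop, hops[i + 1:]
    return None, hops


def phone_numbers(body):
    """Every US-style number in the text, normalised to NPA-NXX-XXXX, in order of appearance."""
    seen = []
    for npa, nxx, line in PHONE_RE.findall(body):
        number = f"{npa}-{nxx}-{line}"
        if number not in seen:
            seen.append(number)
    return seen


def search_keys(body):
    """Strings to feed to a web search: each phone number in the spellings an advertiser
    is likely to have typed on his own web page, plus any rented-mailbox numbers."""
    keys = []
    for number in phone_numbers(body):
        npa, nxx, line = number.split("-")
        keys += [number, f"({npa}) {nxx}-{line}", f"{npa}.{nxx}.{line}"]
    keys += [f"box {box}" for box in MAILBOX_RE.findall(body)]
    return keys


# Constructed sample (not a real message): the two lowest Received: lines were written by
# the spammer; our relay recorded the real dialup host behind the forged HELO name.
SAMPLE = """\
Received: from relay.my-isp.example (relay.my-isp.example [192.0.2.11])
    by mail.my-isp.example (8.8.5/8.8.5) with ESMTP id CAA04512
    for <jane@my-isp.example>; Mon, 3 Nov 1997 02:14:00 -0600
Received: from mail.aol.example (ppp-44.dial.bigprovider.example [203.0.113.44])
    by relay.my-isp.example (8.8.5/8.8.5) with SMTP id CAA04501; Mon, 3 Nov 1997 02:13:50 -0600
Received: from mx3.aol.example (mx3.aol.example [10.9.8.7])
    by mail.aol.example with ESMTP id 7731; Mon, 3 Nov 1997 02:10:00 -0600
Received: from honest.example (honest.example [10.0.0.5]) by mx3.aol.example; Mon, 3 Nov 1997 02:09:00 -0600
From: "J. Smith" <jsmith@honest.example>
To: friend@public.example
Subject: EARN $5000 A WEEK FROM HOME!!!

Call 1-800-555-0199 today or fax (512) 555-0142.
Send $29.95 to Box 1234, PMB 77, Austin TX 78701.
"""
```

On the sample, the hop our relay stamped shows a HELO of mail.aol.example against an observed reverse DNS of a bigprovider dialup: that dialup is where to send the complaint, and the two "aol" and "honest.example" lines beneath it are fiction. The 512 area code and the box numbers then give the region and the mailbox service to search on.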
Finally, here are the so far uncategorised entries from my bookmark file to do with
spam and various forms of net abuse. The best of these will be worked
into the report above as I find suitable hooks to hang them on.
Newsgroups
news:news.admin.net-abuse.misc
news:news.admin.net-abuse.email
news:news.admin.net-abuse.usenet
news:alt.spam
news:alt.stop.spamming