An Overview of Spam
1) Introduction
2) Why is it bad?
3) What to do if you get spam
4) Preventive measures for users
5) Preventive measures for Email admins
6) Conclusion
Footnotes

1) Introduction
What is spam? First of all, it is not SPAM. Please remember
that SPAM, spelled with all capital letters, is a registered
trademark of Hormel Foods Corporation and has absolutely nothing to do
with emails. [1]
Generally, most people refer to Unsolicited Commercial Email (UCE) as
spam. Paraphrasing a famous statement by a
US Supreme Court Judge, "You know spam, when you see it."
There lies the rub. What is spam for one person may not be
spam for another. Thus if a friend of yours sends a totally
idiotic email to you, it cannot be considered spam.

2) Why is it bad?
Most people do not have anything against commercial
messages or ads. They are on TV, radio, newspapers etc. and
people generally put up with them. Ads help to reduce the cost of these
channels to the public. How is UCE or spam
different? Why are most people up in arms against spam?
Folks who run ads in conventional media actually pay for
that privilege. Spamming, on the other hand, increases costs
to end users by clogging up network bandwidth, increasing
storage requirements and consuming server resources.
In other words, a totally disproportionate cost of spam
is underwritten by end users. On top of this, users have to
wade through spams to get to their actual emails.

3) What to do if you get spam
First of all, if you get a spam email and it gives some
sort of instructions to get off that list, do NOT follow
those directions. If you do, it is highly likely that
your email id is marked as a valid one and you will get
more spam. Many spams are sent to common names at various
domains (dictionary attack) and replying back only confirms
the validity of your email address. Apparently the street
price of valid ids is considerably higher than that of the
culled addresses that are sold in bulk.
Secondly, do NOT forward spams to your friends!
It is mystifying to me that there are people who actually
forward whole spam emails to me. At best, if you need help,
send only the full headers of the emails to your friends.
Thirdly, if you are technical and committed, submit that
spam information to various spam collection sites. Some of
those sites may help in contacting the proper ISP or domain
from where that spam originated. Unless you are absolutely
sure of your technical abilities in reading headers, do not
accuse or contact a suspected spammer directly. More often
than not, "From: " addresses are spoofed.
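
An added example (not part of the original article) of what reading "full headers" involves: it compares the claimed "From: " domain with the Received line written by your own mail server, which the sender cannot forge. The message, host names and IP addresses are constructed for illustration, and mx.mydomain.example is an assumed name for your own server.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; all hosts, addresses and IPs are made up
# (example domains and documentation IP ranges).
RAW = """\
Received: from mail.bulk.example (unknown [203.0.113.45])
\tby mx.mydomain.example with SMTP id abc123;
\tMon, 01 Jan 2001 10:00:02 -0800
Received: from aol.example (localhost [127.0.0.1])
\tby mail.bulk.example with SMTP; Mon, 01 Jan 2001 10:00:00 -0800
From: "Friendly Offer" <someone@aol.example>
To: you@mydomain.example
Subject: Make money fast

Buy now.
"""

HOP = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([^\]]+)\]\)\s+by\s+(\S+)")

def received_chain(raw):
    """Return hops newest-first as (helo_name, reverse_dns, ip, recorded_by)."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append(m.groups())
    return hops

def summarize(raw, my_servers):
    """Compare the claimed From: domain with the hop my own server recorded."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    # Only a Received line written by a server you trust is reliable evidence;
    # lines further down were supplied by the sender and can be invented.
    trusted = [h for h in received_chain(raw) if h[3].lower() in my_servers]
    helo, rdns, ip, _ = trusted[0]
    return {"from_domain": from_domain, "handed_over_by_ip": ip,
            "reverse_dns": rdns, "helo": helo}

if __name__ == "__main__":
    print(summarize(RAW, {"mx.mydomain.example"}))
```

Here the message claims to come from aol.example, but the only trustworthy hop shows it was handed over by 203.0.113.45, a host with no reverse DNS; any complaint belongs with whoever runs that address, not with the "From: " domain.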

4) Preventive measures for users
Interestingly enough, end users expose their email ids and
that of their friends all the time. Let us say that you want
to send the same email to Tom, Dick and Harry. Most people
just put all three email ids in the "To: " header and send
it. If that message gets forwarded to someone else (a very
common occurrence), that person now knows four valid email
ids. Guess what that person is going to do, if she or he
is a spammer?
Learn to use "Bcc: " header instead of "To: " header.
Bcc stands for Blind Carbon Copy and most mailers support
it. In the body of the email, just say something like
"Hello Tom, Dick & Harry" so that they know that
particular message was sent to all of them.
If you forward somebody's email, make sure that the
sender's email id is not forwarded, unless there is
a very specific reason for doing so. Usually it is
enough to quote the sender's name.
Learn to send plain text emails [2]. This actually
can make spam recognition by your friends easier,
in addition to zillions of other advantages :-)
If you post messages to public lists, try to use
different ids. After all, email ids from Yahoo,
Netscape or other places are currently free.
Thus at least your primary id will be clean and
your friends can contact you on that.
Try not to use common names as email ids.
Though this does not directly apply to spam, try not to
keep your email addresses in a computer address book. If
your computer gets infected with a virus, many of them
send themselves in the background to all email ids in an
address book. Just put only the address of your secondary
email id in an address book. That way, only you will get
the virus mailed by your own computer! A very nice heads-up
arrangement to track such viruses.
Also use other common sense stuff like not forwarding
chain letters to your friends, particularly the kind that
asks you to list email addresses of ten friends in the body
of the email - how gullible can a person be? Don't fall for
the old "hook, threat, request" routine.

5) Preventive measures for Email admins
(This section may be a tad technical)
First and foremost, run a server that respects Internet RFCs
and is not brain dead. Something like Postfix [3] or qmail [4]
comes to mind. If you are one of those persons who absolutely
needs to spend money to get a MTA, donate that money to your
favorite vegan or environmental non-profit group and then get
Postfix or qmail ;->
Configure your DNS correctly. It is appalling to find big
companies even in SF Bay Area who have misconfigured
DNS entries for their email servers.
Make sure that your server is not an open relay!
This is of paramount importance, as the super
majority of UCEs come via open relays.
If you have a website, make sure that it does not allow
programmatic transmission of emails to outside addresses.
Some people copy various mail sending cgi programs to their
websites, which are exploited by spammers.
Put some anti-UCE controls on your server. What and how
strict you want to be will be left to your organization.
There are quite a lot of broken mailers out there on the
Internet. Maybe they feel smug because they paid good
money to some company or other to get some non-RFC
compliant software. Whether you accept mail from these
servers is left to you. Use of RBLs can be helpful,
if you agree with their policies.
For example, some other checks on my server are:
- reject unknown sender domain (if the sending domain
does not even exist, there is no need to receive an email
from a non-existent domain). Additionally what will you do,
if that email has to be bounced?
- reject unknown client (if DNS of sending server is not set
properly, external email will not be accepted on my server).
- reject non FQDN sender and recipient (obviously)
- DNS check on sending (envelope sender) domains
(if an email claims to be from an AOL id, it better
originate from an AOL server). Be prepared to handle
valid exceptions to this from remailing services.
- reject any email that claims to be from the domains hosted
on my machine! (a blatant attempt at forgery)
Obviously, the above restrictions may not be suitable
for some organizations. But there is no excuse in my
book for being an open relay.
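
The open-relay test and several of the checks listed above, written out as one decision function. This is an added example, not the author's server configuration; the networks, domains and the check_envelope and domain_exists names are assumptions, and the DNS lookups are replaced by values passed in so that it runs offline.

```python
import ipaddress

# Assumed site settings (constructed for this example).
MY_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]   # our own clients
LOCAL_DOMAINS = {"mydomain.example"}                    # domains we host

def is_fqdn_address(addr):
    """True for user@host.tld style addresses with a dotted domain part."""
    local, at, domain = addr.rpartition("@")
    labels = domain.split(".")
    return bool(local and at) and len(labels) >= 2 and all(labels)

def check_envelope(client_ip, client_has_dns, mail_from, rcpt_to, domain_exists):
    """Return (accept, reason) for one SMTP envelope.

    client_has_dns: outcome of the DNS check on the connecting server.
    domain_exists:  callable(domain) -> bool, standing in for a DNS lookup.
    An empty mail_from is the null sender used for bounces and is exempt
    from the sender checks.
    """
    inside = any(ipaddress.ip_address(client_ip) in n for n in MY_NETWORKS)
    if (mail_from and not is_fqdn_address(mail_from)) or not is_fqdn_address(rcpt_to):
        return False, "non-FQDN sender or recipient"
    sender_dom = mail_from.rpartition("@")[2].lower()
    rcpt_dom = rcpt_to.rpartition("@")[2].lower()
    # Open-relay test: outsiders may only deliver TO domains we host.
    if not inside and rcpt_dom not in LOCAL_DOMAINS:
        return False, "relay access denied"
    if not inside:
        if not client_has_dns:
            return False, "unknown client"
        if sender_dom in LOCAL_DOMAINS:
            return False, "forged local sender"
        if mail_from and not domain_exists(sender_dom):
            return False, "unknown sender domain"
    return True, "ok"

if __name__ == "__main__":
    known = {"aol.example"}.__contains__   # constructed stand-in for DNS
    for env in [("203.0.113.9", True, "a@aol.example", "b@elsewhere.example"),
                ("203.0.113.9", True, "boss@mydomain.example", "me@mydomain.example"),
                ("192.0.2.10", True, "me@mydomain.example", "b@elsewhere.example")]:
        print(env, "->", check_envelope(*env, known))
```

A server that answers "ok" to the first envelope, an outside client sending to an outside recipient, is an open relay.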

6) Conclusion
[ If you read till here without falling asleep,
I am flabbergasted :-) Kudos to you! ]
We looked at some elementary and common sense ways
of combating spam, both at the user level and admin
level. Please note that if you programmatically
reject some email as spam, it is always possible that
some rejected email was a valid one. Put in another
way, it is always possible that there are false
positives in spam detection. So be very careful.
There are quite a few places to get additional information
or help like CAUCE (Coalition against Unsolicited Commercial
Email [5]). If you plan to get really aggressive in fighting
spam, remember to stay on the right side of the law.
Other helpful suggestions are to have at least a basic
understanding of the structure of an email (so that phrases
like "full headers" don't leave you nonplussed). Additionally,
do not allow automatic execution of programs when an email
arrives.
There are some attempts to pass certain laws to limit or
ban spamming. [6] So far, they have not had any effect or
the laws themselves were never passed. Many spammers (and
unfortunately some clueless folks) like to quote
S.1618/H.R. 3888 in their disclaimer. Unfortunately nothing
came out of it [7], except possibly help in recognizing
spams by looking for that disclaimer :-)
In summary, learn to recognize spam and get rid of it.
Make sure that your email admin has set up DNS properly
and is not running an open relay (don't be part of the
problem). Finally, never do business with a spammer.

Footnotes
[1] http://www.spam.com/ci/ci_in.htm
[2] http://www.expita.com/nomime.html
[3] http://www.postfix.org/
[4] http://cr.yp.to/qmail.html
[5] http://www.cauce.org/
[6] http://www.spamlaws.com/
[7] http://www.cauce.org/legislation/s1618_hr3888.shtml
Source: Mr. Das Devaraj