This post focuses on the S-word. SPAM.
How can ISPs & Web Hosts stop spam? How can we fight back? What tools can we use to fight back? What methods can be used on the server-level to protect end-user inboxes?
There are some things in life that just make me smile:
- Ice cream
- Watching Borat sing “Everybody dancing now”
- Brokeback Mountain becomes Spongebob brokeback
But this makes me smile from ear to ear:
Earthlink awarded $11 Million from Spammer
Spam is a problem that is plaguing not only end-users but web hosts, ISPs, backbone providers and network administrators as well.
While the CAN-SPAM legislation is weak, it provides an essential first step towards fighting spam in the legal arena. Making it illegal to forge headers and return addresses gives companies a legal basis for prosecuting spammers in the United States. Obviously more needs to be done, but the CAN-SPAM act is better than nothing.
It is obviously every good netizen’s (net citizen?) dream to eliminate SPAM. SPAM has turned one of the quickest and most far-reaching methods of communication into a daily hassle and waste of time.
SPAM is damaging the internet community in many ways. A few of the main problems caused by spam:
- End user frustration. End-users are frustrated by the amount of SPAM in their inbox. Instead of experiencing a life-changing way of communicating with relatives in another country or engaging in commerce, they are forced to sift through myriad messages to weed out the ones they actually want to read. In extreme cases, this deluge of spam may even cause light users to stop using E-mail altogether.
- Hijacked computers. A large portion of bulk email is sent from hijacked and compromised computers. While many spammers rent their own servers, there are networks of hijacked PCs that are sold in blocks of thousands for use by spammers. Setting aside the fact that such behavior is illegal, anyone who has used or tried to disinfect a hijacked PC knows that it often slows to a crawl, crashes, or consumes an entire household’s worth of bandwidth, degrading the performance of every other computer in the house. Just like the point above, this frustration will lead many users to abandon their computers or waste money on having them repaired.
- Lost emails. A direct result of SPAM is the loss of legitimate and valuable emails.
- Accidental Deletion. Legitimate emails are often lost in the process of a user repeatedly clicking ‘Delete’ while clearing their Inbox of SPAM.
- Spam filters. To combat SPAM, many E-mail service providers filter incoming email for SPAM and viruses. It is unrealistic to believe that SPAM filters will never tag a legitimate email as spam. When this happens, either the email is discarded by the E-mail provider’s servers, or the message winds up in the Spam folder where it may be discarded before the end-user reviews it and realizes that it was not spam.
- Wasted time & productivity. According to a Linux News article, spam costs $20 billion – yes, billion – each year in lost productivity, and it costs enterprises between $600 and $1,000 each year for every user.
- Effects on ISPs, backbones, network administrators & servers. Unquestionably, SPAM has caused a huge headache for network operators of all types. Throughout the internet chain, from the E-mail service provider to the backbone providers, SPAM is costly.
- Web hosting providers & E-mail service providers are forced to set up spam and virus filtering systems to protect their end-users. For large web hosting companies, ISPs and enterprises this means the additional overhead of purchasing dozens, hundreds or even thousands of spam scanning servers, as well as the additional overhead and staff time of managing all those systems.
- ISPs (i.e. residential DSL/cable modem providers as well as enterprise connectivity providers) and network backbone operators are forced to expand their networks to carry the new deluge of spam and viruses. A hijacked computer can easily send out thousands or tens of thousands of spam/virus emails each day. Having to carry this extra (unwanted) traffic, ISPs will raise their rates – because even if you are not using your internet connection, your hijacked computer sure is.
- System / network administrators. In addition to end-user or employee assistance, help desks and system administrators now have to worry about finding infected computers, cleaning them, and educating end users about safe computing practices. Locating infected machines takes a network administrator valuable time (most often because of inadequate logging or firewall policies).
- Web hosting companies. Insecure sendmail scripts are now exploited thousands of times a day to send spam. Often this results from customers running an old version of a publicly available PHP or Perl script. What is alarming is that spammers are now starting to exploit custom-written mailing scripts – using search engines to find email forms and then testing each one individually for vulnerabilities. This shows extreme dedication on the part of the spammers – they are testing custom-written, unknown scripts for vulnerabilities and exploiting them. It has now become the web host’s job to locate insecure scripts and notify customers. Large-scale exploitation of insecure scripts can endanger a web host’s standing with ISPs or even get its email servers listed on public black lists such as SPEWS or SORBS – resulting in a portion of the internet not accepting email from customers on those servers.
A real-life analysis
The above graphic is an image of data collected from just one inbound spam filtering server that we run for our web hosting customers. This one server was processing over 100,000 spam emails per day at its peak. Spam is not a minor issue for ISPs, email service providers or web hosts – the infrastructure required to weed out spam and viruses is expensive and time consuming to operate and update.
Later on in this post I will go into detail about how we cut down the amount of spam our servers had to process by checking a connecting computer’s IP address before accepting email from it.
There are many ways that we can fight back against the spammers.
- End user education. There would be no spam if end-users didn’t actually open or respond to it. The economics of running spam networks and operations require that at least a small portion of the recipients open or act on spam emails.
Network administrators and computer-savvy ‘nerds’ must start to educate end users about the dangers of clicking on unknown popups, downloading unknown files and not updating their computers, because these actions directly result in the compromise of their machines. A single click by an uneducated end user can cause havoc for system and network operators. End-users must also be taught never to reply to spam – replying only confirms to the spammer that your email address is live. It is also important to note that simply opening a spam email can validate your address: spammers often place unique hidden (or visible) images or code in emails that identify you as having viewed the image or run the code. [tip: set your email reader not to show images in emails unless you specifically allow it.]
- Spam filtering. Email providers and web hosts are increasingly successful at keeping spam from ever reaching their end-users’ inboxes. Personally, I’ve seen the results of AOL’s spam filtering and I’m very impressed. Probably one or two junk emails get through each day – for someone who checks their email once a month, that could mean 30-60 junk emails – and that would be terrible.
Email service providers are becoming increasingly efficient at keeping spam out of their end-users’ inboxes. Software such as SpamAssassin can be run server-wide to help filter out unwanted emails. DNS black lists such as SORBS, SpamCop and Spamhaus can help your server reject connections from unwanted IP addresses (computers which are hijacked, vulnerable, etc.). The problem with these methods is simply that they require more CPU and processing power. Checking black lists and running SpamAssassin or ClamAV (a free Linux virus scanner) requires a large amount of resources, which cost money.
A powerful and effective spam and virus protection system can be built at the web host / E-mail provider level with free software. Incoming email servers should always run a combination of:
- DNS Black list checks – SpamCop(.net), Sorbs(.net) etc.
- SpamAssassin(.org) Spam-filter
- ClamAV(.net) Virus Scanner
If you look at Figure 1 (above), you can see that when Elite Hosts started to implement RBLs (real-time block lists, aka DNS block lists; a few examples are given above), the amount of spam that just one of our many incoming email servers processed fell from around 60,000 messages per day to around 2,000 messages per day! If that is just one server, imagine how much processing power we saved across all of our incoming email servers.
Three other useful, but less commonly used, techniques for combating spam at the server level are:
- Require reverse DNS. Requiring connecting machines to have reverse DNS allows you to easily identify connecting servers. You can then use these results to block certain domains from sending to your email servers. For example, with the exception of their actual email servers, we block connection attempts from any computer with a hostname ending in comcast.net that is not a static email server. Figure 1 (above) shows that requiring reverse DNS reduced the spam messages per day processed on one server from around 2,000 to 1,000.
- Sender call-back. This is one anti-spam mechanism used by cPanel. The mail server connects to the email server of the domain in the From: address and checks whether the sending address is a valid email address. This helps to filter out spam from those spammers who are just too lazy (or dumb?) to use an existing email address or domain when sending to you.
- SPF. This is a controversial technique for verifying the sender of an email. SPF has become controversial because it uses the DNS TXT record of a domain to specify the servers that are allowed to send email for that domain. In my opinion, loss of the (rarely used) TXT record is a good exchange for the benefits. SPF is more of an anti-phishing tool than an anti-spam tool. SPF simply looks up the domain of the sender and verifies that the email is coming from an accepted server. This means that if you receive an email from firstname.lastname@example.org, an SPF-capable email server will ask PayPal whether the computer sending the message is in fact a valid email server that is allowed to send email for the domain. The thought behind SPF is excellent – verifying that connecting servers are sending email for domains that they are responsible for – however some argue about the implementation and the use of the TXT record.
Bottom line: If SPF stops phishing attacks from reaching end users (which it does!), then it is a step in the right direction. This will not eliminate spam, but at least it will protect uneducated users from replying to email@example.com with their PayPal passwords. In order for SPF to be really effective, it needs to see more widespread usage – major companies (AOL, eBay, PayPal) already publish SPF records, but email servers need to start checking those records.
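The connection-time IP checks described here (DNS block list lookups) together with the reverse-DNS requirement discussed further down, as an added example that is not the post's own code: the DNS answers, hostnames and the dynamic-hostname pattern are all constructed, and the lookup function is injected so the example runs offline.

```python
import ipaddress
import re

# Constructed answers standing in for real DNS (not data from the post): DNSBL
# zones answer 127.0.0.x for listed addresses; PTR/A records back the rDNS check.
FAKE_DNS = {
    "4.3.2.1.bl.spamcop.net": "127.0.0.2",
    "4.3.2.1.dnsbl.sorbs.net": "127.0.0.6",
    "4.3.2.1.in-addr.arpa": "c-1-2-3-4.hsd1.example-cable.net",
    "c-1-2-3-4.hsd1.example-cable.net": "1.2.3.4",
    "9.8.7.6.in-addr.arpa": "mx1.example.org",
    "mx1.example.org": "6.7.8.9",
}
def fake_lookup(name):
    return FAKE_DNS.get(name)   # swap in a real DNS query to deploy this

def reversed_name(ip, zone):
    """DNSBL and PTR queries both use the IPv4 octets reversed under a zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone

def dnsbl_hits(ip, zones, lookup):
    """Zones that list the IP, with the 127.0.0.x code each one returned."""
    hits = []
    for zone in zones:
        answer = lookup(reversed_name(ip, zone))
        if answer and answer.startswith("127."):
            hits.append((zone, answer))
    return hits

# Hostname shapes typical of dynamic/residential pools (pattern constructed for
# this example; the post blocks non-static comcast.net hosts the same way).
DYNAMIC_HOST = re.compile(r"^(c|cpe|dhcp|dyn|pool|dsl)[-.]?\d+[-.]")
def rdns_check(ip, lookup):
    """Forward-confirmed reverse DNS: PTR must exist and resolve back to the IP."""
    ptr = lookup(reversed_name(ip, "in-addr.arpa"))
    if not ptr:
        return ("reject", "no reverse DNS")
    if lookup(ptr) != ip:
        return ("reject", "reverse DNS does not resolve back to " + ip)
    if DYNAMIC_HOST.search(ptr):
        return ("reject", "dynamic hostname " + ptr)
    return ("accept", ptr)

def connection_policy(ip, lookup, zones=("bl.spamcop.net", "dnsbl.sorbs.net")):
    """Decide at connect time, before any message data is accepted."""
    hits = dnsbl_hits(ip, zones, lookup)
    if hits:
        return ("reject", "listed in " + ", ".join(zone for zone, _ in hits))
    return rdns_check(ip, lookup)
```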
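As an added example (not code from the post or from cPanel), here is a minimal SPF evaluator of the kind an incoming mail server runs before accepting a message; the TXT records and the example.com and _spf.mailer.example names are constructed, only the ip4, ip6, include and all mechanisms are implemented, and the reject-on-hard-fail policy at the end is this example's choice.

```python
import ipaddress

# Constructed TXT records standing in for real DNS (not records from the post):
# example.com authorizes two IPv4 ranges directly and delegates a provider's
# ranges via include:, then rejects everything else with -all.
FAKE_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 "
                   "include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:203.0.113.0/26 ~all",
}

def fake_txt(domain):
    """Stand-in for a TXT lookup; swap in a real resolver to deploy."""
    return FAKE_TXT.get(domain)

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(client_ip, sender_domain, txt_lookup, depth=0):
    """Minimal SPF evaluation covering ip4, ip6, include and all.
    Returns pass, fail, softfail, neutral, none or permerror."""
    if depth > 10:                      # bound include: recursion
        return "permerror"
    record = txt_lookup(sender_domain)
    if not record or not record.startswith("v=spf1"):
        return "none"                   # domain publishes no SPF record
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier, mech = ("+", term) if term[0] not in RESULT else (term[0], term[1:])
        name, _, arg = mech.partition(":")
        if name in ("ip4", "ip6"):
            # an IPv4 address is never inside an IPv6 network, and vice versa
            if ip in ipaddress.ip_network(arg, strict=False):
                return RESULT[qualifier]
        elif name == "include":
            if spf_check(client_ip, arg, txt_lookup, depth + 1) == "pass":
                return RESULT[qualifier]
        elif name == "all":
            return RESULT[qualifier]
        # a, mx, exists and other mechanisms are out of scope for this example
    return "neutral"

def accept_mail_from(client_ip, sender_domain, txt_lookup=fake_txt):
    """Reject only a hard SPF fail (the forged-sender case the post describes);
    softfail and neutral are better fed into spam scoring than refused outright."""
    return spf_check(client_ip, sender_domain, txt_lookup) != "fail"
```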
The Future of Spam
Spammers are not stupid. Like many other things in life, Spammers will adapt and change with the times.
Spammers are not oblivious to spam filters – to the contrary, spammers work day and night to craft email messages that receive low scores on spam filtering systems. Spammers are increasingly shifting to image-based spam so that spam-filtering software can’t find the key words and phrases it needs to tag the messages as spam.
Anti-spam companies are also fighting back – working to develop software that recognizes spam text in image-based spam emails, and other advanced modules, to help stay in step with the spammers.
Spammers are also diversifying, experimenting with new mediums such as instant messaging and blogs. I have yet to receive an IM spam (I hope that this doesn’t jinx it), but I can imagine how upset I will feel when my private IM space is invaded by a new IM window from a spammer. Spammers are also moving to blogs, forums and community systems, creating automated scripts that post their customers’ product URLs in blog comments, forum posts and more. Just as the email anti-spam companies are fighting back, these communities are coming up with methods to block this automated spam – image captchas, audio passwords and other interesting methods.
Conclusion & Summary
Unfortunately, it looks like spam is here to stay – wasting our valuable time, money and resources. There are many things that we can do to retake our inboxes and put spammers out of business:
- Better end-user education
- Better legislation to prosecute spammers
- Better programmer education – teaching programmers how to write secure scripts that send email
- Residential and small business ISPs should block outbound SMTP port 25 by default (with the option to enable it upon request)
- Microsoft, the provider of over 95% of the world’s desktop systems, has to build stronger security into its products. How is it acceptable that one click can cause a program to download and take over your computer? How is it acceptable that an un-updated Windows installation can be compromised within minutes of being connected to the internet? It is excellent that Microsoft has now decided to focus on security, but it might be too late. For the last few years, Microsoft has been handing its customers’ computers to hackers.
- Web hosts and email service providers should install spam scanning software, use spam black lists, check for phishing via SPF and implement other common-sense methods for reducing spam, phishing and virus attacks. If web hosting companies and email providers could stop spam from being delivered to their end-users, spammers would make no money and simply disappear.
Hopefully we can take back the Internet and provide an amazing, worry-free & frustration-free experience for our end-users.