The following is a condensed overview of the who, what and where of junk E-mail, better known as Spam. Some information was derived from a great article named Stop Spam Dead in the January 2003 (Vol. 8, No. 1) issue of MaximumPC. You can purchase this issue at Barnes-n-Noble in the Columbia Mall for a limited time. Other sources for more information are listed at the end of the article.
You can find out more information about Spam at the following sites:
• www.aboutspam.com
• www.arachnoid.com
• www.cauce.org
• about.com
• Spam Irony
What is Spam?
“Although known as ‘the other Pink meat’ to most, in computing terms ‘Spam’ is a label for unsolicited E-mail received by a given account. At best such ‘junk mail’ is as tasteless as the food product it derives its name from, but more often than not, it is far worse. The hallmark of Spam is to force feed information on particular products and/or services to as many potential consumers as cheaply as possible. In recent years though, other, more devious, themes arrive in the guise of Spam such as Viruses and Hacking.”
- Maximum PC Jan. 2003 Vol8 Iss1
How does Spam find you?
Unfortunately there are more simple methods and utilities for targeting your E-mail for Spam than there are for blocking it. Most, however, can be boiled down to one of the following summaries:
- A purchase or inquiry for information is made where you are asked for and give your E-mail address. Examples: filling out a form for a Drug company web site, a sweepstakes form at the mall or contact info for a questionnaire/survey.
- During or after installing a piece of software you are asked to register it, including giving your E-mail address.
- A virus, such as the infamous Klez, infects a computer that has your E-mail address in a common area such as a contact listing, saved mail, etc., which it then uses to attempt to spread itself.
- A devious yet resourceful spammer creates an automated method of sending Spam to an entire domain (e.g. missouri.edu) by generating common IDs. For example, student accounts are always 6 char. alpha-numeric strings, like smd85f or fsc857. All the spammer has to do is generate a list based off this rule and tack on @mizzou.edu to end up with 6 ^ 6 possible E-mail addresses.
- An unethical company chooses to sell a listing of their clients' contact information to a third party.
- Server side Anti-Spam software. DoIT uses a software solution that acts as both an Anti-Virus and a limited Anti-Spam server-side solution. They are currently looking into additional Anti-Spam software, but volume pricing, server load and complexity in configuration/maintenance have held back any final solution. That being said, the Exchange Administration is working closely with the Security group to actively track down and block those ISPs where gross violations of Spam originate.
- Anti-Spam Hardware. Additionally, DoIT is putting dedicated hardware (an appliance) inline to our network that identifies E-mail traffic and filters out known Spam.
- Meaningful legislation to fight Spammers. This is a touchy subject, but one that is going to have to be dealt with. The concern is the vital line between freedom of speech on one side and infringement of privacy and waste of private resources on the other. Several states have taken stabs at Anti-Spam legislation, but so far most are rife with loopholes, so that only those instances where copyright infringement occurred have been successfully prosecuted.
What can you do about Spam?
There is no way to 100% protect yourself, but there are several steps you can take, ranging from common sense methodologies to complex, expensive software. As with anything, you must make the call on how much effort to put towards it vs. how annoying Spam is to you. The following are some solutions to help you fight Spam:
- Rules of Thumb
  - Treat your main E-mail address like your Social Security Number.
  - Delete unknown E-mail.
  - DO NOT click the “Remove me from this mailing list” link at the bottom of a Spam message!
  - Do not send and discourage friends/family from sending electronic “Greeting Cards”.
  - Do not buy products or services from a Spam message.
  - When sending to many users, put all but 1 address in the BCC (Blind Carbon Copy) field (at least 1 must be in the TO field). This way each recipient will only see that 1 address and not all the other E-mail addresses. When they forward the message, those other E-mail addresses will not be available for a compromised system or E-mail sniffing app to pry out and then Spam. This is more of a help to those you are sending your E-mail to than to you specifically, but if everyone did it, it would help all!
- Taking Action
  - Maintain two or more E-mail accounts.
  - Send the Federal Trade Commission (FTC) your Spam.
  - Report particularly offensive/unethical or illegal Spam to the University Abuse group.
  - Report Spoof Victims.
  - Run and keep up-to-date Anti-Virus Software.
- Getting Serious
  - Create a Blacklist for known spammers.
  - Create a White-list for legitimate domains.
  - Acquire an Anti-Spam program for your desktop.
  - Bounce the Message Back.
- Behind the Scenes
  - Server side Anti-Spam software. See GreyList and SPF Registration in the September 2005 news.
  - Meaningful legislation to fight Spammers.
- Treat your main E-mail address like your Social Security Number. Give it out ONLY when you absolutely must and only to trusted friends, relatives and colleagues. Never use your E-mail address to register for a product, contest or any sort of non-critical function. If you feel you must give your E-mail address, pay close attention to any radio button or checkbox where it indicates not to include you on a promotional list. Many times, when you forget something or otherwise need to make a change and click either the back button or a provided ‘edit’ button, the radio button is automatically reset to the “Send Me Spam” setting. You can usually trust large, high-profile companies such as Microsoft, Adobe, Apple, Symantec, etc., as it would be a scandal if they were ever caught giving out your registration data, but there is always a risk.
- Delete unknown E-mail. Never open an E-mail when you do not know who the sender is or, even if you do know the sender, cannot make sense of the subject line. Delete the message immediately or, at the least, save the message as a .txt file on your computer and use Notepad or another text editor to view it. Worst case scenario, if you find out you did need it, simply contact the sender and ask them to re-send it to you. HTML E-mails are viewed just like a web page and thus can run scripts, redirect you or automatically send a message back to the spammer indicating that your E-mail address is active. If you run Outlook, it is wise to disable the “Preview Pane”, as it opens a message automatically in a “half-pane” when it is highlighted. To turn it off, simply click View | Preview Pane and/or AutoPreview depending on your version of Outlook. Unfortunately other programs like Outlook Express, Netscape Messenger and earlier versions of Eudora do not let you disable this feature. It is recommended that you upgrade or change E-mail programs.
- DO NOT click the “Remove me from this mailing list” link at the bottom of a Spam message! While there is a chance that this will in fact remove you from the spammer's list, more often than not it simply informs the spammer that your account is active and declares open season on the account.
- Do not send and discourage friends/family from sending electronic “Greeting Cards”. They can be quite cute, but usually the accounts used end up in a Spammer's Easter basket!
- Do not buy products or services from a Spam message. Even if it is exactly what you are looking for, if you did not ask to receive the information in an E-mail, it is Spam. As such, clicking on the link or, worse, purchasing the product from the information in the message only justifies the sender's continued use of Spam as a method of advertisement and promotion.
- Maintain two or more E-mail accounts. Hotmail, Yahoo and Juno all offer free E-mail accounts. I have a few of these which I use when I have to enter a valid E-mail address to access a resource (i.e. before I can post a question on a web site, download cool utilities or get a valid serial number, I have to give a valid E-mail address, wait for that account to receive a confirmation E-mail, reply to it or get the password they send). I usually only access such an account 2-3 times a month, take roughly 5 min to scan anything that may be useful and mass delete everything else. Granted this can be a pain, but it can dramatically cut down on Spam.
- Send the Federal Trade Commission (FTC) your Spam. uce@ftc.gov wants your Spam. Not only do they try to attack the heaviest offenders, but they share their analyzed data with Anti-Spam groups, both commercial and not, to build a list of offenders which is used by E-mail Server Administrators (like our Exchange Group) to help block Spam.
- Report particularly offensive/unethical or illegal Spam to the University Abuse group. abuse@missouri.edu is monitored by the security group here on campus. They can analyze Spam messages to try to find the offending party or the offending party's ISP to try and stop them. Do use common sense though and do not inundate the security group with repeated or large volumes of spam. Send only messages that seriously could cause harm, are repeating to a large extent or are blatantly illegal. Be sure to include the E-mail header when you report it: see Retrieving Email Headers - Outlook.
- Report Spoof Victims. Unfortunately, one of the greatest problems with Spam is that the spammer can “spoof” or otherwise fake the “From” lines of a message to get you to open it. If you notice a valid company or user whose account is being used (a.k.a. Hijacked) as a ‘spoofed from’ account, let them know. The most notable instance of this was Flowers.com, which has been very successful in tracking down and prosecuting spammers. Many companies have an Abuse E-mail address, just like the University's, listed on their web site just for such notifications.
- Run and keep up-to-date Anti-Virus Software. I would estimate roughly a quarter of the Spam seen on campus is generated by virus infected computers. The Klez, Nimda and other Melissa variant viruses are notorious for trying to propagate themselves through E-mail. Do your part by making sure your system’s AV software is up-to-date on a regular basis.
- Create a Blacklist for known Spammers. If you are lucky, most of your Spam comes from the same domain. The domain is the part of the E-mail address after the ‘@’ (at) symbol. Many newer versions of E-mail applications, such as Outlook, allow you to build rules/filters to auto-block/delete E-mails from a given domain. You can also build a Blacklist of key words or phrases in subject lines to help ‘auto-clean’ your mailbox. Most current E-mail programs have the ability, some more feature-rich than others, to set up filters of some type. There is a brief walk through on Creating filters and Enabling the Junk Mail option in Outlook on the DCRC Tutorials page.
- Create a Whitelist for legitimate domains. This is the opposite of, and much more difficult than, a Blacklist. With a Whitelist you create rules/filters which specify addresses and/or domains you do not want to be deleted. Anything other than what is on the list is auto-deleted. This has the obvious drawback of auto-deleting messages from valid sources that you haven’t yet added to your list. However, if you are having an extreme problem with high volumes of Spam, this may be the method for you. A less drastic idea is to have the rule/filter move a message not on the Whitelist into a designated folder called Suspicious or Spam, which you can sort through every so often to see if there is anything of importance; otherwise you can mass delete it.
- Note: Black/White-listing can initially be a full time job. It takes a while to figure out the best key words, phrases and source domains to filter out. It’s recommended that if you start this, you create a ‘Spam’ folder to redirect such E-mail to rather than delete it until you’ve got a good system set up. Otherwise you may quickly lose non-Spam E-mail and not know it until quite a bit later. This is why Anti-Spam software is attractive and usually not free.
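The Blacklist and Whitelist rules described above, together with the note's advice to redirect mail to a ‘Spam’ folder instead of deleting it, as an added Python example that is not part of the original article or of any mail program's rule engine. The rule lists, sample messages and function names are all constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed rule lists; every domain and phrase here is an assumption.
WHITELIST_DOMAINS = {"missouri.edu", "partner.example"}
BLACKLIST_DOMAINS = {"bulk-offers.example"}
BLACKLIST_PHRASES = ("free money", "act now")

# Constructed sample messages (header block, blank line, body).
SAMPLES = {
    "colleague": "From: Pat <pat@mail.missouri.edu>\nSubject: Act now on budget\n\nhi",
    "lookalike": "From: IT <help@evilmissouri.edu>\nSubject: Mailbox quota\n\nhi",
    "bulk": "From: Deals <promo@bulk-offers.example>\nSubject: Hello\n\nhi",
    "phrase": "From: x@unknown.example\nSubject: FREE MONEY inside\n\nhi",
}

def sender_domain(msg):
    """Lower-cased domain of the From address, or '' when there is none."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def listed(domain, domains):
    """True for a listed domain or one of its subdomains, never a look-alike."""
    return any(domain == d or domain.endswith("." + d) for d in domains)

def triage(raw, whitelist_only=False):
    """Return the folder for a message: 'Inbox' or 'Spam'. Nothing is deleted."""
    msg = message_from_string(raw)
    domain = sender_domain(msg)
    subject = msg.get("Subject", "").lower()
    # From is sender-supplied and can be spoofed, so a whitelist hit only
    # means "do not auto-file", not "this message is genuine".
    if listed(domain, WHITELIST_DOMAINS):
        return "Inbox"
    if listed(domain, BLACKLIST_DOMAINS):
        return "Spam"
    if any(phrase in subject for phrase in BLACKLIST_PHRASES):
        return "Spam"
    # Whitelist-only mode files every unknown sender for later review.
    return "Spam" if whitelist_only else "Inbox"
```

Matching on an exact domain or a dot-separated subdomain keeps a look-alike such as evilmissouri.edu from riding on the missouri.edu Whitelist entry.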
- Acquire an Anti-Spam program for your desktop. The company/organization that provides the software hosts a server which they continually update with known Spam E-mails, gimmicks and ISPs that promote them. Once installed, the program routinely downloads this list from the company server and then either deletes/bounces/reports Spam E-mail you receive.
Update: The following utility is no longer freeware from the website and has a monthly charge. The ‘download SpamNet’ link listed is the old version and will work, but cannot receive new updates.
I’ve come across a great utility called SpamNet by Cloudmark. Currently it is a freeware utility which is an add-on for Outlook. It creates a directory in your mail folder called Spam. It checks each message you receive and compares it against an updated listing of spam identifiers. When a Spam message is found it is moved to the Spam folder for you to peruse or delete at your convenience. You can download SpamNet here quickly, save it to your desktop and double-click on the file once you are done. It works for Windows systems only.
More than likely SpamNet will not be free forever, and several established programs are subscription based so you get the latest “Spam Updates”, much like Anti-Virus programs work. Maximum PC highly recommended one such program, MailGuardian (MailGuardian is currently $30 a year). I’ve not had much luck in finding such programs for the MacOS, with only 1 to show below. If you hear of or would recommend something not listed below, please send me the info and I’ll put it up:
  - Spam Inspector (Windows)
  - Antispamsoftware (Windows)
  - McAfee SpamKiller (Windows)
  - Mailshield (Windows)
  - SpamSieve (MacOS)
- Bounce the message back. This isn’t the easiest thing to do, but can be effective. There’s a freeware utility called Bounce Spam Mail which will take the original message and send it back from whence it came, formatted to look like your account is not active. Although sending Spam is easy, it isn’t free, especially when sending a ton of it. If your account looks inactive, Spammers are not going to waste resources sending to it. Again, this isn’t super simple, as you must figure out how to extract the message header and the true source address, but I’ve included it as an option for the curious.
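Pulling the “true source address” out of a message header, for example before sending it to an abuse address, as an added Python example that is not part of the original article. It reads the Received lines from the newest hop down and stops at the first one not written by a server you control, since everything below that point is supplied by the sender; the trusted host names and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: hostnames of the mail servers you control and therefore trust.
TRUSTED_RELAYS = {"mx1.campus.example", "store.campus.example"}
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<peer>[^)]*)\).*?\bby\s+(?P<by>[^\s;]+)",
    re.S | re.I)
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")

# Constructed sample message; every host and address is made up.
SAMPLE = """\
Return-Path: <bounce@bulk-offers.example>
Received: from mx1.campus.example (mx1.campus.example [192.0.2.10])
\tby store.campus.example with ESMTP id A1; Mon, 6 Jan 2003 10:00:02 -0600
Received: from mail.shop.example (unknown [203.0.113.7])
\tby mx1.campus.example with SMTP id B2; Mon, 6 Jan 2003 10:00:01 -0600
Received: from localhost (mail.shop.example [198.51.100.1])
\tby mail.shop.example with SMTP; Mon, 6 Jan 2003 09:59:00 -0600
From: "Flower Shop" <orders@shop.example>
Subject: Your order

body
"""

def domain_of(header_value):
    """Lower-cased text after the last '@' of an address header ('' if empty)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def report_facts(raw):
    """Return the relay that handed the message to a trusted server."""
    msg = message_from_string(raw)
    source = {"ip": None, "helo": None, "received_by": None}
    for hop in msg.get_all("Received", []):   # newest hop is listed first
        m = HOP_RE.search(hop)
        if not m or m.group("by").lower() not in TRUSTED_RELAYS:
            break   # written by a server we do not control: may be forged
        ip = IP_RE.search(m.group("peer"))
        source = {"ip": ip.group(1) if ip else None,
                  "helo": m.group("helo"), "received_by": m.group("by")}
    from_dom = domain_of(msg.get("From"))
    path_dom = domain_of(msg.get("Return-Path"))
    # A mismatch hints at a spoofed From; it is not proof (mailing lists differ too).
    source["from_mismatch"] = bool(from_dom and path_dom and from_dom != path_dom)
    return source
```

Received lines come in several vendor formats; this pattern covers the common `from name (rdns [ip]) by host` layout and leaves `ip` as `None` when a hop does not fit it.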
