Date: Fri, 26 Apr 2002 07:38:48 -0400 (EDT)
From: BCPL.NET SysAdmin
To: BCPL.NET News
Subject: BCPL.NET NEWS: Unsolicited E-Mail (Spam)

-----------------------------------------------------
DEALING WITH UNSOLICITED COMMERCIAL E-MAIL, OR "SPAM"
-----------------------------------------------------

This is in response to an increasing number of complaints from BCPL.NET customers and BCPL staff about unsolicited e-mail, commonly called "spam". The following is the text of a "canned answer" we have been sending out in response to individual queries. It's rather long, but we encourage you to read it if you're concerned about spam.

Spam, or "UCE" (unsolicited commercial e-mail), is an increasingly serious problem all over the Internet. Some of our customers receive no spam at all, while others receive a lot. We do not provide our customer list to anyone for any purpose, but there are many other ways your address can end up on a spammer's mailing list. Spammers tend to exchange lists, so once you are on one spammer's list you are sure to wind up on others.

How your specific address got onto a spammer's list in the first place is impossible to pin down exactly. Spammers gather addresses in many ways, but the most common are by monitoring newsgroups and legitimate mailing lists. There is in fact specialized software designed for spammers that can extract e-mail addresses from newsgroup postings and mailing list messages. Spammers also use "spider" software to scan huge numbers of Web pages for e-mail addresses, so if your address is on a Web page, it will very likely be "harvested" by one or more spammers. Finally, some unscrupulous Web-based businesses regularly provide their customer lists to people who do mass e-mail advertising. If you have ever done a business transaction on the Web that required your e-mail address, this may have resulted in some spammer getting hold of the address.

Stopping spam is a major concern to all ISPs, including BCPL.NET, but currently there is little that can be done. There is no simple way to block all spam at the mail server level, because there is no uniform characteristic of spam that the server can look for.

We do block mail from known "spam domains", Internet sites that exist solely for the distribution of junk e-mail. However, these days the majority of spam is not sent from such sites. Instead, the spammers use ordinary dialup accounts through local ISPs, just like your dialup account with BCPL.NET. When a spammer gets caught and his ISP terminates the account, the spammer just moves on to another account with another ISP. I've read that the average spammer changes ISPs on average about once a month, sometimes more frequently. Because of this, blocking spam based on where it was sent from is almost totally ineffective. For obvious reasons we can't block mail from each of those ISPs just because one of their customers sent spam. If we did that, eventually mail would be blocked from virtually everywhere.

The other type of blocking, called "filtering", is intended to block spam based on content, after it reaches our mail server but before it is delivered to the customer's mailbox. Unfortunately there is no uniform "tag" or other characteristic common to all spam. From the mail server's perspective it looks just like legitimate e-mail. Therefore spam filtering has to be based on message content. Special add-on filtering software working with the server software examines every message, looking for key words that are typically found in spam. At first glance this would seem to be an ideal way to deal with spam, but it has two very serious drawbacks.

First, it can't possibly block all spam. Some will still slip through. In fact, sites that do use filtering report that most spam still slips through.
This is because if the filters are set up stringently enough to block most spam, they also block large amounts of legitimate e-mail along with the spam. For example, if we were to filter out e-mail containing the word "sex", the filter would also stop all e-mail mentioning the Essex Library, and all non-spam and non-pornographic e-mail containing the word "sex". If the filtering is set up laxly enough to minimize the blocking of legitimate e-mail, it will continue to let most spam slip through too. It's a lose/lose situation.

Second, this type of filtering is *very* CPU intensive. Every word in every incoming e-mail has to be examined and compared against the database of "forbidden" words. This is practical on a low-volume mail server, but on a high-volume mail server such as ours, which handles 70,000 - 100,000 messages per day, it isn't very practical. Our mail server runs on a fairly high-powered UNIX computer, but if we were to do spam filtering it would bog down to the point where mail delivery would be unacceptably slow. A new mail server with enough power to handle filtering for that volume of messages would cost well over $100,000. We can't afford that unless we raise our price *very* considerably. Therefore one of the tradeoffs of our low price ($120 per year) is that we don't do filtering. In fact, you'll find that even most ISPs who charge considerably higher rates do not try to filter out spam. It just isn't practical or cost effective.

There are several defenses the individual customer can use:

1) Use a mail program that allows filtering. Although filtering at the server level isn't practical for the reasons discussed above, filtering within your own mail program may be a viable alternative because it is completely within your control. All current versions of the most popular PC and Macintosh based mail programs (Eudora, Netscape, Outlook, Outlook Express, Entourage, etc.) have filtering capability.
Consult the written or online Help documentation for your specific mail program.

One approach is to set up your filters to accept mail only from addresses you consider "friendly", i.e. from e-mail addresses that are known to you. This will certainly stop spam, but unfortunately it also has the potential to stop a lot of legitimate e-mail as well. I don't consider it a good solution, but many people do it.

A less stringent but more labor-intensive approach is to create filters that will block e-mail containing specific words. For example, if your primary concern is spam with pornographic content, then set up a filter to block e-mail containing words you consider to be objectionable. A "forbidden words list" intended to block normal non-pornographic spam (commercial ads, for example) is less straightforward because the words in such e-mail are not any different from the words you might find in legitimate e-mail.

Please note that Pine and WebMail, both of which are used by many BCPL.NET customers and BCPL staff, do not have filtering capability. In order to filter you will have to use an e-mail program like Outlook Express, Eudora, or Netscape Mail installed on your own computer.

2) Figure out where the spam originated from, and complain to the "abuse" and "postmaster" addresses at that domain. Almost all ISPs now have "abuse" addresses specifically for that purpose. If you identify the origin as erols.com, for example, address your complaint to "abuse@erols.com".

Unfortunately, this isn't as straightforward as it might seem. The address on the "From:" line of spam is almost never where it really came from, because almost all spam shows a fake address on the "From:" line. If you receive spam that shows "jdoe@erols.com" on the "From:" line, and if you complain to "abuse@erols.com", there is an almost 100% probability that you have complained to the wrong place. Figuring out the true origin of spam can be a hassle, but it is essential in order to know where to complain.

To determine the true origin you have to examine the "Received:" lines in the full message header. Most mail programs don't normally show you the full header. You have to turn on full header display, usually in the configuration or in one of the menus. For specific instructions on how to view full headers in many different e-mail programs please go to:

http://www.wurd.com/eng/ABCs/spamfight.htm

Even with the full header in front of you, it can still be pretty tough for the layman to determine the origin. This is because most mass mail software adds one or more bogus "Received:" lines and other bogus information to throw you off track. Even if you are able to figure out which "Received:" lines are legitimate, you then need to do some research (typically a "whois" lookup in the ARIN database at www.arin.net) to figure out where to send your complaint. This is time-consuming, so we don't recommend it unless you are *very* serious about taking action against spammers.

We hope to create a Web page on the BCPL.NET Web site explaining how to do this, but in the meantime you might take a look at the following on the Web:

"Figuring Out Fake E-mail & News Posts" (AKA "The Spam FAQ")
Includes links to many Web sites with useful info about spam.
http://www.faqs.org/faqs/net-abuse-faq/spam-faq/

Where to Complain About Frauds & Scams:
http://www.elsop.com/wrc/complain.htm

General information about spam:
http://spam.abuse.net/spam/
http://spam.abuse.net/spam/userhelp/

3) In the final analysis, your best line of defense is the "Delete" function in your mail program. I know it's annoying to receive spam, but it takes only a moment to delete it. For most users this remains the most effective way to deal with spam.

Finally, here are a few things you should *not* do in an attempt to fight spam:

Do not reply to spam
--------------------

Spam e-mail often contains the message "To remove yourself from this list, reply with REMOVE in the subject line" (or words to that effect).
DO NOT reply to any spam, UCE, or electronic chain letter. As explained above, the address on the "From:" line is probably phony. This means your "Remove" request won't go anywhere at all. In the few cases where the "From:" address really is the spammer's address, there is increasing evidence that replying simply verifies to the spammer that he/she has your correct address. This will just result in more spam being sent to your address, not less.

Some spam e-mail may direct you to fill out a form at a specific Web site to have yourself removed from the spammer's mailing list. While some of these may be legitimate, there is increasing evidence that most are merely mechanisms used by spammers to collect addresses for their mailing lists.

Do not attempt to take retaliatory measures
-------------------------------------------

Do not attempt to fight back by directing mailbombs or other retaliatory measures at a spammer's apparent e-mail address. Remember, the address on the "From:" line is probably forged, so your retaliation will most likely be misdirected. In addition to wasting your time, you may clog some innocent person's mailbox with your mail, and/or you may clog up BCPL.NET's mail system with mail delivery error reports, and/or your misguided retaliation may result in mail from BCPL.NET being banned from other sites out on the Internet.

Mailbombs and similar measures are considered "denial of service" attacks, and are a very serious offense. Any BCPL.NET customer caught mailbombing another site, no matter what the motivation or provocation, will have his/her account terminated immediately.

--
BCPL.NET INTERNET SERVICES
320 York Road
Towson, MD 21204-5179 U.S.A.

CONTACTS:
--------
Web Site:                          http://www.bcpl.net
Administration & Policy:           ispadmin@bcpl.net    410-887-6180
Sales, Renewals, Account Status:   accounts@bcpl.net    410-887-4172
Technical Support (Help Desk):     help@bcpl.net        410-887-3297
Usenet News Newsgroup Requests:    news-admin@bcpl.net  410-887-6180
E-Mail & Newsgroup Abuse Reports:  abuse@bcpl.net       410-887-6180
Domain Name Service Issues:        dnsadmin@bcpl.net    410-887-6180
FAX:                                                    410-887-2091
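
The keyword-filtering trade-off described above (the "Essex Library" problem), as an added example that is not part of the original announcement: two kinds of keyword filter scored against a few constructed subject lines. The word lists and the messages are assumptions made up for illustration.

```python
import re

# Constructed subject lines; True marks the ones a person would call spam.
MAIL = [
    ("Essex Library hours change next week", False),
    ("Board minutes: Middlesex County budget", False),
    ("Health class handout on sex education", False),
    ("HOT SEX PICS click here now", True),
    ("Make money fast from home!!!", True),
    ("Lowest mortgage rates, act now", True),
]

def substring_filter(words):
    """Stringent filter: block if a forbidden word appears anywhere,
    even inside a longer word such as "Essex"."""
    return lambda text: any(w in text.lower() for w in words)

def whole_word_filter(words):
    """Laxer filter: block only when a forbidden word stands alone."""
    alternatives = "|".join(re.escape(w) for w in words)
    pattern = re.compile(r"\b(?:%s)\b" % alternatives, re.IGNORECASE)
    return lambda text: bool(pattern.search(text))

def score(blocks):
    """Return (legitimate messages blocked, spam messages delivered)."""
    blocked_legit = sum(1 for text, spam in MAIL if blocks(text) and not spam)
    spam_delivered = sum(1 for text, spam in MAIL if not blocks(text) and spam)
    return blocked_legit, spam_delivered

if __name__ == "__main__":
    # A long word list matched as substrings stops all the spam,
    # but every legitimate message is blocked with it.
    print("stringent:", score(substring_filter(["sex", "money", "now"])))
    # One word matched as a whole word spares the Essex Library,
    # still blocks the health handout, and delivers most of the spam.
    print("lax:      ", score(whole_word_filter(["sex"])))
```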
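
One way to carry out the "Received:" check from item 2, as an added example that is not part of the original announcement: trust only the lines written by your own provider's mail server and read the connecting IP address from the deepest of those. The host name mail.isp.example, the addresses and the message itself are constructed placeholders.

```python
import re
from email import message_from_string

# Assumption: the name your own provider's mail server writes after "by".
TRUSTED_SERVERS = {"mail.isp.example"}

# Constructed message; every host and address is a documentation placeholder.
SAMPLE = (
    "Received: from dialup-17.pool.example (unknown [203.0.113.45])\n"
    "\tby mail.isp.example (8.11.6) with SMTP id g3QBcmX12345;\n"
    "\tFri, 26 Apr 2002 07:30:12 -0400\n"
    "Received: from mx.bigcorp.example ([198.51.100.7])\n"
    "\tby relay.bigcorp.example with ESMTP; Fri, 26 Apr 2002 03:00:00 -0800\n"
    "Received: from localhost ([192.0.2.99]) by mx.bigcorp.example;\n"
    "\tFri, 26 Apr 2002 02:59:00 -0800\n"
    "From: jdoe@bigcorp.example\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

HOP_RE = re.compile(r"from\s+(?P<src>.*?)\s+by\s+(?P<by>[\w.-]+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def trace_origin(raw, trusted):
    """Return (ip, unverified): the address that connected to the trusted
    servers, and the Received lines no trusted server vouches for."""
    hops = message_from_string(raw).get_all("Received", [])
    origin = None
    for i, hop in enumerate(hops):        # newest line comes first
        text = " ".join(hop.split())      # undo header folding
        m = HOP_RE.match(text)
        if not m or m.group("by").lower() not in trusted:
            return origin, hops[i:]       # sender-controlled from here down
        # The bracketed IP is recorded by the receiving server; the name in
        # front of it is whatever the sender claimed, so it is ignored.
        ip = IP_RE.search(m.group("src"))
        if ip:
            origin = ip.group(1)
    return origin, []

if __name__ == "__main__":
    ip, unverified = trace_origin(SAMPLE, TRUSTED_SERVERS)
    print("look up in whois:", ip)
    print("unverifiable Received lines:", len(unverified))
```

The returned address is the one to look up in whois; the "From:" line and the unverified "Received:" lines play no part in choosing where to complain.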