January 30, 2009 10:07 AM PST

Spam: You just can't win

by Larry Dignan
This was originally posted at ZDNet's Between the Lines.

For anyone even slightly optimistic about thwarting the never-ending crush of spam I have two words: don't bother.

At the Information Security Best Practices conference at Wharton School of the University of Pennsylvania, I've learned the following from the first panel.

Comcast's Gerard Lewis, senior counsel and chief privacy officer, noted that the Can-Spam act of 2003 "hasn't done anything to curb spam," but is "a well intentioned law." Indeed, almost all e-mail is classified as spam.

Lewis should know since Comcast moves millions of e-mails a day--450 million on average to be exact. Lewis walked through the evolution of spam and how defenses have moved from generic filtering to a more sophisticated model. The rub: the fancy stuff doesn't work too well either.

Lewis said that giving consumers more control and tools to prevent spam helps a bit. But plenty still fall for social engineering tricks.

What's the solution?

I haven't heard one yet. Chris Marsden, a professor at the University of Essex, said there are a bevy of regulation schemes being cooked up across the pond. But it didn't sound like there were any spam killers coming from the UK.

Marsden said ISPs will likely see more regulation, but giving consumers more tools isn't the answer per se.

"ISPs have made it clear that consumers will not implement filters," said Marsden. Australia has even sent CDs to citizens to prod them to implement filters. One outcome may be required filtering for spam and content on all PCs as a regulatory requirement.

Think of these efforts as mandatory seat belt laws for Web surfing.

Update: In a follow-up conversation, Lewis said the biggest issue with laws like Can-Spam is that they don't reach overseas, where a huge chunk of the spam originates. Carol DiBattiste, senior vice president of privacy, security, compliance and government affairs at Lexis-Nexis, spoke about a different topic, but the solution sounds a lot like what the folks in Talkbacks to this post are seeing. Lexis-Nexis, as part of its security policy, blocks international IP addresses.

Larry Dignan is editor in chief of ZDNet and editorial director of CNET's TechRepublic. He has covered the technology and financial-services industries since 1995.
by mmichaels January 30, 2009 11:27 AM PST
"One outcome may be required filtering for spam and content on all PCs as a regulatory requirement. "

Solve one "well intentioned law" with another "well intentioned law". I get it.
by rapier1 January 30, 2009 11:28 AM PST
Part of the problem comes in where a person thinks spam should be controlled: the source, the center, or the user. Controlling it at the source is probably the most effective target but it's also the most difficult to reach. Controlling it at the user is relatively easy but widespread adoption is difficult. Controlling it in the center (the ISPs) is probably the easiest to implement and can be moderately effective but rife with problems (how do you handle Ham (good email identified as spam), what privacy implications does this have, how do you support the infrastructure). Controlling it at the end user or the center doesn't really do much to deal with the infrastructure burden unless you push it to outbound mail as close to the spammers as possible. It's just a really difficult problem overall.

Personally, I deal with it by using a set of filters. 1st I have an adaptive filter take care of most of the spam. Anything that gets through that is compared against a list of known good addresses. If it's coming from someone I've previously gotten 'good' email from or from someone I've sent mail to then it's passed into a 'Good' Inbox. If not it's shunted to an 'Unclassified' inbox. I pay attention to the Good inbox and once a day or so I go through the unclassified mail to sort out the spam and add good email to the known addresses list. So far it works pretty well - I usually only see 1 piece of spam in my Good inbox a week. It takes a fair bit of work though.
by retired_afmil January 30, 2009 11:56 AM PST
Couple years ago there was a program/company called Blue Frog that was teaching spammers a lesson, but they had to close down because spammers overloaded the ISPs that supported them. They would fire back to inform the spammers to remove you from their listings. (with many requests overload the spammers) It depended on members (free) to report to them spammers. It was working and hurting them. However the ISPs caved in so they went out of business. Maybe the Government if they were serious would copy that model.
by hunkyboi69 February 2, 2009 11:36 AM PST
Spam has changed though unfortunately, which is why that method no longer works.

Most spam these days is sent from compromised computers and with forged email headers, so bouncing the spam back would not harm the spammers in any way as it would never get anywhere near them.

That is why it is recommended that you don't bounce spam with your mailserver, you simply reject it with a 5xx code which does not generate a bounce to an innocent domain.

There's a lot of interesting articles on 'backscatter' on the internet.

As regards spam, I rarely get any these days because I use Greylisting and SpamAssassin to get anything that gets through the greylisting. Rarely I will get one or 2, but the majority of the time they don't even get through the greylisting.
The only drawback of greylisting is that legit emails are delayed as well, but a decent implementation will remember the IP, from and to addresses of legitimate senders for some time and subsequent emails will not be greylisted.
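Added example, not part of the comment above: a minimal greylisting decision in Python that keys on the (IP, from, to) triplet, answers a first attempt with a temporary 4xx failure, and remembers senders that retry so later mail is not delayed. The class name, the timing constants and the sample addresses are assumptions constructed for illustration.

```python
import time

# Assumed policy values (constructed for this example, not from the comment).
MIN_DELAY = 300          # seconds a new triplet must wait before a retry passes
RETRY_WINDOW = 4 * 3600  # a retry must arrive within this long of first contact
PASS_TTL = 36 * 86400    # how long a proven triplet is remembered


class Greylist:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}  # triplet -> time of first attempt
        self.passed = {}   # triplet -> time last seen after passing

    def check(self, client_ip, mail_from, rcpt_to):
        """Return the SMTP reply (code, text) for one RCPT TO attempt."""
        now = self.clock()
        key = (client_ip, mail_from.lower(), rcpt_to.lower())

        last_ok = self.passed.get(key)
        if last_ok is not None and now - last_ok <= PASS_TTL:
            self.passed[key] = now  # refresh the memory on every delivery
            return 250, "OK (known triplet)"
        self.passed.pop(key, None)  # forget an expired entry

        first = self.pending.get(key)
        if first is None or now - first > RETRY_WINDOW:
            self.pending[key] = now  # new (or stale) triplet: start the clock
            return 451, "4.7.1 Greylisted, try again later"
        if now - first < MIN_DELAY:
            return 451, "4.7.1 Greylisted, try again later"
        del self.pending[key]
        self.passed[key] = now  # sender queued and retried: accept and remember
        return 250, "OK (retry accepted)"


def demo():
    """Replay a constructed session against a fake clock; return reply codes."""
    t = [0]
    g = Greylist(clock=lambda: t[0])
    trip = ("192.0.2.10", "alice@example.org", "bob@example.net")
    codes = [g.check(*trip)[0]]                  # first contact
    t[0] = 60;  codes.append(g.check(*trip)[0])  # retry too soon
    t[0] = 600; codes.append(g.check(*trip)[0])  # retry after the delay
    t[0] = 700; codes.append(g.check(*trip)[0])  # later mail, same triplet
    codes.append(g.check("203.0.113.5", trip[1], trip[2])[0])  # same addresses, new IP
    return codes
```

The temporary 451 reply is what makes a queueing mail server retry; a sender that never retries simply never gets past the first check.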
by Grumpypaul January 30, 2009 12:17 PM PST
As long as there are people who want to believe fantastic claims, there will be spammers. True, there are legitimate looking spams around, but the vast majority of the ones I see are unbelievable. Claims of super sexual prowess, claims of millions of dollars available for free, claims of free gifts for doing nothing. And if you factor in the eternal forwarding that so many emailers do of inaccurate or outright false statements, comments, "news" items, then I can see how 99% of all email is spam.

Snopes proves out the proliferation of many of them.
by pentest January 31, 2009 12:28 PM PST
Getting people to act intelligently is harder than keeping your own email account clear of spam <see below for examples>
by ErnieTheBear January 30, 2009 1:01 PM PST
I've been wondering, how much spam/virus/phishing could be eliminated if ISPs routinely blocked all outgoing e-mail traffic originating from anything in their IP address block, unless the owner/user has specifically requested them to allow it? If you're running a legitimate and intentional e-mail server from your home, you have to ask them for it. That's not onerous, is it? Even if Joe Sixpack manages to download a spam-bot, it's useless, no matter how many times the C&C is contacted and changed. No outbound mail traffic. Period.
by buddyfarr February 2, 2009 8:00 AM PST
only problem is that Comcast is doing this and will NOT allow my father's business to send out email even though we have requested it. Blocking all and not allowing for any reason is just crap.
by Old Man1 January 30, 2009 2:27 PM PST
The scourge of spam can be controlled by the end user. I have been (almost) spam free for 12 years. I say almost because a well-meaning friend cc'd instead of bcc'd me on a law enforcement sting to a spammer a couple of years ago. Within 1 month I was receiving 10 a day. Quite a jump from nothing in 8 years. Result, I changed my email address and am again spam free, despite having more than 10 email addresses between work and personal. (Disclosure; I am a contract Sys Admin for a couple of different companies, hence multiple addresses).
You too can be spam free with a few simple processes, and some time to work with more than one email address.
1. Create two or three new email addresses. They're plentiful at free services like Yahoo, Google, etc. Just make sure you opt out of all their "default" emailing options (periodically review their policies to make sure they don't change anything though...)
2. Give one of these new addresses ONLY to your family/friends/close business contacts. With that giving, instruct them to never bother sending any ecards, or to never send you anything via a "send this to a friend" button. I don't KNOW this, but logic indicates that by someone sending and you retrieving an ecard or "send this to a friend" message, you validate both sending and receiving addresses, which can then be sold (my guess is that's how these companies make their money).
3. When anyone else requests an email address, either give them a totally bogus one (xyz@zyx.com, or some such), or if they require validation of a real address, give them your second one. Respond to the validation request, then summarily ignore anything else in that box. The email address for my OldMan1 moniker is one such as this. It is valid, but I completely empty it monthly without so much as opening anything in it unless I have to repeat the process earlier in this step.
4. For companies that you subscribe to mailings from, give them either your third (if you created one), or your first address, but check their privacy policies and opt-out of every data-sharing option and mailing they list (unless you want it).
That's it. Using these simple procedures, you too can be spam free. Out of all my accounts, the ONLY one that receives spam is the one I set up specifically to receive it, and by careful adherence to these practices over the last 12 years, my spam count is less than 5 a week, with no extra filtering anywhere in the process. Before I came up with, and implemented, these ideas all those years ago, I was receiving almost 100/day.
by pentest January 31, 2009 12:26 PM PST
The solution is simple. On my mail server, I run no spam software, no white or blacklists and I get approximately 1 spam email per day.

It is not hard to do. Create a free account somewhere, since most spam originates at Hotmail, you should use this so you can give it back to MS. Use that account name when you need to create accounts. Whenever I create a new Hotmail account, I monitor it for a day or two and by then it has hundreds of pieces of spam.
by janarmstrong_dotmac February 1, 2009 1:25 PM PST
The only answer: change your e-mail address every year.
by buddyfarr February 2, 2009 8:10 AM PST
yeah, that works great in a business environment....