ModemJunkie

Reflections of a ModemJunkie

May, 1998

Spam, Spam, Spam, Spam, Spam

by Leonard Grossman

Just as the strength of the Internet is chaos, so the strength of our liberty depends upon the chaos and cacophony of the unfettered speech the First Amendment protects. - - ACLU v. Reno

Man: Well, what've you got?
Waitress: Well, there's egg and bacon; egg sausage and bacon; egg and spam; egg bacon and spam; egg bacon sausage and spam; spam bacon sausage and spam; spam egg spam spam bacon and spam; spam sausage spam spam spam bacon spam tomato and spam;
Vikings (starting to chant): Spam spam spam spam...
- - Monty Python's Flying Circus

The cacophony of uncluttered speech is upon us. Or is it uncluttered any more? I have chosen to open this article not with a quotation from the Supreme Court decision on the Computer Decency litigation but rather from the more impassioned, and accurate, decision of the three-judge District Court opinion which led the way. While the Supreme Court relied on legal arguments and on promises of blocking techniques that would supposedly enable parents and schools to keep out the pornography, the District Court judges grounded themselves by learning to use the Internet, even conducting some of the proceedings using Internet tools. Both sets of judges reached the same legal conclusions for very different reasons.

Both panels may have been right. But not for the reasons they thought. Blocking techniques have become important to the survival of the Internet -- not to filter pornography but to filter spam. Spam, the term, as all computer cognoscenti know, is derived from the Monty Python skits in which, no matter what the customers wanted, they got Spam.

In the online world there are two very different, but closely related types of spam. The first, and the primary subject of this piece, is unsolicited commercial e-mail, sometimes called "UCE." The second involves mass publication of articles in multiple newsgroups in the Usenet. Both present different problems with somewhat different cures.

Caveat: This article is not technical and I will not even pretend to understand the mechanics of the various techniques I will discuss. My focus is ultimately on the end user. How does all of this affect you and me?

One of the primary methods of combating Usenet spam is issuing "cancels" that kill or delete the unwanted commercial announcements. I recently read that spam and cancel messages combined may now total 80% of the postings on the Usenet. Even with vast increases in infrastructure, the amount of resources that must be dedicated to Usenet spam is incredible.

To give an idea of the scope of the problem, my provider alone estimates that it filters approximately 100,000 spam attempts by E-mail a day. They also filter Usenet spams, and the rate of filtering there typically runs about 300,000 spams daily.

Unlike e-mail, the entire contents of the Usenet must be stored on countless Usenet servers around the world. So for resource reasons alone, the problem must be dealt with.

But there are greater reasons. Like the refrain on Monty Python, there is spam everywhere. Sometimes it becomes impossible to find what you are looking for in the sea of spam. Some of it is harmless, beyond the mere annoyance. But sometimes it is more than that. Much of the spam is devoted to commercial ventures: everything from pyramid and stock schemes to pornography that goes far beyond anything the proponents of the Computer Decency Act ever fantasized. Not merely content to invite the reader to sample their wares, the spammers frequently hide behind relatively innocent subjects and headers, dumping files on our hard drives or revealing the basest forms of pornography at the inadvertent click of a mouse.

Don't misunderstand. I am not arguing against pornography. To each his or her own. To those who choose to seek it. But the presence of pornography which is forced upon the viewer will lead to a reaction which will not be healthy for the net.

I have heard that the "cancelers," those who have devoted time to canceling spam, are on strike lately in an effort to force Internet service providers to take more drastic action against the large spammers and against sites that permit the promulgation of spam. And that leads to the place where I got on this merry-go-round.

Several months ago I discovered that I had not received several pieces of mail. As the techniques of the UCE spammers improve and develop, the source of the spam is not the return address on the message, but an ISP which inadvertently or deliberately permits itself to relay spam.

On some days my mail box fills up with spam. I have to hunt to find the real mail in there. "This is a one time mailing. You will not hear from us again," some assert. On that day I may have as many as four copies of the same message.

Some have compared spam to junk mail. But the difference is significant. The cost of junk mail is borne by the sender (and to some extent the Postal Service at bulk mail rates). From my end, all I need, if I can avoid responding to Ed McMahon, is a large garbage bag. This means that the volume of junk mail is somewhat limited by the cost.

But on the Internet the cost is shifted to the recipient. The UCE takes up space on the provider's server and in my mailbox. I have to spend online time downloading it and it contributes to my excessive use of disk space. (Since my html.log is now growing at about 7 megabytes a month and I have only a 10 meg allowance, every extra bit hurts.)

So, it was felt, something had to be done. Why should ISPs and users have to bear the inconvenience, frustration and cost of someone else's business? It is getting just too easy to send UCE. After sex, (now that I've quit smoking) the most common form of UCE is advertising for bulk mailing programs and lists of addresses.

Something had to be done.

There are basically four places spam can be 'blocked':
  1. By IP address (in routers or mail servers). Connections from hosts that are known to be sources or relays of spam can be refused entirely. They don't even get to offer the mail to the server.
  2. As it is received, unwanted messages can be 'rejected' by the mail server, either as a system wide default or per-user. The remote host offers the mail, but the server refuses to accept it.
  3. After it is accepted, mail can be filtered in the mail server, and the filters can then put it in the user's incoming spool, put it somewhere else, or throw it away. Generally this is done with 'procmail' and is on a user by user basis.
  4. After it is in the user's incoming spool, there are some POP clients that will examine the waiting mail and discard/store it. This is totally under the control of the user and does not require the ISP's cooperation.

The pitfall is the potential to reject legitimate mail. It is possible to catch a significant percentage of spam with a very low chance of discarding non-spam mail, but the closer one gets to blocking 100% of spam, the more likely it is that the filter will give a 'false positive' and refuse valid messages.

For some people, returning some good mail to the sender is worth the risk in order to get rid of nearly all of the spam.

So, without initial disclosure to its users, it seems my ISP had begun to block the IP addresses of sources of spam. Usually the blocked source was one which dumped tons of spam on the site. But sometimes the blocked addresses were guilty of only one piece of unsolicited commercial e-mail.

The definition of inappropriate spam is not easy to agree on. Amazon.com was deemed a spammer because of its policy of sending announcements to anyone who had filled out a questionnaire or participated in a contest. The rationale for the blockade was that this was classic UCE because when the individual gave information to Amazon there was no disclosure statement indicating that the information would be maintained in a database for future commercial mailings.

Problem: Business transactions were blocked as well. Order confirmations and similar communications were blocked. At the same time, I wondered why my cousin in England had stopped responding to messages about our holiday travel plans. We had to burn up a few dollars on international phone calls because his e-mail had been blocked.

About this time, the ISP disclosed, in its support newsgroup, that it had devised a form of spamblocking which had been in effect for some time. The provider eventually announced a method by which users could place a file in their directory which would give them control over the spamblock.

Essentially, through the creation of a .spamblock file in the user's home directory the blocking system can be configured. The user has the choice of accepting the complete set of blocks set by the ISP, substituting his own set of blocks, or adding to the ISP's list. The user can also "cut holes" in the list of blocked sites by including the IP numbers which should not be barred and finally, the user can turn off the whole system. Once a user creates his own .spamblock file, the system generates a log of all the messages that have been blocked. The contents of the file are gone. Just the source is revealed.
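A sketch of the per-user decision just described, as an added example (not the ISP's code or its real .spamblock syntax, which this article does not show). The mode names, the `UserPolicy` fields and the addresses are hypothetical, and the sample messages are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed ISP-wide block list (documentation address ranges, not real spam sources).
ISP_BLOCKS = ["192.0.2.0/24", "198.51.100.0/24"]

@dataclass
class UserPolicy:
    """Hypothetical model of the per-user choices described above."""
    mode: str = "isp"                            # "isp" | "replace" | "add" | "off"
    blocks: list = field(default_factory=list)   # the user's own blocked networks
    holes: list = field(default_factory=list)    # sources that must never be blocked

def _matches(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)

def is_blocked(ip, policy, isp_blocks=ISP_BLOCKS):
    """Return True if mail relayed from `ip` would be refused for this user."""
    if policy.mode == "off":
        return False
    if _matches(ip, policy.holes):        # a hole wins over every block list
        return False
    if policy.mode == "replace":
        effective = policy.blocks
    elif policy.mode == "add":
        effective = list(isp_blocks) + policy.blocks
    elif policy.mode == "isp":
        effective = isp_blocks
    else:
        raise ValueError(f"unknown mode: {policy.mode!r}")
    return _matches(ip, effective)

def deliver(messages, policy):
    """Split messages into (inbox, blocked_log); the log keeps headers only, no body."""
    inbox, log = [], []
    for m in messages:
        if is_blocked(m["relay"], policy):
            log.append({k: m[k] for k in ("from", "subject", "relay")})
        else:
            inbox.append(m)
    return inbox, log

# Constructed sample traffic: one bulk mailing, one wanted letter via a blocked relay.
MESSAGES = [
    {"from": "promo@bulk.example", "subject": "one time mailing", "relay": "192.0.2.15", "body": "..."},
    {"from": "cousin@isp.example", "subject": "holiday plans", "relay": "198.51.100.7", "body": "..."},
    {"from": "friend@home.example", "subject": "lunch?", "relay": "203.0.113.9", "body": "..."},
]

if __name__ == "__main__":
    for policy in (UserPolicy(), UserPolicy(holes=["198.51.100.7/32"]), UserPolicy(mode="off")):
        inbox, log = deliver(MESSAGES, policy)
        print(policy.mode, policy.holes, "-> delivered", len(inbox), "blocked", [e["from"] for e in log])
```

With the default policy the wanted letter from the blocked relay lands in the log beside the bulk mailing; adding a hole for its relay address delivers it while the bulk mailing stays blocked.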

The last few entries in my log are the following:

Mon Apr 27 00:36:11 1998
     from: I like sex 
     subject:  hiya~! :op
     [204.119.177.

Mon Apr 27 11:15:17 1998
     from: pbs previews 
     subject: [200] pbs previews: April 27-may 3, 1998
     [38.8.14.
 

Mon Apr 27 22:21:00 1998
     from: ki8@yahoo.com
     
     [203.120.90.
 
Tue Apr 28 10:39:09 1998
     from: rebekahle@juno.com
     subjec: (bat shalom): 
     [205.231.100.

[Comment: This was definitely mail I wanted to get.]

Tue Apr 28 20:59:30 1998
     from: sabranet 
     subject: israel @ 50 - a sabranet time capsule
     [204.250.46.

Tue Apr 28 21:52:56 1998
     from: promo@pro.net
     subject: help someone living with a.i.d.s
     [207.68.143.

Tue Apr 28 21:52:58 1998
     from: promo@pro.net
     subject: help someone living with a.i.d.s
     [207.68.143.

Wed Apr 29 21:21:46 1998
     from: friends@hotmail.com
     subject: career opportunities....
     friend@

Wed Apr 29 21:25:23 1998
     from: friends@hotmail.com
     subject: career opportunities....
     friend@

Thu Apr 30 11:19:36 1998
     from: wowitworks@juno.com
     subject: need large income fast??
     friend@

Thu Apr 30 15:23:17 1998
     from: marketing services <1521.251@compuserve.com>
     subject: bulk E-mail without losing your isp!
     bulk E-mail 

The variety of mail is representative and interesting. Some of the messages are clearly spam which never would be missed.

However, at least one of the messages was one I really wanted to get in a timely fashion and another may have been. (I have mangled the personal addresses in the foregoing log to protect the innocent.) And how did PBS get on the list? In this case I "cut a hole" in the block for the regular correspondent by editing the spamblock file and I wrote asking her to resend the message. As to the other correspondent, I sent her (him?) a note inviting her to send me a note at another account which isn't blocked. However, as I will discuss below, serious issues arise with regard to users who are even less technically proficient than I am or those who don't follow the newsgroups and are unaware that their correspondence is being blocked.

You can see the details of my ISP's spamblock system in its FAQ in the section entitled Automatic user-configurable spam-blocking.

At first blush, spamblocking at the ISP level seems an excellent idea, but, perhaps through no fault of the ISP, there are some problems with this system. First of all, the operators of ISPs have trouble recognizing that, believe it or not, many users of Internet services have never heard of a newsgroup. Many are unaware of the existence of their home directory and have no knowledge of, much less interest in learning, how to edit the spamblock file which must be created. For example, care must be taken to use ASCII. If the file is created locally and uploaded, it must be transferred in the proper format (ASCII, not binary) or it won't work. I edit my file online using Pico from the shell. These are terms which mean nothing to many new users of the Internet who think of their e-mail like their phones and their answering machines. If someone sends a message they expect to get it.

Second, it takes a lot of time. Even though my name is out there on the Internet (a recent search of DejaNews shows nearly a thousand Usenet postings containing my address) I still had less than a dozen pieces of blocked mail in three days. I received at least another half dozen or more pieces of spam in my mail that made it through. In order to make the system work, I had to edit the spamblock to include one IP number and I had to write to two blocked correspondents. To make the system effective, I should also forward spam that I receive to my provider to add to the universal log.

What to do? The answer is not easy. If it were only for myself, I would simply turn off the blocking as I have done before. It takes me far less time to delete the spam than to check the blocked-log and notify correspondents of missed mail and to edit the .spamblock. But spamblocking has other salutary effects beyond keeping my mailbox empty.

The spamblock system makes pariahs out of the relay sites and mass mailers. It puts pressure on the rogue ISPs to clean up their act. It costs them: when their legitimate clientele learn that their mail isn't getting through, they can take action by complaining or by leaving. In this way, slowly the problem may be addressed.

I strongly believe that the default setting for each user should be with spamblock turned off. Users should be invited and encouraged to turn on the spamblock. But there need to be easier ways for the average user to turn off and on the block and to cut holes in it.

I invited Karl Denninger, the iconoclastic CEO of my ISP, to share his views on spam and spamblocking. He presents a strong case for system wide action and believes that for the system to be effective the default should be on.

But the vast majority of Internet users are unaware that their ISPs are blocking their mail. And if mail is being blocked, communication is beginning to break down. And I have the feeling that we have just seen the tip of the iceberg.

Users of my ISP just learned that another form of blocking is going on. This is, it seems, even more justified than the spamblocking. It is called smurf blocking. Smurfs involve deliberate attacks on ISPs. The blocking techniques are aimed at sites, frequently used without their knowledge, like university servers, which act to permit smurf attacks. The idea is that these providers will take action to block smurfs.

What is a smurf? I confess I don't really understand it. (My daughter sometimes calls me "Papa Smurf," but that is another subject.) In any event we had a crash course in the subject the last few days on our local newsgroup. You can find out more at http://www.mcs.net/smurf/.

In order to learn more about spam and UCE I posted inquiries in a handful of newsgroups. (Not long ago even that small group of crosspostings would have been deemed a spam.) I received a number of thoughtful and interesting comments. I have not been able to include all points of view in this article, but here are some links to other relevant sites:

Thanks to all who responded to my requests.

For more information about spam filtering and related problems go to the newsgroup: news.admin.net-abuse.email but beware, the site is a hotbed of flames on the subject.

My final thoughts: It is clear that strong measures are necessary to combat the clutter. Not because it is annoying or distasteful, but because it threatens the Internet as a medium for communications. But subscribers should be affirmatively informed, not merely notified, that blocking is taking place and should be given user friendly tools to deal with it.


Errata [Otherwise known as "OOPS!!"]:

One of the advantages of writing online is that you very quickly find out when you are wrong. John Navas and others wrote last month to point out that the sky is not really falling. Some of the fears I expressed in my April article related to the move to the v.90 protocol may have been unwarranted.

It appears that v.90 as implemented will generally be backwards compatible with whatever protocol was previously implemented by the ISP. Thus, users of Kflex ISPs should be able to continue to connect at Kflex speeds after the ISP upgrades to v.90. The same is true of X2 providers. That is, subscribers with X2 modems should still be able to connect at X2 speeds after their old X2 provider upgrades to v.90. But complete compatibility between X2 and Kflex will not be available.

OTOH, most modems, except for a few deliberately backward compatible units, will probably not be able to connect to Kflex or X2 sites at Kflex and X2 speeds once they have been flashed. They will still be able to connect to those sites at v.34 speeds.

This may not make much difference to many of us. Poor line quality and other difficulties between the end user and the Telco switch make it very difficult if not impossible for many of us to regularly connect at the higher speeds in any event. I get connects above 28.8 with my Kflex only about 10 percent of the time and those connections degrade fairly rapidly. But then last week I sampled cable modems for the first time.

Anyone know a bank I can rob?


Copyright 1998 Leonard Grossman

Send your comments or questions to grossman@mcs.net

My essays regularly appear in slightly different form in WindoWatch Magazine which contains a wealth of fascinating information.


Created with DiDa! 5/2/98 8:34:48 AM.

Background source as modified by Terry Sullivan