
Junk E-mail and Newsgroup Postings, a.k.a. "spam"
E-mail is the single most prevalent use of the Internet, and the number
of people around the world using it to communicate has risen exponentially
over the last decade. Unfortunately, so has the level of Unsolicited
Commercial E-mail (UCE) and Unsolicited Bulk E-mail (UBE) which have collectively come to be known as "spam"
and which have in the last few years become a virtual tidal wave swamping
the inboxes of Net users everywhere. In early 2003, the consensus among
computing security experts was that as much as 40% of all e-mail
worldwide was spam of one sort or another, and many predict that the figure
will rise to as high as 60% within the next few years. It's not just e-mail,
either. Commercially-oriented, off-topic postings to Usenet newsgroups
are also considered to be spam, and continue to plague readers of the
thousands of groups affected.
How did the term "spam" for this stuff come
into use?
Spam® (note: capital 'S') is a registered trademark of the Hormel
Foods Corporation for a canned meat product ("spiced ham") that
has been around for more than 60 years. In the early 1970s, the British
comedy group Monty Python's Flying Circus did a television sketch that
revolved around the characters repeating the word "Spam" over
and over and over and...well, you get the idea. It's not clear exactly
when, but probably sometime in the early 1990s, when junk e-mail and postings
really began to gain steam, "spam" came into common usage to
describe them, and the Pythons' sketch is generally credited as the inspiration.
What, exactly, is "spam"?
First, let's be clear about what is not spam:
E-mail messages and newsgroup postings that are
threatening or harassing are not considered to be spam. If you
have received threatening or harassing e-mail or been the subject of similar
newsgroup postings, or you feel the personal safety of yourself or any
other person has been threatened via e-mail or newsgroup posting, you
should report it directly to Penn Public Safety at 511 (on-campus)
or 215-573-3333 (off-campus).
Having said that, pretty much any unsolicited e-mail you receive
that pitches you products, goods, services, etc. for sale can be considered
spam. When you do some things on the web, such as register new software
or buy products from legitimate vendors, they often present you with a
check box (usually pre-checked for your "convenience", meaning
you have to actively un-check it to decline) that says something like
"Send me information on deals and specials", and the box is
often easily missed due to the way it's placed on the page. This can result
in your receiving commercial e-mail that you don't remember "soliciting",
but it's not really spam, since technically, you did ask them to
send it to you, even if you didn't realize it. Most reputable web vendors
and marketers, though, will honor requests to be removed from their lists.
Spammers, on the other hand, rarely do (more on that below).
What if whatever it is the "spam" is selling
is illegal?
Although the people doing the selling may not be entirely honest business
people, in most cases the products, services, etc. contained in spam messages
are, on the surface at least, entirely legal. There are exceptions, though,
that include (but are not limited to):
- Child pornography - or more accurately, material depicting
sexual activity involving a minor. Owning or distributing material of
this sort is a Federal offense in the U.S., and holds similar status
in most countries around the world.
- Illegal drugs, controlled substances and other contraband - such as heroin,
marijuana, explosives, etc.
- "Pirated" software, CDs, DVDs, games - sometimes
called "warez", these are illegally copied programs, albums,
movies, etc. offered at cut-rate prices, or even free in some cases
- Fraud - this includes chain letters of any sort, "pyramid"
and "Ponzi" schemes and, in general,
fraudulent misrepresentation of the goods, services, terms of payment,
etc.
If you receive a spam e-mail or newsgroup posting that you believe is
promoting illegal materials and/or fraud, or otherwise constitutes criminal
activity, report it to Penn Public Safety at 511 (on-campus)
or 215-573-3333 (off-campus). There is one notable exception
to this, though - the infamous "419" or "Nigerian
Scam". This is a well-known "advance fee fraud" scheme that
has been around for more than 20 years, but has multiplied many times
over in the form of spam. We have a special page for it at http://www.upenn.edu/computing/security/advisories/419scam.php.
In general, though, do not report Nigerian Scam messages to Public Safety.
Isn't "spam" itself illegal?
A number of states and local jurisdictions have enacted laws aimed at
prosecuting people who send spam, however, a close reading of these laws
shows that they are actually laws against sending e-mail with forged or
fraudulent headers, and make no reference to content.
In 2003, Congress enacted anti-spam legislation that has come to be known as the CAN-SPAM Act, which states that in order for a commercial e-mail message to be considered legal, it must:
- Contain no false or misleading message header information - the "To:", "From:" and "Received:" (message routing) headers must be accurate
- Contain no deceptive or misleading "Subject:" header information
- Provide the recipient with a valid "opt-out" method to request the sender stop sending additional messages
- Identify itself as a commercial message and include the sender's correct, valid postal ("snailmail") address
As long as a message meets the above criteria, a commercial e-mail message generated in the US may meet the definition of "spam" - commercial and unsolicited - yet be perfectly legal. The fact, of course, is that the overwhelming majority of "spam" contains all sorts of bogus headers and misleading information. However,
the larger problem is that even if valid, constitutional laws exist, they
are to a large extent unenforceable because:
- U.S. law enforcement agencies do not have the time, resources and
manpower to pursue what would likely amount to millions of individual
complaints
- A major portion of spam sent to U.S. addressees comes from foreign
countries which, in most cases, have no anti-spam laws at all, or if
they do are likewise unable (or unwilling) to follow up and prosecute.
Why do they keep "spamming"? Nobody buys
stuff through "spam", do they?
Available figures suggest that the "rate of return" on direct
e-mail marketing is somewhat less than one percent, some peg it at about
0.75%. Compared to more traditional Third Class "junk mail" postal marketing, this is abysmal,
but on the other hand, the cost to send several million e-mails is minuscule
when compared to the cost of third class mailing of a similar number of
printed flyers, etc. So, surprisingly, "spamming" turns out
to be very profitable if the spammer has a big enough list of valid e-mail
addresses. The plain fact is that spammers keep spamming because they
are making money, because there are enough people who do
respond to spam ads to make it worthwhile.
How do they get these addresses - including mine?
It is nearly impossible to keep your e-mail address "secret"
or exclusive, no matter how hard you try. There are numerous ways that
spammers acquire the addresses they bombard. Here are just a few:
- If you ever entered your e-mail address on a website, it might be
used by that site, or sold or given to others for mass mailings
- Any e-mail you send out contains your return address. The original
recipients may forward it on through a chain of others until it lands
on a spammer's list
- If you use "vacation/out of office" replies on your e-mail account when you're away, you may be automatically generating a reply to each incoming spam message that confirms that your address is valid, and that someone is reading it (see "What should not be done about 'spam'?", below). This makes it more likely that your address will be sold/swapped by spammers.
- Spammers use "bots" to scan Usenet newsgroup postings for
e-mail addresses, so if you ever posted to a group and put your e-mail
address in the post, it may have been "harvested" in this
way.
- Similarly, spammers' "bots" also cruise the web looking
for e-mail addresses on web pages. If you have a personal web page that
has your e-mail address on it (especially as part of a "mailto:"
hyperlink), or there is some other page (departmental, school, etc.)
with your address, they might acquire it this way as well.
- If you've ever subscribed to an e-mail discussion list, or listserv,
it's possible that the listowner sold all the addresses to a spammer
- Spammers often probe large, well-known mail hosts (Penn has several)
to learn active account names. This sometimes involves the "brute
force" approach of attempting to send mail to every possible 8-character
account name and noting which ones the server accepts rather than rejects.
- If your e-mail address appears in an online directory, it may have
been picked up by a spammer. Penn's online directory is at http://www.upenn.edu/directories.
To update the information about you that is available to a search of the online directory, select the "Update directory listings" link on the main directory page (PennKey authentication required)
- Spammers also sell and swap "catalogs" of e-mail addresses
among themselves. These catalogs are sometimes printed, but recently
are more likely to be on CD-ROMs that contain literally millions of
valid addresses.
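The "vacation reply" leak in the list above is easy to avoid if the auto-responder checks a few headers before answering. The following is an added example, not code from this page or from any mail vendor's vacation program: it refuses to answer mail with a null Return-Path (bounces), mail that marks itself as automatically generated (the Auto-Submitted header of RFC 3834), mailing-list and bulk mail (Precedence and List-* headers), mail on which you are not a visible recipient, and any sender it has already answered. The sample messages and addresses are constructed.

```python
"""Decide whether an incoming message deserves an automatic
"out of office" reply.  Added example, not part of the Penn page and not
any vendor's vacation program.  The header conventions checked are the
ones mailing-list software and RFC 3834 autoresponders use; the sample
messages below are constructed."""
from email import message_from_string
from email.utils import getaddresses, parseaddr


def should_autoreply(raw_message, my_address, already_replied):
    """Return (True, reason) if an auto-reply is appropriate, else (False, reason).

    already_replied is a set of sender addresses answered during this
    vacation period; it is updated on a positive decision so each human
    correspondent hears from us once, not once per message.
    """
    msg = message_from_string(raw_message)

    # 1. Null return path (<>): bounces and many bulk mailers.  Replying to
    #    it either fails or double-bounces, so never do it.
    if msg.get("Return-Path", "").strip() == "<>":
        return False, "null Return-Path"

    # 2. Mail that was itself generated by a machine (RFC 3834).
    auto = msg.get("Auto-Submitted", "no").strip().lower()
    if auto != "no":
        return False, "Auto-Submitted: %s" % auto

    # 3. List and bulk conventions.  Precedence: bulk/list/junk and any
    #    List-* header mark mail that must never be auto-answered.
    precedence = msg.get("Precedence", "").strip().lower()
    if precedence in ("bulk", "list", "junk"):
        return False, "Precedence: %s" % precedence
    if any(name.lower().startswith("list-") for name in msg.keys()):
        return False, "mailing-list headers present"

    # 4. Only answer mail visibly addressed to us.  Spam blasts usually
    #    carry a stranger, a group or nothing at all in To:.
    recipients = {addr.lower() for _, addr in
                  getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    if my_address.lower() not in recipients:
        return False, "we are not a visible recipient"

    # 5. One reply per correspondent.
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if not sender:
        return False, "no usable From:"
    if sender in already_replied:
        return False, "already replied to %s" % sender
    already_replied.add(sender)
    return True, "reply to %s" % sender


# Constructed samples.
HUMAN = """Return-Path: <alice@example.org>
From: Alice <alice@example.org>
To: John Doe <john.doe@myschool.upenn.edu>
Subject: lunch?

Are you around Thursday?
"""

SPAM = """Return-Path: <>
From: "Great Deals" <promo@example.net>
To: undisclosed-recipients:;
Precedence: bulk
Subject: BUY NOW

Click here!
"""

LIST_MAIL = """Return-Path: <owner-secmail@example.edu>
From: Bob <bob@example.edu>
To: secmail@example.edu
List-Id: <secmail.example.edu>
Subject: [secmail] patches

New patches posted.
"""

if __name__ == "__main__":
    replied = set()
    for label, raw in (("human", HUMAN), ("human again", HUMAN),
                       ("spam", SPAM), ("list", LIST_MAIL)):
        print(label, should_autoreply(raw, "john.doe@myschool.upenn.edu", replied))
```

Most vacation programs and mail servers already apply some of these rules; the point is to confirm yours does before turning the reply on, because a spam blast is exactly the kind of mail the fourth and first checks reject.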
What can I do to keep "spam" out of my inbox
completely?
Here's a foolproof method:
- Locate the cord (usually black, about 1/2 inch thick) coming from
the back of your computer and going to an AC power socket on the wall
or power strip.
- Pull it out of the socket.
- Never plug it back in again.
If you're not quite ready for that drastic a step, start by coming to
terms with the fact that it is virtually impossible to avoid dealing with
spam at some level unless you're willing to give up using computers entirely.
There are some things you can do, though, that will help ease the pain
of dealing with spam, even if it's just a little bit:
- The Direct Marketing Association's E-mail Preference Service (http://www.e-mps.org/en/)
lets you register e-mail addresses that you would like to keep out of
mailing lists. All DMA members (more than 4,500) are required to remove
registered addresses from their mailing lists, and the service is available
to non-members as well.
- If you receive spam that appears to originate from a Penn user
or computer, or appears to pass through a Penn computer (see "e-mail
relays", below), contact Penn Information Security at security@isc.upenn.edu.
Using Penn computing resources for commercial purposes is a violation
of the Acceptable Use Policy. Be aware, though, that e-mail headers
are very easily forged, especially the "From:" and "To:"
headers; the only lines you can rely on are the "Received:" headers
added by mail servers you (or Penn) control.
- If the spam is coming from off-campus (and this is the case well over
99% of the time), and you want to be more proactive about it, you can
attempt to identify the spammer's Internet Service Provider (ISP) and
send a complaint directly to them. This sometimes yields results, and
some ISPs will be very responsive, but be aware that it is easy for spammers
to simply change ISPs, or open a phony account with one of the free
e-mail services (Hotmail, Yahoo, et al) and pick right up where they
left off. There are a number of web-based services that will help you
trace and identify the sources of spam (as much as is possible - spammers
are very crafty). Probably the best known is SpamCop (www.spamcop.net). You can do this yourself, of course, but you'll need
to know how to interpret e-mail headers and do a whois lookup. A good
set of free tools for this can be found at http://www.samspade.org
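Reading the headers yourself means following the "Received:" chain, and knowing which part of it to believe. As an added example (not from this page, and not SpamCop's or Sam Spade's code), the script below reads a constructed message's Received: lines top-down, trusts only the ones written by mail servers you name as your own, and reports the first outside IP address one of your servers accepted the message from. That is the address to look up with whois; every Received: line below it was supplied by the sender and proves nothing. The message, host names and IP addresses are constructed (documentation ranges).

```python
"""Trace a spam message back to the first hop we can vouch for.
Added example, not part of the Penn page and not SpamCop's or Sam Spade's
code.  Received: headers are read top (newest) to bottom; only hops that
our own servers wrote are believed, and the first client those servers saw
that is not ours is the best available origin.  Everything below that hop
was supplied by the sender and may be forged.  The message, host names and
addresses are constructed (documentation IP ranges)."""
import re
from email import message_from_string

# Matches the common "from <helo> (<rdns> [<ip>]) by <host>" clause.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"             # name the client gave in HELO/EHLO
    r"(?:\s+\((?P<paren>[^)]*)\))?"     # optional "(rdns-name [ip])" our server added
    r"\s+by\s+(?P<by>\S+)",             # the server that wrote this line
    re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Return {'helo', 'rdns', 'ip', 'by'} for one Received: header, or None."""
    m = RECEIVED_RE.search(" ".join(value.split()))   # unfold continuation lines
    if not m:
        return None
    paren = (m.group("paren") or "").split()
    ip = IP_RE.search(m.group("paren") or "")
    return {"helo": m.group("helo"),
            "rdns": paren[0] if paren else None,
            "ip": ip.group(1) if ip else None,
            "by": m.group("by").rstrip(";")}


def find_origin(raw_message, our_hosts, our_ips):
    """Return (origin_hop, untrusted_hops).  origin_hop is the first hop in
    which one of our_hosts accepted mail from an address not in our_ips;
    untrusted_hops are the Received: lines below it, which the sender wrote."""
    msg = message_from_string(raw_message)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    ours = {h.lower() for h in our_hosts}
    for i, hop in enumerate(hops):
        if hop["by"].lower() not in ours:
            break                      # chain left our servers with no external handoff
        if hop["ip"] in our_ips:
            continue                   # internal hop between our own machines
        return hop, hops[i + 1:]
    return None, hops


# Constructed sample: a spammer on 198.51.100.7 connects to our relay,
# claims "mail.upenn.edu" in HELO, and prepends a fake webmail hop.
SAMPLE = """Received: from relay.myschool.upenn.edu (relay.myschool.upenn.edu [192.0.2.2])
    by mail.myschool.upenn.edu (Postfix) with ESMTP id 1A2B3C
    for <john.doe@myschool.upenn.edu>; Mon, 25 Feb 2008 09:12:01 -0500
Received: from mail.upenn.edu (dsl-7.example.net [198.51.100.7])
    by relay.myschool.upenn.edu (Postfix) with SMTP id 4D5E6F;
    Mon, 25 Feb 2008 09:11:58 -0500
Received: from webmail.example.com (webmail.example.com [203.0.113.9])
    by mail.upenn.edu with SMTP; Mon, 25 Feb 2008 09:11:50 -0500
From: "Free Stuff" <noreply@example.com>
To: john.doe@myschool.upenn.edu
Subject: You have won

Click to claim.
"""
OUR_HOSTS = {"mail.myschool.upenn.edu", "relay.myschool.upenn.edu"}
OUR_IPS = {"192.0.2.1", "192.0.2.2"}

if __name__ == "__main__":
    origin, forged = find_origin(SAMPLE, OUR_HOSTS, OUR_IPS)
    print("origin IP: %s (HELO claimed %s, reverse DNS %s)"
          % (origin["ip"], origin["helo"], origin["rdns"]))
    print("unverifiable hops below it:", len(forged))
```

Note that the spammer's machine announced itself as "mail.upenn.edu" in HELO; a trace that believed the HELO name, or the bottom-most Received: line, would blame the wrong party, which is how the "return fire" mistake described under "What should NOT be done" gets made.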
With regard to Usenet spam, there are rules on Usenet relating to the
posting of multiple copies of the same "article". When the thresholds
are exceeded, the posting is termed "spam" and cancels for the
posting can be issued. This definition relies solely on message count,
not content.
In general, for postings to newsgroups in the upenn.* hierarchy and for
postings in outside newsgroups by Penn people, Penn will follow the Usenet
rule-of-thumb that 20 or more copies of essentially the same article will
be cancelled. There are a number of adjustments to that rule-of-thumb
to deal with excessive cross-postings, and to deal with multiple postings
spread out over time. Cancellation will not be automatic - please report
any spam postings meeting the above description to abuse@upenn.edu
for cancellation.
If you are a regular poster to Usenet, you can reduce your "spam
profile" to some degree. One technique is to avoid putting your actual
e-mail address in a posting (either in the headers or the text of the
post) in a form that can be interpreted and collected by a "bot"
(automated web-crawling software application that combs websites, newsgroups,
etc. for data). For example, if your e-mail address is john.doe@myschool.upenn.edu,
and you regularly append a signature to your newsgroup postings that contains
that address (usually so people can make off-group, private responses),
then you might want to consider editing the signature in such a way that
an actual human can still recognize and interpret it, but a "bot"
will be unable to. In this case, a couple of possibilities might be:
john-dot-doe-at-myschool-dot-upenn-dot-edu
johnx.doex@myxschool.upenn.edu (remove 'x's for correct address)
You can also do this with the configuration for your newsgroup headers.
Be aware, though, that if you use the same program to read and send both
e-mail and newsgroup postings (Netscape, for example), the headers for
both e-mail and newsgroup will use the same configuration settings. Normally,
you do want your e-mail headers, especially the "Return Address",
to be accurate, so if this is the case, you may want to consider using
different programs for e-mail and newsgroups.
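Here is what the harvesting "bot" mentioned earlier actually does, and how the two disguised signatures suggested above fare against it. This is an added example, not part of the page: harvest() is a naive harvester that picks up anything address-shaped, including mailto: links and HTML entity-encoded "@" signs, and harvest_smart() is a slightly smarter one that also decodes the "-dot-"/"-at-" spelling and the "(at)"/"(dot)" variant, which goes beyond the two forms shown above. The signatures and the web page snippet are constructed.

```python
"""What an address-harvesting bot does, and how far signature tricks go.
Added example, not part of the Penn page.  harvest() is the naive bot;
harvest_smart() also undoes the '-dot-'/'-at-' spelling and the
'(at)'/'(dot)' variant.  All sample text is constructed."""
import re
from html import unescape
from urllib.parse import unquote

ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
MAILTO_RE = re.compile(r"""href\s*=\s*["']?mailto:([^"'>?\s]+)""", re.IGNORECASE)
HYPHEN_RE = re.compile(r"([A-Za-z0-9._-]+)-at-([A-Za-z0-9_-]+(?:-dot-[A-Za-z0-9_-]+)+)",
                       re.IGNORECASE)


def harvest(text):
    """Naive bot: plain addresses plus mailto: targets, lower-cased."""
    text = unescape(text)                      # &#64; and friends become '@'
    found = {unquote(m.group(1)).lower() for m in MAILTO_RE.finditer(text)}
    found.update(m.group(0).lower() for m in ADDR_RE.finditer(text))
    return found


def harvest_smart(text):
    """Bot that also decodes the common human-readable obfuscations."""
    found = harvest(text)
    for m in HYPHEN_RE.finditer(text):         # john-dot-doe-at-host-dot-tld
        local, domain = (g.replace("-dot-", ".") for g in m.groups())
        found.add(("%s@%s" % (local, domain)).lower())
    spaced = re.sub(r"\s*[\[(]\s*at\s*[\])]\s*", "@", text, flags=re.IGNORECASE)
    spaced = re.sub(r"\s*[\[(]\s*dot\s*[\])]\s*", ".", spaced, flags=re.IGNORECASE)
    found.update(m.group(0).lower() for m in ADDR_RE.finditer(spaced))
    return found


# Constructed inputs: a plain signature, a departmental web page, the two
# obfuscated signatures suggested above, and a "(at)"/"(dot)" variant.
SIG_PLAIN = "-- \nJohn Doe\njohn.doe@myschool.upenn.edu\n"
WEB_PAGE = ('<p>Contact <a href="mailto:john.doe@myschool.upenn.edu?subject=hi">John</a>'
            ' or webmaster&#64;myschool.upenn.edu</p>')
SIG_HYPHEN = "-- \nJohn Doe\njohn-dot-doe-at-myschool-dot-upenn-dot-edu\n"
SIG_PADDED = "-- \nJohn Doe\njohnx.doex@myxschool.upenn.edu (remove 'x's for correct address)\n"
SIG_PARENS = "-- \nJane Roe, jane (at) example (dot) org\n"

if __name__ == "__main__":
    for label, text in (("plain", SIG_PLAIN), ("web page", WEB_PAGE),
                        ("-dot-/-at-", SIG_HYPHEN), ("x-padded", SIG_PADDED),
                        ("(at)/(dot)", SIG_PARENS)):
        print("%-12s naive=%s smart=%s" % (label, sorted(harvest(text)),
                                          sorted(harvest_smart(text))))
```

The padded form is harvested, but as the bogus address johnx.doex@myxschool.upenn.edu, which merely bounces; the hyphenated form defeats the naive bot but is a regular enough pattern that the smarter one decodes it. Neither is a substitute for keeping the address off the page or out of the headers when you can.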
What should NOT be done about "spam"?
Don't try "fighting fire with fire" by "e-mail bombing"
the suspected spammer - remember, the return address is almost certainly
forged, and you may leave yourself open to a complaint from an innocent
third party. Also, there have been instances where spammers subjected
to this sort of "return fire" have turned the tables and successfully
prosecuted the responsible party.
Do not use the "Click here to be removed from this list"
links that are often found in spam messages. All you will do is give
them a response that tells them there is a live, breathing person at the
other end who is reading that address - which is exactly the kind of information
they want to know. Letting them know you're there is a sure way to get
even more spam.
Aren't there ways of filtering "spam" out
at the mail server?
There are many people devoting a great deal of time and brainpower to
coming up with accurate and efficient ways of filtering out spam before
it gets to your mailbox, and a lot of progress has been made, but it's
still a very inexact science. As quickly as new rules and methods of filters
are devised, the spammers tend to be able to work around them and/or come
up with new tricks. The problem is that, no matter how good the filters
are, there will always be some level of the following:
- "False positives" - legitimate e-mails that are flagged
as spam.
- "False negatives" - spam that makes it through the
filters and is considered "OK"
The possibility of false positives, in particular, requires that instead
of sending messages flagged as spam directly into the trash, they must
be directed into some sort of "quarantine" mailbox until the
user can inspect them to make sure that one or more important, legitimate
messages haven't been wrongly flagged. Although checking a quarantine probably
takes less of the user's time than sorting spam out of the inbox by hand, it
does significantly cut into the presumed time savings of filtering. Also,
many system administrators are reluctant to implement spam filtering due
to the added processing time and load it places on the system.
That said, though, a number of large mail hosts at Penn have begun offering spam filtering services - check with the support staff for your mail host to find out more.
Can't there be a list of addresses I don't want to
receive e-mail from that can be blocked at the server?
For a variety of legal and policy reasons, the principle at work for Penn-owned e-mail servers
is that the University cannot determine who is or is not
allowed to send you e-mail, in the same way that no one can dictate who can and cannot send you postal mail through the U.S. Postal System. Many programs
for reading e-mail (Eudora is a notable example) have filtering capability,
and you are entitled to use it to set up your own local filters. Remember,
though, it could end up being a long list of filters - spammers change
addresses frequently, and use all sorts of tricks to get around filters.
A filter that matches only on the sender's address has to be updated every time they do,
and your machine may end up spending as much processing time running the
filters as it would have taken to simply delete the messages.
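A small scoring filter with a quarantine folder, plus the false-positive/false-negative bookkeeping described under the server-side filtering question above, as an added example (not Penn's filter and not any product's): five constructed messages are run through both a rule-scoring classifier and a plain sender blocklist of the kind a local mail filter implements, and evaluate() counts the mistakes of each. Rule weights and the threshold are illustrative assumptions.

```python
"""Toy scoring filter with a quarantine folder, and the false-positive /
false-negative accounting described above.  Added example, not Penn's
filter and not any product's.  Rule weights and the threshold are
illustrative assumptions; the corpus is constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed corpus: (raw message, is_spam).
CORPUS = [
    ("""From: Alice <alice@example.org>
To: john.doe@myschool.upenn.edu
Message-ID: <1@example.org>
Subject: lunch?

Thursday?
""", False),
    ("""From: ops@example.org
To: john.doe@myschool.upenn.edu
Message-ID: <2@example.org>
Subject: URGENT: SERVER DOWN

Click here for the status page: http://status.example.org/
""", False),
    ("""From: "Great Deals" <promo@example.net>
To: undisclosed-recipients:;
Precedence: bulk
Subject: FREE STUFF INSIDE

Click here, winner!
""", True),
    ("""From: "Great Deals" <promo2@example.biz>
To: undisclosed-recipients:;
Precedence: bulk
Subject: FREE STUFF INSIDE

Click here, winner!
""", True),
    ("""From: newsletter@example.com
To: john.doe@myschool.upenn.edu
Message-ID: <9@example.com>
Subject: Your account

Please confirm your details at http://example.com/verify
""", True),
]

ADDRESS_BOOK = {"alice@example.org"}      # people we know: strong ham signal
BLOCKLIST = {"promo@example.net"}         # a user-maintained sender filter
QUARANTINE_THRESHOLD = 2.5                # assumed; at or above -> quarantine


def sender(msg):
    return parseaddr(msg.get("From", ""))[1].lower()


def body(msg):
    return msg.get_payload() if not msg.is_multipart() else ""


# (name, points, predicate).  Positive points mean "looks like spam".
RULES = [
    ("subject_all_caps", 1.5, lambda m: m.get("Subject", "").isupper()),
    ("sales_words", 1.0, lambda m: bool(re.search(r"\b(free|winner|click here)\b", body(m), re.I))),
    ("undisclosed_recipients", 1.5, lambda m: "undisclosed" in m.get("To", "").lower()),
    ("precedence_bulk", 1.0, lambda m: m.get("Precedence", "").lower() in ("bulk", "junk")),
    ("no_message_id", 1.0, lambda m: not m.get("Message-ID")),
    ("known_correspondent", -3.0, lambda m: sender(m) in ADDRESS_BOOK),
]


def score(raw):
    """Return (total, [(rule, points) that fired]) for one message."""
    msg = message_from_string(raw)
    hits = [(name, pts) for name, pts, test in RULES if test(msg)]
    return sum(p for _, p in hits), hits


def classify_by_score(raw):
    """Never straight to the trash: anything at/over threshold goes to quarantine."""
    return "quarantine" if score(raw)[0] >= QUARANTINE_THRESHOLD else "inbox"


def classify_by_blocklist(raw):
    return "quarantine" if sender(message_from_string(raw)) in BLOCKLIST else "inbox"


def evaluate(classifier):
    """Count legitimate mail wrongly quarantined and spam wrongly delivered."""
    fp = fn = 0
    for raw, is_spam in CORPUS:
        verdict = classifier(raw)
        fp += verdict == "quarantine" and not is_spam
        fn += verdict == "inbox" and is_spam
    return {"false_positives": fp, "false_negatives": fn}


if __name__ == "__main__":
    for name, clf in (("scoring", classify_by_score), ("blocklist", classify_by_blocklist)):
        print(name, evaluate(clf))
```

On this corpus the scoring filter quarantines one legitimate message (an all-caps subject with "click here" in the body) and passes one spam with clean headers, while the blocklist misses both spams whose sender is not on the list, including the one that simply changed addresses. That is why flagged mail goes to quarantine rather than the trash, and why an address list alone never catches up.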
What is an open e-mail relay, and what does it have
to do with "spam"?
In the early days of the Internet, it was literally possible to know
not only the name and address of every single mail server on the Net,
but also every person using those servers. The Net was a relatively closed
community whose members had a level of trust in each other that extended
down to the computers attached to the network. To facilitate the flow
of e-mail traffic around bottlenecks, the original e-mail specifications
- which are essentially still in use, unchanged - provided for mail servers
to "trust" each other enough that Server A would "relay"
mail from Server B that was addressed to Server C in the event that the
most direct path from B to C (say, through D or E) was slow or unavailable.
As more and more people began using the Internet, this sort of trust
relationship became unworkable and, more to the point, dangerous, as it
allowed e-mail tricksters to more easily "hide their tracks".
Security-conscious system administrators began turning off the "relay"
function, and it is now standard practice not to allow a mail host to
act as a relay.
In recent years, particularly with the popularity of operating systems
like Linux that usually include the capability to be set up as a mail server,
more and more mail servers are coming online. The problem is that in some
cases, the "relay" function is enabled by default, and the people
setting up the server aren't experienced enough to know and understand
the ramifications. Or, in some cases, the setup routine asks "Do
you want to allow this to act as a mail relay?" and the installer
will answer "yes", again without understanding what it really
means.
Today, however, what happens much more frequently is that virus writers include a feature that turns a newly-infected computer into an open e-mail relay (in addition to all the other bad things it does - yet another reason to install and use anti-virus software) which spammers will actually pay to use to "funnel" spam messages.
An open mail relay is pure gold to a spammer, and they scan for them
constantly. If they find enough of them, they can pour millions of spam
messages through what is, essentially, an untraceable network. Open relays
are a major link in the "Spam Road".
When an open mail e-mail relay is found at Penn, Information Security
will request that the owner or administrator close the relay or take the
server off the network until the relay has been closed. If the owner or
administrator cannot be located, or refuses to close the relay, Information
Security will request a port disconnection under the Disconnect Policy.
OK, I'm running an e-mail server - how can I find
out if I have an open relay?
Visit the SpamHelp site at http://www.spamhelp.org/shopenrelay/,
where you can test your system, plus read a whole lot more about open
relays.
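The relay check reduces to one SMTP conversation: connect from outside, give an outside sender, ask for an outside recipient, and see whether the server answers 250 (it will carry the mail) or refuses. As an added example (not the SpamHelp tester and not Penn code), the script below runs that conversation offline against a tiny in-memory SMTP server whose relay policy is the one a closed server should implement: accept a recipient only if the domain is local or the client is on your own network. Domains, addresses and networks are constructed.

```python
"""Open-relay test against an in-memory SMTP server.  Added example, not
the SpamHelp tester and not Penn code.  SmtpPolicy is the relay decision
a server should make; FakeSmtpServer speaks just enough SMTP to apply it;
probe() runs the conversation a relay tester sends.  All hosts, domains,
addresses and networks are constructed (documentation ranges)."""
import ipaddress


class SmtpPolicy:
    def __init__(self, local_domains, trusted_nets, open_relay=False):
        self.local_domains = {d.lower() for d in local_domains}
        self.trusted_nets = [ipaddress.ip_network(n) for n in trusted_nets]
        self.open_relay = open_relay      # the misconfiguration described above

    def allow_rcpt(self, client_ip, rcpt):
        """Accept a recipient only if it is in one of our domains, or the
        connecting client is on our own network.  Anything else is relaying."""
        if self.open_relay:
            return True
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain in self.local_domains:
            return True
        ip = ipaddress.ip_address(client_ip)
        return any(ip in net for net in self.trusted_nets)


class FakeSmtpServer:
    """Answers HELO/MAIL/RCPT/QUIT with the reply codes a real server uses."""
    def __init__(self, policy, client_ip):
        self.policy, self.client_ip = policy, client_ip

    def handle(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 mail.myschool.upenn.edu"
        if verb == "MAIL":
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            rcpt = arg.split(":", 1)[-1].strip().strip("<>")
            if self.policy.allow_rcpt(self.client_ip, rcpt):
                return "250 2.1.5 Ok"
            return "554 5.7.1 <%s>: Relay access denied" % rcpt
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "502 5.5.2 Error: command not recognized"


def probe(server, mail_from, rcpt_to):
    """Run the tester's conversation; return (recipient_accepted, transcript)."""
    accepted, transcript = False, []
    for cmd in ("HELO tester.example.org",
                "MAIL FROM:<%s>" % mail_from,
                "RCPT TO:<%s>" % rcpt_to,
                "QUIT"):
        reply = server.handle(cmd)
        transcript += ["C: " + cmd, "S: " + reply]
        if cmd.startswith("RCPT") and reply.startswith("250"):
            accepted = True
    return accepted, transcript


def is_open_relay(policy, outside_client="198.51.100.7"):
    """Outside client, outside sender, outside recipient: a 250 means open relay."""
    return probe(FakeSmtpServer(policy, outside_client),
                 "tester@example.org", "victim@example.net")[0]


CLOSED = SmtpPolicy(["myschool.upenn.edu"], ["192.0.2.0/24"])
OPEN = SmtpPolicy(["myschool.upenn.edu"], ["192.0.2.0/24"], open_relay=True)

if __name__ == "__main__":
    for label, policy in (("closed", CLOSED), ("open", OPEN)):
        ok, lines = probe(FakeSmtpServer(policy, "198.51.100.7"),
                          "tester@example.org", "victim@example.net")
        print("%s server -> %s" % (label, "OPEN RELAY" if ok else "relay refused"))
        print("\n".join(lines))
```

Against a real server you send the same four commands over a telnet (or nc) connection to port 25 from a host outside your network; a 250 to the RCPT TO for an outside address is the open relay. In Postfix the corresponding settings are mynetworks and relay_domains: keep mynetworks limited to your own address ranges and leave relay_domains empty unless you really are a backup mail exchanger for someone.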
Last updated: Monday, February 25, 2008