00/09/12 RMIUG Meeting Minutes - SPAMFest 2000

Dan Murray called the meeting to order at 7:00. About 40 people were in attendance. He introduced Art Smoot and Tom Bresnahan from the RMIUG executive committee.

Next, Dan opened the floor for announcements:

- Eric Payne, a MicroStaff recruiter, introduced himself and invited all interested parties to view the available positions on the MicroStaff web site: http://www.microstaff.com

- Tom Bresnahan reminded Colorado SuperNet dialup users to check their mail for the USWest.net CD containing the letter canceling SuperNet dialup accounts as of Oct 6, first posted on the RMIUG-discuss mailing list by Alek Komarnitsky on Sept 11. Many have already thrown away this CD without realizing it was a notice of cancellation.

- Jeff Finkelstein jf@persona.com announced: I wanted to give everyone an early alert on two free consumer privacy products that our company is about to release. The first is a downloadable toolbar called Valet that is a P3P-reader, an enhanced cookie-blocker, and also has server-side bookmarks and auction search function. The second product is called PersonaMail, and is a server-based email spam filtering and forwarding service. A user will register for an email address @personamail.com, and set server-based rules on what email will be forwarded to their primary email account (block by sender, domain, or create more advanced rules). The filtered mail is stored on our system, and a summary email containing the from and subject lines of the filtered emails is sent to the user on a daily or weekly basis. Please contact me by email at if you are interested in either of the two products; I will let you know as soon as the products are available.

- Marci Bowman/Boulder/Contr/IBM marcib@us.ibm.com recommended a web page concerning privacy issues that makes "interesting (and scary) reading". http://joel.editthispage.com/stories/storyReader$139

- The Boulder Community network needs help and volunteers. Contact Jim Harrington jimh@bcn.boulder.co.us Director director@bcn.boulder.co.us

----------------------------

The first speaker was Charlie Oriez coriez@oriez.org, a leading anti-Spam expert. He has almost 30 years in the I.T. industry, including over 5 years on the Internet as a web author and owner and/or administrator for a number of domains. He is also National Legislative Chair and past Mile High Chapter chair for the Association of Information Technology Professionals. He regularly comments on spam and other Internet issues for the Information Executive newspaper.

You don't need to be an expert to fight spam.

Spam has a cost. In a survey of Internet Service Providers (ISP's) (1): - 94.0% reported that spam irritates their subscribers. - 79.5% reported that UCE (unsolicited commercial e-mail) slows system performance. - 75.9% stated that it increases operating costs. - 33.7% said it creates system outages. - 58.5% reported daily or more frequent impact. - 28% said weekly impact. Source CIX (Commercial Internet eXchange Association) Q. How can spam cause a system outage? A. Excess mail can clog up the mail servers, preventing non-spam e-mail from getting through.

America Online testified to the Federal Trade Commission that one-third of their capacity was used to carry spam.

Netcom reported that their cost was one million dollars per year.

Brightline estimated a cost of $225 million, based on 5 seconds of processing time to hit the Delete key, with an average of 200 spam messages per year (a very low estimate). An estimated 25 million spam messages are sent each day.

What are some of the top lies of spammers? Lie - They have the right to talk. First amendment right. Truth - You have the right to complain.

Lie - They're just honest businessmen trying to make a buck. Truth - Most ISP's have an acceptable use policy (AUP) prohibiting spam. All users, including spammers, agree to this policy when they set up an account with the ISP. If the spammers lie to their ISP, can you believe what they tell you?

Q. Some marketers set up their own ISP's to get around this requirement. A. Even ISP's have to sign with upstream provider that they won't spam. Q. What if I buy a T3? A. IP level service requires the same anti-spam contract.

Lie - There's no cost if you hit Delete. Truth - You're still paying for the cost of the ISP's servers and bandwidth, not to mention the cost of your time to read the headers and hit the Delete key.

Lie - You're saving trees with spam. Truth - Have you ever gotten spam from someone who previously sent you something on paper? No. The Sierra Club's position is that it degrades signal to the point that e-mail is losing usefulness. They use MAPS to block spam. Q. What is MAPS? A. It's a set of databases that ISP's use to block spam. http://www.mail-abuse.org

Q. SB 1618 says this isn't spam because there's a remove address. A. Two problems with this. 1) 1618 doesn't define spam, it just says the message can't have forged headers. 2) 1618 died 2 years ago.

Q. Should I respond to the spam address to have my name removed? A. No. You're validating your address and saying you read spam, so he can sell at a higher rate. It's probably not a valid address anyway. Hotmail and Qwest say never respond to spam.

Spam Law 101. IANAL (I Am Not A Lawyer) The Colorado anti-spam law CRS 6-2.5-101 was passed Aug 2. You can sue the spammers. You can't sue in small claims court unless they're in Colo, and you have to sue in their county court. Provisions: - Have to have ADV in Subject, this might get struck down. - Can't have forgeries. Handout example shows invalid return address techspot.com. - Have to have a valid remove address, but even a valid address could get killed by the ISP if they get complaints about spam from that address.

HR 3113 passed the House, now in Senate. They might not get to it, not scheduled for a vote, so not likely to pass in next three weeks. Any bill that has not passed when the legislature adjourns in an election year is dead.

Q. What is your view of Colorado bill that seems to sanction spam as long as it has ADV in the header? A. The Colorado bill says that no ISP can be sued for blocking spam. Harris (the pollster) met the criteria. MAPS but them on the list. Harris wasn't doing single opt in, verifying that you were the one subscribed.

Q. Are there any cooperative agreements between states? A. Not that I know.

Some laws are effective, like ISP contracts that prohibit spam and support services. I-Bill used to handle credit card for porn spammers. I-Bill no longer supports spammers.

- Trespass to chattel. Flowers.com was forged by a domain in San Diego. The flowers.com servers were down for 3 days. They sued and collected from spammer.

Cyberpromo sued AOL on the basis that they had a monopoly on ads. Didn't work.

Most Rogue spammers pay cash for a cheap account, spam for 24 hours, then get out. Most find open servers that aren't secure. Open to mail that anyone sends.

Things your ISP can do to fight spam: - Have an AUP acceptable use practices (contract). If you breach contract, you agree to pay $50 per complaint and cleanup costs per bounce received. Cancellation of spammer should be as fast as possible. If the ISP takes it's time, you'll get reputation with spammers that you're friendly. -RBL DUL RSS are databases supported by MAPS (spam spelled backwards) Mail Abuse Prevention System. RBL blocks traffic to 40 % of the Internet. It's a list of IP addresses of spammers. - RSS is the Relay Spam Stopper. 17% of mail servers are insecure. RSS is an open server list that is verified. MAPS will send email to postmaster@badserver saying that mail is being blocked, here's how to fix it. MAPS checks RSS, RBL. Redmond WA. If make you make an unverified complaint and the ISP doesn't respond, you should call the ISP next. RSS is more technical because they can test the open relay. DUL is the DialUp List. The ISP's provide list of IP's that will never send valid e-mail. ORBS works like the RSS relay detector with a difference: ORBS will list open relay servers even if spam isn't sent through. ORBS checks a lot, and ISP's may consider this abuse of network and block ORBS. If you block ORBS, they will list you as a suspected spammer.

Q. Are there more Insecure severs because of Linux? A. I don't know.

Things NOT to do: - Don't respond to Remove. - Don't mail bomb. Don't assume address on spam is where it's from. - Don't buy from spammers.

Things you can do: - Complain effectively. - Find an ISP that uses MAPS. I get 3 a spams per week from Nilenet vs 10 a day from RMI. - Protect your email address. Don't give a valid address. Don't use a made up address, it may exist. Use me@privacy.net when giving an address. Use a throwaway address on Usenet newsgroups. - Always uncheck the consent to spam boxes on signup forms.

How to complain effectively: - Spam cop generates complaint emails with expanded headers. It's gotten a lot better. - Sam Spade is his favorite (Windows based). - Combat is an online version of Sam Spade. - Abuse.net (Internet for dummies guy runs this). He maintains list of correct addresses to complain. If you send complaint to aol.com@abuse.net , it is forwarded to the right address.

Download the PowerPoint slides for this presentation at: http://oriez.org/spam.ppt --

The next speaker was Geoff Mulligan geoff@mulligan.com, CEO of Interosa. He is an experienced leader in developing new technologies. Before joining Interosa, Geoff was a founder and senior engineer for Geocast Network Systems where he was focused on system software and network design. Prior to that, while at Sun Microsystems as a Senior Staff Engineer he was the principal architect for Sun's premiere firewall product - SunScreen and a founding member of the Internet Commerce Group. While on a sabbatical from Sun, Geoff helped start USA.NET, a global eMessaging Service Provider. Prior to joining Sun, Geoff worked at Digital's Network Systems Laboratory developing the DEC SEAL firewall, developing Networking courseware and researching email issues. Before working at Digital, he spent 11 years in the Air Force working at the Pentagon on computer and network security, building local and wide area networks and teaching computer science at the Air Force Academy. Geoff received a master of science degree in Computer Information Systems from the University of Denver and a bachelor of science degree in Computer Science from the United States Air Force Academy. He authored the book "Removing the Spam" and holds patents in network security and electronic mail.

Spam is like junk mail that you have to pay for (with postage due). It doesn't cost a spammer much, just pennies to send to millions of messages. They use dictionary attacks, like name in the book at aol.com and sun.com just to get two hits. So they don't care if they waste bandwidth.

Definitions: UCE - unsolicited commercial mail. UBE - unsolicited bulk mail. There's nothing for sale, but they may be trying to get you to do something.

Spam used to mean crossposting to different Usenet newsgroups where it shouldn't be, like posting a UNIX question in a Windows group. The first case of spam was a DEC sales person who decided to send it to ARPAnet. If you're interested in DEC computers give him a call. He sent 3000 messages in 1975. The green card lawyers in Arizona crossposted to 5900 newsgroups. They were roundly chastised, then they went on the book tour. Now they are disbarred for another reason; they didn't do what they advertised.

Usenet software started blocking crossposting, so spammers came up with using email instead with open relay servers. They can send one 2K message with 1000 addresses, and the ISP has to send out 2 MB worth of messages. Half the messages are not valid, so they bounce back to the server, slowing it to a crawl. It happened to me when I was working for an ISP in Maryland, but I was in Colorado. I researched what to do to prevent it, and wrote the book.

Q. How will it affect companies like MessageMedia that send lots of permission based e-mail? A. Send messages round robin to several mail servers at one company so you don't hit the timer limit. Sendmail can limit number of addresses in each message.

Stopping spam starts with you. Don't have open relays. The original version with Solaris was an open relay. Linux - Red Hat current versions have newer sendmail so it blocks open relays by default.

As soon as an anti-spam book comes out, spammers come up with a way around it. Get the latest version of whatever you're using, like sendmail 8.11.0.

Turn on anti-spam options like RBL (Realtime Blackhole List. RBL is supported by sendmail 8.10 and 8.11. The original Blackhole list used routing tables that routed packets to a black hole. This was an effective way to stop access to their web site, mail, ftp, everything. An easier way is to block it in sendmail, and the spammer gets a bounce saying we don't accept mail from you. You used to have to maintain your own list, but now that it's maintained, it's easier to get the good ones off the list, get the new ones on the list.

Q. How big is the RBL? A. Thousands. The open relay list is 50,000.

Filtering on the server (like procmail) better than filtering on your end.

Educate users. Teach what it means to be a spammer. The e-mail about the little boy who needs get well cards was a hoax. This type of mail, and chain letters are spam. You've got to pass it on to see the flying horse on the screen. Bill Gates will not donate money if you forward spam.

Q. What is the response rate? A. Since it only costs a spammer $10 to send spam, a one out of a million response is enough for them to make money.

Spammers should have to find those who want to see spam. Some people do buy from spam.

What you should do when receiving spam: - Don't respond. - Don't attack them back. Could mail bomb the wrong person. - Do report them to MAPS or Abuse@isp.address. See also http://www.abuse.net.

After this section of the talk, Dan gave away a copy of Geoff's book, courtesy of SoftPro ( http://www.softpro.com ). --

The third speaker was Steve Senator sts@senator.org. He has over 25 years experience in computing, having served as a programmer (scientific, systems, and network programming), analyst/programmer, systems and scientific systems analyst, systems and network architect, fault tolerant system designer, project leader, independent consultant, teacher and engineering manager. Steve's professional passion is problems of fault tolerant system design, the inception of which was his work on whole operating system checkpoint-restart mechanisms at Tandem Computers. Recently, Steve has applied lessons learned there to file system hardening at Sun Microsystems, on virtual private networking at the Granite Canyon Group, and as a consultant on numerous Internet-enabled projects. Steve holds six patents, chiefly in the area of file systems and device drivers. Steve holds a bachelor of arts degree in geological sciences from the University of Pennsylvania.

E- mail is the most widely used application on Internet. In 1969 people were sending files. SMTP grew out of this. Protocols at that time were trusting. The community was different then than now.

E-mail protocols lacked: - Integrity to detect modification of data. - Identification to label originators and recipients. - Authentication to verify identity. - Privacy to recode content for authorized parties only. (Note: this is not the same as confidentiality.) - Non-repudiation to certify message composition, transport, and receipt.

Efforts to add these features to e-mail include: - Privacy Enhanced Mail (PEM). - Multipurpose Internet Mail Extensions (MIME). - MIME Object Security Services (MOSS). - Pretty Good Privacy (PGP, OpenPGP). - Secure MIME (S/MIME).

Security features are not necessarily convenient. PGP only had a 50% adoption rate at a university where it was mandated. Secure MIME is gaining some ground.

Convenience and Security Bruce Schiner quote: "Given a choice between dancing elephants and security, most people will choose dancing elephants." People will choose features and convenience over security. However, Ben Franklin said: "Those who prefer security to freedom are destined to achieve neither."

Sever-based protocols exist to build in trust. - DNS SEC (RFC 2535, March 1999) - to construct the "web of trust" of SMTP servers - Secure SMTP (RFC 2487, Jan. 1999) - to implement transport security These aren't widely used. They are brought down by Least Common Denominators. People want to communicate with untrusted sources.

Products: The only one is Wietse Vanema's PostFix (open source).

The Zen of combating spam: It's not products or technology, the community needs to be educated.

Social protocols - MTA filtering MAPS ORBS - Mail storage mailbox filtering. Implement at server level - MUA filtering - Mail User Agent like in Outlook.

Public DNS Spam Anecdotes - Public DNS servers have to adhere to AUP (Acceptable Use Policy). No money collected is collected, but it's not acceptable to send spam. - These servers redirect all web traffic to anti-spam resource pages such as the Coalition Against Unsolicited Commercial E-mail ( http://www.cauce.org ) and the Federal Trade Commission ( http://www.ftc.gov ). - There are approximately two spam incidents per week.

Spammers are trying to establish a brand with a domain name. Public DNS sends a message to any domain name referred to in spam.

If a domain moves to another provider, TTL (time to live) is set to 6 months.

Create anti-spam communities by talking to upstream providers, talk to friends, other fighters, post anti-spam web pages.

References: - Crocker: "Internet Data Object Security" ( http://www.brandenburg.com/articles/datasecurity/ ) - IBM AlphaWorks, "SecureMail". - David Brin, "The Transparent Society". This book details how society must change in a networked world. Basically he says to let everyone see his stuff, but charge them for it or at least notify him. - Lawrence Lessig, "Code and Other Laws of Cyberspace". Source code can regulate our cyberspace activities more thoroughly than any law. - Amitai Etzioni, "The Limits of Privacy". He says that the FBI should be able to override privacy if reading encrypted messages would prevent a terrorist attack like the Oklahoma City bombing.

Read Woody's Office Watch to see what Microsoft is doing with your Passport ID in the Save My Setting wizard. ( http://www.woodyswatch.com/office/archtemplate.asp?5-n17 ) ---

Trivia question What is the origin of the word spam? It's from the Monty Python skit about a restaurant where everything is spam and it drowns out everything else.

Q. Any good filtering clients? A. - Eudora has good filtering. - Outlook Express has a learning feature. But you can't be sure what it's focusing on. - Spam Buster is a good tool. You should have a way so you can check to see what it's doing. - Spam Blocker (Windows). Procmail under Linux, Unix. Not easy, but a good tool.

Q. Jeff Finkelstein jf@persona.com announced that his company is coming out with a server tool for filtering spam. Sign up for a throw away account that will keep all your e-mail and send you just the headers. A. Geoff - The problem with client side software is that it has to come all the way across the Internet. Charlie - There was an IP address that was used by an old spammer. A new company came in that used that IP address. Local lists aren't cleaned up as often, so if an IP is reused, it could be a valid non-spammer. POP or IMAP read the headers first and use that to filter so it uses less bandwidth. Steve - A filter should look at the header and content on the server side so you don't have to download them all. You'll want to check for rules that are used for the filter. If you filter for "!!!!!", and your a friend uses lots of exclamation points, his mail won't get through, so you may need to modify the rules. People in newsgroups use xxxNOSPAM@xxx.com for their return address, with the instruction to delete the "NOSPAM" to respond.

You could get a free geographic domain like yourname.boulder.co.us, and use different addresses in different newsgroups and mailing lists to track where the address is harvested.

Q. Does the anti-fax law apply to spam? A. Probably not according to the legals.

- Fighting spam is not about content. However a lot of the content is illegal. If you get spam selling pirated copies of Microsoft programs, send it to Microsoft so they'll go after the spammer. If you get a spam with a "pump-and-dump" stock scheme, complain to the SEC. Chain letters that have you send a buck are violations of US Postal Service law. They have a web form to report this. (http://www.framed.usps.com/websites/depart/inspect/fraud/MailFraudComplaint .htm)

Dan adjourned the meeting at 9:00 pm.

Respectfully submitted by Tom Bresnahan.