Spam Fighting Part 3: No Offense

By Ed Hurst | Posted at 4:26 PM

What can you, the individual or small business Internet user, do? Plenty! The first and most obvious step is to choose carefully your hardware and OS. Since there are tons of articles already addressing that, and new ones every day, I won't say much more than this: when you can, avoid Windows as server software. It is on the workstation and desktop where you are more likely to have required applications that only run on Windows. Too often each piece of the software matrix has a separate price tag. If there is an Open Source application or combination that does the same job, spam fighting tools for example are built in at no extra cost. When properly configured, they are more resistant to attacks. My own local ISP has joined many others in making the switch to Open Source, with Linux servers now replacing most of their Windows servers simply for reasons of cost and service.

The reason I chose them, in spite of their being a Win-house at first, is that they truly serve the customer. They willingly shoulder the burden of caring for their clients, and do so better than other local or national providers, in my estimation. When you choose a service provider, one of the service issues about which you should ask is if they take a dim view of spam. Mine runs filtering software and uses a blocklist, too. They shut down port scanners and spammers from within their network, and have configured mail service to prevent relaying from the outside. Theirs is, and yours should be, not just a policy statement about abuse, but a track record of trying to stop it. Anti-spam activists refer to "pink contracts" as those which a service provider will offer abusers, at higher rates, to turn a blind eye. Watch out for hosting advertisements that say "bullet-proof hosting" -- a phrase that typically means pink contracts are available. Also, keep in mind that if you really need e-mail service, contracting with the wrong ISP will not do you much good, as they will likely be blocklisted.

For now, there is no effort to provide a consumer-friendly rating service of ISPs. You have to google for their various corporate names and see if they are listed often on the various abuse-related newsgroups (hint: include the word "abuse" as a search term). Further, you have to take the time to read the postings and try to gauge just how negatively they are viewed by those reporting abuse. Finding a so-called "white hat" ISP can be quite a chore. I observed an off-the-cuff poll of the worst sources of spam, and most of it went like this:

  • UUNET
  • Comcast
  • ATT
  • Verizon
  • T-Dialin
  • Chello
  • EV1
  • Anything containing the word "Bell"
  • All major ISPs in Canada
  • Most of Asia, but especially China
  • Latin America
  • France
  • Italy
  • Israel
  • Nigeria

Listing white hats was a bit less enthusiastic:

  • Hosting Matters
  • ARACNET
  • ELI

and any number of smaller, local ISPs. There's no doubt both lists could be longer, if the activists cared to speak. Personally, I might endorse the part about Asia being a spam haven, since the majority of my own spam links to sites there, if not coming from there directly. However, I can't say much about the rest for the simple reason that I see insufficient traffic to judge. A few that were named struck me as being better than their reputation. However, I can verify at least the three listed as good-guys, because I've dealt with them myself, as well as dozens of small ISPs who were on the right side.

It must be noted here the spam-friendly provider does one or both of two things. First, they may permit spam to be sent from their IP space. There are plenty of providers selling service online and taking orders, and of course payment, online as well. I don't think there's any way to filter at that point who is establishing an account. Many providers thus become a source of spam in the sense that they are misled and abused themselves by a dishonest customer. After the spammer makes their first run, the complaints come back, as well as bounces, etc. If the provider closes that account pretty quickly, they are probably doing as much as can be expected. Some take no action, or take forever to enforce their own written policies. The second problem is hosting for spammers. Most spam directs you to a webpage somewhere. If the provider investigates and closes those accounts down, call them "good." If they ignore or reject such complaints, call them "bad."

If you plan to be a provider yourself, do your part and wear the white hat. If your business provides other online services, hold to high ethics. There are plenty of good guidelines on how to run a mailing list, and way too many that encourage doing it wrong. The Direct Marketing Association (DMA) is your enemy. The shortest description of good list management is to make it challenging to get on the list, and easy to get off. Only an idiot believes harassment is a valid sales technique.

Finally, secure your equipment from outside exploitation. Find a website that regularly reports software security alerts for your type of system. Consider subscribing to mailing lists where patches for your system are announced. Don't buy or lease or install what you can't take care of, until you can do the job professionally. If you can't do it yourself, hire someone who can. The days of freewheeling connectivity are gone and our innocence cannot be regained. Fortunately, while there are plenty of so-called "open mail relays" still around, it's nothing like it once was. These machines allow anyone to connect as a client and send out mail as if it came from that machine. A secure OS will resist various attempts to take control from the outside, either by way of a virus or by direct manipulation. Run virus scanners, firewalls, and restrict permissions as tightly as practical. Train your clients and users to take it in stride, and never let anyone else know your passwords.

Good Defense

When your own house is clean, you are in a position to complain about your Net neighbor's junkyard. When you get spam, simply pushing the DELETE key is not a real answer. You won't have to do it much if you use some sort of filtering and blocklisting. There are at least a dozen blocklisting services; pick one or more. What gets past that is the point of action. Don't just delete them, react aggressively to them.

First, learn how to shut off features in your mail client that feed spammers: HTML, graphics loading, JavaScript, etc. Spammers love it when people use those fancy all-in-one mail clients. One trick is to send a "blank" message that is actually a link to an invisible graphic. Mostly, it's a single square screen pixel that is transparent, and the message appears to be empty. When your e-mail client loads the message, the unseen HTML code directs it to download this tiny graphic, which takes almost no time at all, but signals clearly to their server that your address is a real account, with somebody reading the mail. Then, lots of spam will follow. Another trick -- and we all probably wonder why people still don't know better -- is to send an attachment that executes commands when you try to open it. That fancy feature designed to make it easy to send highly formatted documents and images also makes it easy for someone to turn your computer into a zombie for their use later.

In short, act as if your mail client is text-only. It helps if that's actually the case. All those fancy features may be entertaining for some of the messages you do want, but each offers a security risk that spammers abuse. Technically, you should avoid sending or receiving e-mail messages that include anything except plain text in the first place. When you can, remind your correspondents of that standard. Discourage the sending of attachments unless absolutely necessary. It's better to put in your message a link to a safe website where files can be downloaded. The use of e-mail does have a standard, by the way. Learn other good practices, such as deciding carefully when you'll use your real information filling out a webform.
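To make the two tricks above concrete, here is an added example (my own, not code from the original article) that inspects a message the way a text-only client would: it keeps only the plain-text part, lists every remote image in the HTML part and flags the 1x1 ones as tracking pixels, and reports attachments with executable extensions. The sample message, its hosts and file names are constructed for the demonstration; `RISKY_EXTENSIONS` is an assumed, deliberately short list.

```python
"""Inspect a mail message for the HTML features spammers abuse:
remote (tracking) images and executable attachments."""
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample: a "blank" HTML part carrying a remote 1x1 image,
# plus an attachment with a double extension. All names are made up.
SAMPLE = """\
From: promo@example.invalid
To: victim@example.test
Subject: (no subject)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: multipart/alternative; boundary="b2"

--b2
Content-Type: text/plain; charset="us-ascii"

--b2
Content-Type: text/html; charset="us-ascii"

<html><body><img src="http://track.example.invalid/p.gif?id=42" width="1" height="1"></body></html>
--b2--
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

# Assumed list of extensions that run code when "opened"; extend to taste.
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".cmd", ".com", ".vbs", ".js"}


class RemoteImageFinder(HTMLParser):
    """Collects <img> tags whose src would be fetched over the network."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        if src.lower().startswith(("http://", "https://")):
            # A 1x1 (or 0x0) remote image is the classic tracking pixel.
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            self.images.append({"src": src, "tracking_pixel": tiny})


def inspect_message(raw):
    """Return the plain text a text-only client would show, plus what it hides."""
    msg = email.message_from_string(raw, policy=policy.default)
    report = {"plain_text": "", "remote_images": [], "risky_attachments": []}
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain" and not part.is_attachment():
            report["plain_text"] += part.get_content()
        elif ctype == "text/html":
            finder = RemoteImageFinder()
            finder.feed(part.get_content())
            report["remote_images"].extend(finder.images)
        elif part.is_attachment():
            name = (part.get_filename() or "").lower()
            if any(name.endswith(ext) for ext in RISKY_EXTENSIONS):
                report["risky_attachments"].append(name)
    return report


if __name__ == "__main__":
    for key, value in inspect_message(SAMPLE).items():
        print(f"{key}: {value!r}")
```

Run against the sample, the plain-text view is empty (the message really is "blank"), one remote image is flagged as a tracking pixel, and `invoice.pdf.exe` shows up as a risky attachment; that is exactly the information a client that loads images and opens attachments would never show you.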

Second, I would encourage everyone to learn to read mail headers. I realize that many people have neither the time nor inclination for that. Still, the more the merrier. There are numerous guides on this, so it's not as hard as you might think. The simplest is at UXN. Longer and more detailed tutorials are listed on pages such as this page. More importantly, learn to discern forged header entries, so that you can ignore them. Some good filtering services do a pretty fair job of pegging them for you, but you'll need to know enough to double check for accuracy. Make sure that your e-mail client is capable of displaying the headers, and that you know how to activate that feature.

Third, read good tutorials on tracking down the sources of spam. Get a feel for how spammers operate. It's more than just a matter of discerning the IP address from which the spam was sent, but the websites to which spammers are trying to draw you. Learn how to decode attempts at hiding URLs in obfuscated HTML code, 64-bit blocks, etc.
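As an added example (mine, not from the original article) of the "hidden URL" decoding the third step asks for, the following normalizes the common disguises: HTML numeric entities, percent-encoded host names, a decimal or hexadecimal number in place of a dotted IP, a fake "bank.example.com@" user-info prefix in front of the real host, and base64 blobs that decode to a URL. Every URL and host name here is constructed; the `.invalid` and `.test` domains are reserved and never resolve.

```python
"""Normalize the tricks spammers use to hide where a link really goes."""
import base64
import html
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# A host that is just a number (decimal) or 0x... (hex) is an IPv4 address.
NUMERIC_HOST = re.compile(r"^(?:\d+|0x[0-9a-f]+)$")
# Long runs of base64 alphabet, possibly padded.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def canonical_url(url):
    """Resolve display tricks to the host and path a client would really fetch."""
    url = html.unescape(url.strip())                 # &#104;ttp -> http
    parts = urlsplit(url)
    host = unquote(parts.hostname or "").lower()     # %77%77%77 -> www
    if NUMERIC_HOST.match(host):
        # http://3232235777/ and http://0xc0a80101/ are both 192.168.1.1
        number = int(host, 16) if host.startswith("0x") else int(host)
        host = str(ipaddress.IPv4Address(number))
    return {
        "scheme": parts.scheme.lower(),
        "host": host,
        "path": unquote(parts.path) or "/",
        # "http://www.bank.example.com@203.0.113.9/": the part before "@" is
        # user info, shown to fool the reader; the real host follows it.
        "decoy_userinfo": parts.username,
    }


def decode_base64_links(text):
    """Find base64 blobs in a message body that decode to URLs."""
    found = []
    for blob in B64_BLOB.findall(text):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if decoded.startswith(("http://", "https://")):
            found.append(decoded)
    return found


# Constructed message body: the link is only present in base64 form.
SAMPLE_BODY = (
    "Special offer, paste this into your browser: "
    + base64.b64encode(b"http://pills.example.invalid/?ref=7").decode()
    + " today only."
)

if __name__ == "__main__":
    for u in ("http://3232235777/", "http://0xC0A80101/buy",
              "http://%77%77%77.example.invalid/x",
              "http://www.bank.example.com@203.0.113.9/login",
              "&#104;&#116;&#116;&#112;://evil.example.invalid/"):
        print(u, "->", canonical_url(u))
    print(decode_base64_links(SAMPLE_BODY))
```

The host that comes out of `canonical_url` is the one to look up and report; the `decoy_userinfo` field is worth mentioning in a complaint because it shows intent to deceive rather than a broken link.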

Fourth, try to understand the structure of responsibility on the Net. Everybody who connects is responsible to somebody else for adhering to a service contract. Get to know about DNS, domain registration, and the various tools for finding that information. When you get spammed, you have an inherent right to complain. Never doubt that. You, too, are paying for connection, and you didn't pay for abuse. When you lodge a complaint, no one can rightfully call that harassment. That doesn't mean they will properly act on your complaint, but that's another matter. When you add your voice to the chorus of those who insist on appropriate Internet behavior, you increase the chances we all have of winning the war against Internet abuse.

Taking that information together should result in a LART: Loser Attitude Re-adjustment Tool. Spam fighters like to represent that as a mallet, with which to proverbially hit someone over the head. In its verb form -- to LART -- it usually refers to the activity of making a formal complaint to various agencies. Your LART should be a simple statement of the facts with evidence to back it up. Make sure you know how to get a complete copy of the whole message, with the full headers as you received the message, and include it in your complaint. This is forwarded to the provider of the spammer's outgoing e-mail message service at a minimum. Since the return address is almost always bogus, you can ignore that and identify the source IP address and its owner. In the US, it used to be a good idea to include a copy to the FTC (uce@ftc.gov). They've started bouncing those copies from time to time. While they never took direct action, they used to monitor the extent of the spam problem by the amount of junk forwarded to that address. I suspect it's gotten too big for them to handle anymore. Other nations may have similar policies currently active.

The more complicated part is identifying the service provider who hosts the spammer's websites. Whether the spammer owns the website or not doesn't matter. The owner of the website offering whatever the spammer advertises almost certainly pays the spammer for referrals, if not for the mere act of sending spam. "Follow the money" as the saying goes. This is the part of LARTing that is most discouraging, in that most of the hosting services that are willing to act on complaints have driven the spammers off and word has gotten around. Places that ignore such complaints are also well known among the spammers. However, as a matter of principle, I always include them for a copy of my LARTs. Who knows? There could be a change in management or something. I hear it has happened before.

Simply forwarding your spam to these addresses would be pointless without some sort of explanation to the recipients. Briefly state the problem, such as "UCE from IP xxx.xxx.xxxx.xx" with perhaps a comment why you believe that IP is the right one. In another paragraph, tell the spammer's host about the links in the message to their IP space, including the data that proves "www.domain.spam" is hosted on IP address xxxx.xxx.x.xx and is in their webspace. Some people add the results of a whois search. The copy of the original spam message, headers and all, goes at the bottom.
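The following added example (my own, not code from the original article) ties the "Second" step above (reading headers and ignoring forged ones) to the complaint format just described. It walks the Received: chain from the top, which your own server wrote, downward, stops at the first line not written by a trusted host, takes the connecting IP recorded in the last trustworthy line as the source, and drafts a "UCE from IP ..." note with the full, unmodified message appended. The sample message, the trusted host names in `TRUSTED_HOSTS` and all addresses are constructed; the two lowest Received: lines are the kind a spammer fabricates to point at an innocent party.

```python
"""Find the origin IP from a Received: chain and draft a plain-fact complaint."""
import email
import re
from email import policy

# Constructed sample. mx.example.test and mail.example.test are the
# hypothetical trusted servers that handled the mail on our side.
SAMPLE = """\
Received: from mail.example.test (mail.example.test [198.51.100.7])
    by mx.example.test with ESMTP id abc123; Mon, 1 Jan 2001 10:00:00 -0600
Received: from dsl-203-0-113-42.example.invalid ([203.0.113.42])
    by mail.example.test with SMTP id xyz789; Mon, 1 Jan 2001 09:59:58 -0600
Received: from bigbank.example.com (bigbank.example.com [192.0.2.1])
    by smtp.bigisp.example.invalid with ESMTP; Mon, 1 Jan 2001 09:00:00 -0600
Received: from localhost by bigbank.example.com; Mon, 1 Jan 2001 08:00:00 -0600
From: "Support" <support@bigbank.example.com>
To: victim@example.test
Subject: Act now

(body omitted)
"""

# Assumed: the servers whose Received: lines we wrote ourselves and trust.
TRUSTED_HOSTS = {"mx.example.test", "mail.example.test"}

# "by <host>" names the server that wrote the line; "[<ip>]" is the peer
# address that server saw connecting to it.
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def find_origin(raw, trusted_hosts=TRUSTED_HOSTS):
    """Walk Received: lines newest-first; the peer IP of the last trusted
    line is where the mail entered our infrastructure. Everything below the
    first untrusted line was supplied by the sender and may be forged."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = [" ".join(str(h).split()) for h in msg.get_all("Received", [])]
    origin = None
    untrusted_from = len(hops)
    for index, hop in enumerate(hops):
        by = BY_RE.search(hop)
        if by is None or by.group(1).lower() not in trusted_hosts:
            untrusted_from = index
            break
        ip = IP_RE.search(hop)
        if ip:
            origin = ip.group(1)
    return {
        "origin_ip": origin,
        "trusted_hops": hops[:untrusted_from],
        "unverified_hops": hops[untrusted_from:],
    }


def draft_complaint(raw, trusted_hosts=TRUSTED_HOSTS):
    """A statement of the facts, with the original message as evidence."""
    info = find_origin(raw, trusted_hosts)
    if info["origin_ip"] is None:
        raise ValueError("no trusted Received: line records a peer IP")
    return "\n".join([
        f"UCE from IP {info['origin_ip']}",
        "",
        "This is the connecting address recorded in the lowest trustworthy "
        f"Received: line ({len(info['trusted_hops'])} line(s) written by our own servers).",
        f"The {len(info['unverified_hops'])} Received: line(s) below it were supplied "
        "by the sender and are disregarded as unverifiable.",
        "",
        "---- original message, unmodified, full headers ----",
        raw,
    ])


if __name__ == "__main__":
    print(draft_complaint(SAMPLE))
```

Note that the Received: line naming `bigbank.example.com` is never consulted: it sits below the trust boundary, so it carries no evidentiary weight, and complaining to that party would be exactly the mistake forged headers are meant to provoke. The whois lookup that turns `203.0.113.42` into an abuse address is a separate, online step and is not part of this example.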

For my more motivated readers, a bit more challenging is to seek out such information as who provides the spam site's DNS and registration. Serious technicians can reveal some amazing data on this. Often you'll find everything runs in a closed loop: the spam site is hosted in one country (spam-friendly), the DNS service in another, and both are often registered by the same small circle of friends. I've seen where the registrations are chained in a series pointing to next link, and the next, and so on, with none of the registrations containing completely valid information. The registrar for this mess may reside in yet another spam-friendly country. If you are talented and knowledgeable enough to gather this kind of data, you have a valid complaint about bogus registration. Though I've already noted complaints to the registrar might fall on deaf ears, it is still a matter of principle that you try. If nothing comes of it, you have a valid complaint to InterNIC, whose job it is to enforce compliance on DNS registrations. This requires good solid evidence, but might be worth it if you can do it. Again, it's a matter of adding your voice to the choir.

Duty Bound

Is the Internet important to you? Do you intend making a lot of money from the Web, or just expect to have a lot of fun? Then consider your efforts to fight spam as part of the price you pay for connecting. There are several websites that help you identify the responsible parties for LARTing. SpamCop has some utilities for simplifying things. DNS Stuff has a set of utilities designed to query Internet data servers such as whois, reverse DNS, traceroute, etc. OpenRBL will allow you to search several different blocklists to see if a given IP has already been tagged as trouble. There are numerous other tool sites like those, so there's really very little excuse for making no effort at all.

Again, this is about trust. All the other users who suffer this abuse, who share your risk of losing the Internet altogether, are trusting you to help stop spam. Pure self-interest puts you in the same moral swamp as spammers. You don't even realize that it's in your best interest to fight back. If all you do is successfully block spam, you've done a great deal, but it's only a start. The ethics in support of the Web of Trust is summed up in

The Boulder Pledge

Under no circumstances will I ever purchase anything offered to me as the result of an unsolicited e-mail message. Nor will I forward chain letters, petitions, mass mailings, or virus warnings to large numbers of others. This is my contribution to the survival of the online community.

Where did that come from? Look it up in your favorite search engine, and start learning how to take back the Web. A good search engine is one of your best spam-fighting tools. The Boulder Pledge started people thinking, but it left them as merely passive resisters. It was a good start, but not enough, as the flood of spam continues. So now we owe it to ourselves to go farther, to push back. Be aLART! We need more LARTs.

Ed Hurst is Associate Editor of Open for Business. Ed is also the Music Director for Grace Baptist Church of Kickapoo Creek, Texas. He loves computers, runs FreeBSD and GNU/Linux and reads all sorts of things. You can reach Ed at ehurst@ofb.biz.